Technical Tip: Extending deception service between two sites using VXLAN over IPSec tunnel
Description
This article describes how to extend deception service between two sites using VXLAN over IPSec tunnel.
Scope
FortiGate: v6.2.0 build 0866, FortiDeceptor: v3.0.0 build 011.
Solution
Network Topology:
FortiDeceptor is installed on HQ and the deception network needs to be extended to a remote branch to be protected.

Configuration and Validation Overview:
To extend the deception network from HQ to a branch, follow these steps:
1) Initialize the VM Decoys in the HQ Deception network.
2) Configure IPSec Tunnel on HQ and Branch.
3) Create VXLAN tunnel over the IPSec tunnel on the HQ and Branch and create the software switch to bridge the VXLAN interface and local network on HQ and Branch.
4) Configure the firewall rules on HQ and Branch.
5) On the branch subnet, verify the connectivity to reach the same layer2 hosts on HQ.
6) Test that the decoy VMs generate events for an attacker originating from the branch network.
Configuration & Validation Details:
1) Initialize the VM Decoys in the HQ Deception network. Steps:
- Initialize FortiDeceptor to deploy VMs on 172.18.18.0/24 network on port2.

- Initialize the decoy VMs and assign the corresponding IP addresses: Linux decoy 172.18.18.50/24 and Windows decoy 172.18.18.60/24.
Enable SAMBA and SSH on the Linux decoy, and SMB and RDP on the Windows decoy, as lure services.
A valid, pingable IP address is needed as the gateway for the decoys to initialize.
Initially, this is the FortiGate-HQ port10 IP address.
- Once initialized, verify that the status of the decoys is Running.
Note the highlighted decoys below.

2) Configure IPSec Tunnel on HQ and Branch.
- Phase1 configuration on FortiGate-HQ:
# config vpn ipsec phase1-interface
edit "branches"
set interface "port6"
set mode aggressive
set peertype one
set net-device enable
set proposal aes256-sha256
set remote-gw 10.0.0.106
set peerid "branches"
set psksecret ENC iovalPlbcZMqkc72ILcxwkPpoYt+AjIgLbpaZPSHSFhwQezWLuhvBYr2mGnKVS+m94tdivOXeGXmXT9YPPRcqKlV5gq1kRkYyqPd29nsrM03Enwnnu9eCdsujvBGQzgGWS7jSHlOuHo0lh8JicL3KHb0Pat4RPrFvCwl2dBMkvviRngKz7lL5o3Ki/yDVl5SwLsr5A==
next
end
- Phase2 configuration on FortiGate-HQ:
# config vpn ipsec phase2-interface
edit "branches"
set phase1name "branches"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
- Change the IP address of the IPSec tunnel Interface on FortiGate-HQ:
# config system interface
edit "branches"
set vdom "root"
set ip 192.168.255.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.255.2 255.255.255.255
set interface "port6"
next
end
- Phase 1 configuration on FortiGate-Branch:
# config vpn ipsec phase1-interface
edit "HQ"
set interface "port2"
set mode aggressive
set peertype any
set net-device enable
set proposal aes256-sha256
set localid "branches"
set remote-gw 10.0.0.102
set psksecret ENC oJupYf1CA6iB5ek8r8mbh7O5NODwYHXznYcndaxD3EDddzvD+BipAnImQJh142l2seqOLpizSRpuc5IVePlrVADbTlrN301JZxSinaEuSBvr66PkArnZOTk1K4YPVtdiRqR9NoAPWesF3I79EK9Y0zLXIiMU+Zn+6Km7TeCmjDaezT6RVTp+oR6zrpMkrdZmvlkBIA==
next
end
- Phase 2 configuration on FortiGate-Branch:
# config vpn ipsec phase2-interface
edit "HQ"
set phase1name "HQ"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
- Change the IP address of the IPSec tunnel Interface on FortiGate-Branch:
# config system interface
edit "HQ"
set vdom "root"
set ip 192.168.255.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.255.1 255.255.255.255
set interface "port2"
next
end
At this point the IPSec VPN between HQ and Branch should be up.
3) Create VXLAN tunnel over the IPSec tunnel on the HQ and Branch and create the software switch to bridge the VXLAN interface and local network on HQ and Branch.
- Create VXLAN interface over the IPSec Interface in FortiGate-HQ:
# config system vxlan
edit "br_vxlan"
set interface "branches"
set vni 1
set remote-ip "192.168.255.2"
next
end
- Create software switch to bridge LAN and VXLAN interfaces on FortiGate-HQ:
# config system switch-interface
edit "br_ipsec-vxlan"
set vdom "root"
set member "br_vxlan" "port10"
next
end
- Change the IP address of the software switch to replace the original gateway IP address on FortiGate-HQ:
# config system interface
edit "br_ipsec-vxlan"
set vdom "root"
set ip 172.18.18.254 255.255.255.0
set allowaccess ping
set type switch
next
end
- Create VXLAN interface over the IPSec Interface in FortiGate-Branch:
# config system vxlan
edit "HQ_vxlan"
set interface "HQ"
set vni 1
set remote-ip "192.168.255.1"
next
end
- Create software Switch to bridge LAN and VXLAN interfaces on FortiGate-Branch:
# config system switch-interface
edit "HQ_ipsec-vxlan"
set vdom "root"
set member "HQ_vxlan" "port1"
next
end
- Change the IP address of the software switch to replace the original gateway IP address on FortiGate-Branch:
# config system interface
edit "HQ_ipsec-vxlan"
set vdom "root"
set ip 172.18.18.244 255.255.255.0
set allowaccess ping
set type switch
set device-identification enable
set lldp-transmission enable
set fortiheartbeat enable
set role lan
next
end
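The VXLAN-over-IPSec overlay in steps 2 and 3 only works if a handful of values on the two FortiGates mirror each other exactly (the peer ID, the tunnel ip/remote-ip pair, the VNI, and the VXLAN remote-ip, which must be the peer's tunnel IP, plus the software switch addresses and decoys all sitting in one subnet). The following script is an added example, not Fortinet's code or anything from the article: it parses the flat config/edit/set CLI form used above and cross-checks those values between HQ and Branch. The embedded HQ and BRANCH strings are the article's own snippets trimmed to the tables the audit reads, with the ENC PSK blobs and remote-gw lines omitted; the parser handles only that flat shape, not nested config blocks.

```python
import shlex
from ipaddress import ip_interface

# Constructed input: the article's HQ and Branch CLI, trimmed to the tables the
# audit reads; the ENC PSK blobs and remote-gw lines are left out.
HQ = """
config vpn ipsec phase1-interface
edit "branches"
set mode aggressive
set peerid "branches"
next
end
config system interface
edit "branches"
set ip 192.168.255.1 255.255.255.255
set type tunnel
set remote-ip 192.168.255.2 255.255.255.255
next
edit "br_ipsec-vxlan"
set ip 172.18.18.254 255.255.255.0
set type switch
next
end
config system vxlan
edit "br_vxlan"
set interface "branches"
set vni 1
set remote-ip "192.168.255.2"
next
end
"""
BRANCH = """
config vpn ipsec phase1-interface
edit "HQ"
set mode aggressive
set localid "branches"
next
end
config system interface
edit "HQ"
set ip 192.168.255.2 255.255.255.255
set type tunnel
set remote-ip 192.168.255.1 255.255.255.255
next
edit "HQ_ipsec-vxlan"
set ip 172.18.18.244 255.255.255.0
set type switch
next
end
config system vxlan
edit "HQ_vxlan"
set interface "HQ"
set vni 1
set remote-ip "192.168.255.1"
next
end
"""
DECOYS = ["172.18.18.50/24", "172.18.18.60/24"]  # decoy addresses from the article


def parse_fortios(text):
    """Flat 'config/edit/set/next/end' CLI -> {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        toks = shlex.split(line.strip().lstrip("# "))  # drop the '# ' prompt
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
    return tables


def one(cfg, table, type_=None):
    """The single (name, settings) entry of a table, optionally filtered by 'set type'."""
    hits = [e for e in cfg[table].items() if type_ is None or e[1].get("type") == [type_]]
    assert len(hits) == 1, f"expected exactly one {type_ or ''} entry in {table}"
    return hits[0]


def audit(hq_text, br_text, decoys):
    """Return (errors, warnings): errors break the L2 extension, warnings are
    hardening observations on settings the overlay does not strictly need."""
    hq, br = parse_fortios(hq_text), parse_fortios(br_text)
    errors, warnings = [], []
    need = lambda ok, msg: None if ok else errors.append(msg)
    hq_p1, br_p1 = one(hq, "vpn ipsec phase1-interface"), one(br, "vpn ipsec phase1-interface")
    need(hq_p1[1].get("peerid") == br_p1[1].get("localid"), "phase1: HQ peerid must equal Branch localid")
    for site, (_, p1) in (("HQ", hq_p1), ("Branch", br_p1)):
        if p1.get("mode") == ["aggressive"]:
            warnings.append(f"{site}: IKEv1 aggressive mode with PSK exposes the identity and a hash "
                            "usable for offline PSK guessing; prefer main mode")
    hq_tun, br_tun = one(hq, "system interface", "tunnel"), one(br, "system interface", "tunnel")
    need((hq_tun[0], br_tun[0]) == (hq_p1[0], br_p1[0]), "tunnel interface name must match the phase1 name")
    need(hq_tun[1]["remote-ip"][0] == br_tun[1]["ip"][0] and br_tun[1]["remote-ip"][0] == hq_tun[1]["ip"][0],
         "tunnel ip / remote-ip must mirror each other")
    hq_vx, br_vx = one(hq, "system vxlan"), one(br, "system vxlan")
    need(hq_vx[1]["vni"] == br_vx[1]["vni"], "vxlan: VNI must match on both sites")
    need((hq_vx[1]["interface"][0], br_vx[1]["interface"][0]) == (hq_tun[0], br_tun[0]),
         "vxlan must ride the IPsec tunnel interface")
    need(hq_vx[1]["remote-ip"][0] == br_tun[1]["ip"][0] and br_vx[1]["remote-ip"][0] == hq_tun[1]["ip"][0],
         "vxlan remote-ip must be the peer's tunnel IP")
    hq_sw, br_sw = one(hq, "system interface", "switch"), one(br, "system interface", "switch")
    nets = {ip_interface("/".join(s[1]["ip"])).network for s in (hq_sw, br_sw)}
    need(len(nets) == 1, "software switch IPs must sit in one subnet")
    gateways = {hq_sw[1]["ip"][0], br_sw[1]["ip"][0]}
    for d in decoys:  # decoys must be inside the extended subnet and not reuse a gateway IP
        need(ip_interface(d).network in nets, f"decoy {d} is outside the extended subnet")
        need(d.split("/")[0] not in gateways, f"decoy {d} collides with a gateway IP")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = audit(HQ, BRANCH, DECOYS)
    print("errors:", errs or "none")
    print("warnings:", *warns, sep="\n  ")
```

Run it after pasting both sides' `show` output into the two strings; an empty error list means the mirrored values line up, and the warnings flag the aggressive-mode setting the article uses, which the overlay itself does not require.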
4) Configure the firewall rules on HQ and Branch.
- Configure firewall policy for LAN to Internet in FortiGate-HQ:
# config firewall policy
edit 0
set name "FDC-LAN_To_INTERNET"
set srcintf "br_ipsec-vxlan"
set dstintf "port6"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
set nat enable
next
end
- Configure firewall policy for LAN to Remote_LAN (Same Subnet in the branch) in FortiGate-HQ:
# config firewall policy
edit 0
set name "HQ_to_Branch"
set srcintf "br_ipsec-vxlan"
set dstintf "branches"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
end
- Configure firewall policy for LAN to Internet in FortiGate-Branch:
# config firewall policy
edit 0
set name "Local_Internet"
set srcintf "HQ_ipsec-vxlan"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set nat enable
next
end
- Configure firewall policy for LAN to Remote_LAN (Same Subnet in HQ) in FortiGate-Branch:
# config firewall policy
edit 0
set name "Allow_All"
set srcintf "HQ_ipsec-vxlan"
set dstintf "HQ"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
set fsso disable
next
end
5) On the branch subnet, verify the connectivity to reach the same layer 2 hosts on HQ:
Note that Branch is able to access the internet locally along with the extended layer2 subnet in HQ.
The following diagram shows that attacker 172.18.18.234 is able to ping the Linux (172.18.18.50) and the Windows (172.18.18.60) decoys in HQ.
The attacker machine is able to access the internet at the same time (pinging 8.8.8.8).

6) Test that the decoy VMs generate events for an attacker originating from the branch network.
From the attacker machine, access the Linux decoy via SSH.
In the same way, all decoy services are accessible from the branch network within the same extended subnet.
