Opening ipsec tunnel flow

dhikra-marghli8
Level 1
8 Replies

I don't fully get your question,

but we ping from LAN to LAN to make the IPsec tunnel come up.

MHM

@dhikra-marghli8 to establish an IPsec VPN: if using a policy-based VPN you need to generate interesting traffic from an IP address defined in the crypto ACL; this should then establish the VPN. If using a route-based VPN, the tunnel should be established automatically.
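
The policy-based case described in the reply above, as an added example that is not part of the thread or of any participant's configuration: a Cisco IOS crypto-map setup in which only traffic matching the crypto ACL is "interesting" and triggers IKE. All addresses, the names CRYPTO-ACL, CMAP and TS-AES, and the pre-shared key are assumed for illustration.

```cisco
! Added example (not from the thread): policy-based IPsec on Cisco IOS.
! Assumed topology: local LAN 10.1.1.0/24 behind WAN 203.0.113.1,
! remote LAN 10.2.2.0/24 behind peer 198.51.100.1, PSK "example-psk".
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key example-psk address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL = proxy identities. Only packets matching a permit line
! trigger IKE and are encrypted; anything else follows the normal routing
! table in the clear. Keep it as narrow as the real traffic requires and
! never "permit ip any any".
ip access-list extended CRYPTO-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address CRYPTO-ACL
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
! Nothing is negotiated until interesting traffic appears. From the router,
! a sourced ping counts as interesting traffic (a plain ping from the WAN
! address would not match the ACL):
!   ping 10.2.2.10 source 10.1.1.1
! Then verify both phases:
!   show crypto isakmp sa     -> state QM_IDLE, status ACTIVE for 198.51.100.1
!   show crypto ipsec sa      -> #pkts encaps / #pkts decaps incrementing
```

Two checks a practitioner should make here. First, the peer's crypto ACL must be the exact mirror image (10.2.2.0/24 to 10.1.1.0/24); otherwise phase 1 completes but phase 2 fails with a proxy-identity error. Second, a successful ping alone does not prove the traffic was encrypted: if the ACL is narrower than the real flows, those flows are routed in the clear over the default route and the ping still succeeds. Confirm with the `#pkts encaps` counter in `show crypto ipsec sa` that it rises with the traffic you care about.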

balaji.bandi
Hall of Fame

It all depends on what VPN we are discussing here; you need to put more information here for it to be addressed correctly.

As @Rob Ingram mentioned, you need to initiate the traffic for the flow to be established end to end.

Adding another note: if you are using an ASA, you can use packet-tracer as well, I guess.

 

BB


M02@rt37
VIP

Hello @dhikra-marghli8 

@Rob Ingram summarized it perfectly.

In policy-based VPNs, the tunnel is established based on defined policies. The initiation of the VPN tunnel is triggered by interesting traffic that matches the criteria specified in the crypto ACL. This traffic is then encrypted and sent through the VPN tunnel.

On the other hand, in route-based VPNs the tunnel is typically always up, and it is associated with specific routes rather than traffic characteristics. This means that any traffic destined for the specified remote networks will automatically be directed through the established VPN tunnel. Route-based VPNs often use tunnel interfaces and are more flexible in handling various types of traffic.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

First question: route-based VPNs, what does that mean?

Do we use static routes or routing protocols to open a flow between two networks? Or GRE?

Second question:

Policy-based VPNs means the IPsec tunnel uses the firewall policy to open a flow?

I await a reply.

Thanks

 

@dhikra-marghli8 

In a route-based VPN, the establishment of the VPN connection is based on the routing table. This means that the decision to send traffic through the VPN tunnel is made based on the destination address of the packet and the entries in the routing table.
Route-based VPNs use routes or policies to determine which traffic should be encrypted and sent through the VPN tunnel. This can involve static routes or dynamic routing protocols.
GRE can be used in conjunction with route-based VPNs to create a tunnel, but the actual routing decisions are made based on the routing table.

In a policy-based VPN, the decision to encrypt and send traffic through the VPN tunnel is based on specific policies or rules configured on the firewall.
IPsec, a commonly used protocol for VPNs, is often associated with policy-based VPNs. The policies define which traffic should be protected and how it should be protected (encryption parameters, authentication, etc.).
These policies are often tied to specific criteria such as source/destination IP addresses, protocols, or application types.

 

Best regards

***Policy-based VPN (using an ACL) has one status:

IPsec is active or not.

This needs, as I mentioned before, a ping from LAN to LAN to make IPsec active.

***Route-based VPN

This has two statuses:

Tunnel is up or down.

IPsec over this tunnel is active or not.

Here the tunnel status depends on reachability of the tunnel destination; if it is not reachable, then it is down.

And about IPsec:

As you mentioned, we can use static routes or an IGP to direct traffic through the tunnel.

If we use static routes and we don't use keepalives, then IPsec is not active and we need a ping to make it active.

If we use an IGP, then IPsec is active, since the tunnel needs IPsec to protect the IGP packets between the two ends.

MHM
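
The route-based case with its two separate states (tunnel interface up/down, IPsec SA active or not), as an added example that is not part of the thread or of any participant's configuration: GRE over IPsec on Cisco IOS with tunnel protection, showing both a static route and an IGP as the way to steer traffic into the tunnel. Addresses, the names TS-AES and IPSEC-PROF, and the pre-shared key are assumed for illustration.

```cisco
! Added example (not from the thread): route-based GRE over IPsec on Cisco IOS.
! Assumed topology: local WAN 203.0.113.1, peer 198.51.100.1,
! tunnel subnet 10.255.0.0/30, local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key example-psk address 198.51.100.1
!
! IKE dead peer detection: tears down a stale SA when the peer vanishes.
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
! GRE keepalives are themselves traffic through the tunnel, so they keep
! the IPsec SA active even with only a static route, and they bring the
! line protocol down when the far end stops answering.
 keepalive 10 3
 tunnel protection ipsec profile IPSEC-PROF
!
! Option A: static route; without keepalives the SA stays idle until a
! packet for 10.2.2.0/24 is actually sent.
ip route 10.2.2.0 255.255.255.0 Tunnel0
!
! Option B: an IGP whose hellos cross the tunnel every few seconds and so
! keep the SA negotiated and in use.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
! Two independent things to check:
!   show interface Tunnel0   -> up/up when the tunnel destination is routable
!                               (and keepalives are answered, if configured)
!   show crypto ipsec sa     -> SA present for 203.0.113.1 <-> 198.51.100.1,
!                               #pkts encaps / decaps increasing
```

Design caveat: with `tunnel mode gre ip` the interface can report up/up while no IPsec SA exists at all, because the line protocol only tracks reachability of the tunnel destination (plus keepalives). A route pointing at Tunnel0 therefore does not by itself prove traffic is protected; `show crypto ipsec sa` is the check that matters. If you use `tunnel mode ipsec ipv4` (a VTI) instead, the line protocol follows the IPsec SA itself, which collapses the two statuses into one and makes a down interface mean "no SA".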

M02@rt37
VIP

@dhikra-marghli8 

On the FortiGate side, here is an interesting document:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Route-based-VPN-can-establish-an-IPsec-tunnel-with/ta-p/246669

Best regards