IPv6 VPN Routing with Dynamic Prefixes
How to route traffic inside an IPv6 site-to-site VPN tunnel if one side offers only dynamic IPv6 prefixes? With IPv4, the private network segments were statically routed through the tunnel. But with a...
Where to terminate Site-to-Site VPN Tunnels?
When using a multilayer firewall design it is not directly clear on which of these firewalls remote site-to-site VPNs should terminate. What must be considered in such scenarios? Differentiate between...
FortiGate VPN Speedtests
Triggered by a customer who had problems getting enough speed through an IPsec site-to-site VPN tunnel between FortiGate firewalls I decided to test different encryption/hashing algorithms to verify...
FRITZ!Box VPN Speedtests
Similar to the site-to-site VPN throughput test of the FortiGate firewalls, I wanted to put the FRITZ!Boxes through their paces and find out to what extent the VPN throughput of the models...
IPv6 through IPv4 VPN Tunnel with Palo Alto
The most common transition method for IPv6 (that is: how to enable IPv6 on a network that does not have a native IPv6 connection to the Internet) is a “6in4” tunnel. Other tunneling methods such as...
Palo Alto VPN Speedtests
Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200...
IPsec Site-to-Site VPN FortiGate Cisco ASA
Following is a step-by-step tutorial for a site-to-site VPN between a Fortinet FortiGate and a Cisco ASA firewall. I am showing the screenshots of the GUIs in order to configure the VPN, as well as...
Site-to-Site VPNs with Diffie-Hellman Groups 19 & 20 (Elliptic Curve)
Similar to my test with Diffie-Hellman group 14 shown here I tested a VPN connection with the elliptic curve Diffie-Hellman groups 19 and 20. The considerations why to use these DH groups are listed in...
Juniper ScreenOS VPN Speedtests
Just for fun some more VPN throughput tests, this time for the late Juniper ScreenOS firewalls. I did the same Iperf TCP tests as in my labs for Fortinet and Palo Alto, while I was using six different...
IPv6 IPsec VPN Tunnel Palo Alto FortiGate
Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6...
IKEv2 IPsec VPN Tunnel Palo Alto FortiGate
And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for...
IKE Challenges
A few months ago I published many Layer 2/3 challenges on my blog. Besides the happy feedback I got some remarks that the challenges were too easy at all because you only needed the display filter at...
IKEv1 & IKEv2 Capture
It is probably one of the most used protocols in my daily business but I have never captured it in detail: IKE and IPsec/ESP. And since IKEv2 is coming I gave it a try and tcpdumped two VPN session...
IPsec Site-to-Site VPN FortiGate FRITZ!Box
Here is a short guide on how to set up a site-to-site VPN between a FortiGate firewall and an AVM FRITZ!Box. Using screenshots, I show the configuration of the FortiGate, while I...
TROOPERS18: Dynamic IPv6 Prefix Problems and VPNs
Just a few days ago I gave a talk at Troopers 18 in Heidelberg, Germany, about the problems of dynamic (non-persistent) IPv6 prefixes, as well as IPv6 VPNs in general. Following are my slides and the...
True Random PSK Generator on a Raspi
In my previous blogpost I talked about the true random number generator (TRNG) within the Raspberry Pi. Now I am using it for a small online pre-shared key (PSK) generator at https://random.weberlab.de...
Route- vs. Policy-Based VPN Tunnels
There are two methods of site-to-site VPN tunnels: route-based and policy-based. While some of you may already be familiar with this, some may have never heard of it. Some firewalls only implement one...
Types of VPN
Another small post out of my “At a Glance” series: The different types of virtual private networks (VPNs). Looking at Site-to-Site and Remote Access VPNs. This is one of many VPN articles on my blog....
Route-Based VPN Tunnel Palo Alto Cisco ASA
More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a Palo Alto Networks firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based...
Route-Based VPN Tunnel FortiGate Cisco ASA
More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN...