Ticket #9942: Multi-Site VPN Expansion
Priority: Critical | Assigned To: You

We are expanding our secure network footprint. You are tasked with configuring two new IPsec site-to-site tunnels on the Branch Firewall:
- Tunnel 1: Primary link to Corporate HQ.
- Tunnel 2: Inventory link to the Regional Warehouse.
Configuration Requirements:
- Use the Network Topology to identify the Peer IP and correct Subnet Mask for each remote site.
- Apply encryption/hashing settings per the Corporate Security Policy (Section 4).
- Retrieve site-specific PSKs from the Enterprise Vault.
Network Diagram (Confidential)
- Corporate HQ: Public IP 203.0.113.50, Mask 255.255.255.0
- Warehouse: Public IP 198.51.100.88, Mask 255.255.255.240
- INTERNET / WAN
- Branch Office (You): Gateway 198.51.100.22
Security Standard
DOC-ID: SEC-STD-2024-V24.0 VPN Standards (Site-to-Site)
All new VPN tunnels must adhere to the following directives to ensure regulatory compliance:
| Directive | Requirement |
|---|---|
| Protocol Version | IKEv2 |
| Cryptographic Strength | Must utilize current industry standard best practices for encryption and hashing to ensure robust protection. |
| Transmission Security | Configure the IPsec protocol and mode to ensure full data confidentiality of the payload and hide internal IP topology. |
| Diffie-Hellman | Group 14 |
Enterprise Vault
- VPN: Corporate HQ, ID: hq-primary-link, PSK: (masked)
- VPN: Reg. Warehouse, ID: whse-inv-link, PSK: (masked)
FW-BRANCH-01 > IPsec Config
ADMIN SESSION
* Configure both tunnels to complete module
Instructor's Analysis
1. Confidentiality Settings: Security Policies usually mandate specific standards (e.g., AES-256). Choosing legacy options like DES or 3DES will cause immediate failure during the IKE Phase 1 proposal match.
2. Addressing & Routing: The Subnet Mask is critical. For the warehouse, a /28 (255.255.255.240) was required. A standard /24 mask would misidentify the network boundary, preventing traffic flow.
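As an added example (not part of the lab module), the following Python check applies the SEC-STD-2024-V24.0 directives to a tunnel proposal and shows how the warehouse mask changes the network boundary the firewall derives. The accepted cipher and hash names are an assumption made here, since the standard only says "current industry standard best practices".

```python
import ipaddress

# Fixed by SEC-STD-2024-V24.0: IKEv2, DH group 14, ESP in tunnel mode.
# The accepted/legacy name sets are an assumption for this example; the
# standard itself names no specific ciphers or hashes.
ACCEPTED_CIPHERS = {"aes-256-gcm", "aes-256-cbc"}
ACCEPTED_HASHES = {"sha256", "sha384", "sha512"}
LEGACY = {"des", "3des", "md5", "sha1"}

def check_tunnel(t):
    """Return the list of policy violations for one tunnel proposal (empty means compliant)."""
    problems = []
    if t.get("ike_version") != 2:
        problems.append("IKEv2 required")
    if t.get("dh_group") != 14:
        problems.append("DH group 14 required")
    cipher, hsh = t.get("cipher", "").lower(), t.get("hash", "").lower()
    if cipher in LEGACY:
        problems.append(f"legacy cipher {cipher!r} fails the IKE proposal match")
    elif cipher not in ACCEPTED_CIPHERS:
        problems.append(f"cipher {cipher!r} not on the accepted list")
    if hsh in LEGACY:
        problems.append(f"legacy hash {hsh!r} fails the IKE proposal match")
    elif hsh not in ACCEPTED_HASHES:
        problems.append(f"hash {hsh!r} not on the accepted list")
    if (t.get("protocol"), t.get("mode")) != ("esp", "tunnel"):
        problems.append("ESP in tunnel mode required (encrypt payload, hide inner topology)")
    return problems

def remote_network(peer_ip, mask):
    """Network boundary the firewall derives from a peer address and dotted-decimal mask."""
    return ipaddress.ip_network(f"{peer_ip}/{mask}", strict=False)

def mask_contains(peer_ip, mask, host):
    """True if `host` falls inside the network derived from peer_ip/mask."""
    return ipaddress.ip_address(host) in remote_network(peer_ip, mask)

# Addresses taken from the ticket's network diagram.
WAREHOUSE_PEER, BRANCH_GATEWAY = "198.51.100.88", "198.51.100.22"

if __name__ == "__main__":
    good = {"ike_version": 2, "dh_group": 14, "cipher": "aes-256-gcm",
            "hash": "sha256", "protocol": "esp", "mode": "tunnel"}
    bad = dict(good, ike_version=1, cipher="3des", hash="sha1", mode="transport")
    print("Compliant proposal:", check_tunnel(good) or "no violations")
    print("Legacy proposal:", check_tunnel(bad))
    for mask in ("255.255.255.240", "255.255.255.0"):
        print(f"mask {mask}: warehouse network {remote_network(WAREHOUSE_PEER, mask)},"
              f" contains branch gateway: {mask_contains(WAREHOUSE_PEER, mask, BRANCH_GATEWAY)}")
```

With the /28 the warehouse peer resolves to 198.51.100.80/28; with a /24 it resolves to 198.51.100.0/24, which also contains the branch's own gateway 198.51.100.22, one concrete way the wrong mask misidentifies the boundary.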