An earlier article described the software defined perimeter and how GoodAccess implements it via the Branch and Cloud Connector. This guide will show you how to work with the Branch Connector and how to successfully establish connections between your branches and virtual network.
The Branch & Cloud Connector is a built-in mechanism that allows you to connect branch routers and clouds to your GoodAccess virtual infrastructure easily and securely.
This approach differs from IP whitelisting: with the Branch & Cloud Connector, you do not have to expose a static IP address of your branch to the internet.
Below are guides on how to connect a branch router from three major appliance providers - Cisco, Fortinet, and MikroTik.
In your GoodAccess Control Panel, go to Clouds & Branches and click Add new.
Under Type, select Branch, and select the IPsec protocol. Then fill out the following information:
Your new branch should appear in the list of branches.
Select the Configuration Guide from the Edit Branch menu on the right to display all the details you will need to configure in your Cisco router. Keep this window open for later reference.
Now, navigate to your Cisco router configuration and under the VPN section, go to IPsec Profiles.
Here, fill out the following:
Switch to Site-To-Site and fill out the fields as follows:
Remote Endpoint - select Static IP and type in the IP address of your GoodAccess gateway
Below, fill out the Local Group Setup.
Then, below, fill out the Remote Group Setup.
Subnet Mask - type “255.255.252.0”
Your Cisco router has been added to your GoodAccess infrastructure and is facilitating connection to your LAN resources. However, you still need to add the local resources via Systems. Click here to see how to do that.
Optionally, if you want to enable dead peer detection (DPD), switch to the Advanced Setup tab in the Site-To-Site section of your router configuration and check DPD Enable.
Then, click on the red floppy disk icon at the top of your screen. This will take you to Configuration Management. Here, click Apply.
In your GoodAccess Control Panel, go to Clouds & Branches and click Add new in the top-right corner of the screen.
Fill out the information in the same way as in the case of Cisco described above. Save the information as you will need it later.
Finish by clicking Add.
Your new branch should appear in the list in Clouds & Branches.
Click on the action button on the right and select Configuration guide to view the details of your branch. Keep this window open for later reference.
Now, navigate to your FortiGate configuration and under the Policy & Objects section, go to Addresses. There, click Create New and then Address.
You now have to create two Address objects - local and remote.
To set up your local profile, fill out the information as follows:
To set up your remote profile, fill out the form as follows:
Next, navigate to IPsec Tunnels under the VPN section and click Create New and then IPsec Tunnel.
Select Custom and click Next.
Here, you have to edit all the sections as indicated below.
In Network, click Edit and fill out the following:
In Authentication, click Edit and fill out the following:
IKE - choose version 2
In Phase 1 Proposal, click Edit and enter the same settings as you configured in GoodAccess.
In Phase 2 Selectors, click Edit and fill out the following:
Next, you need to configure routing.
In the Network section, go to Static Routes and click Create new.
Fill out the fields as follows:
Destination - choose Subnet and enter your GoodAccess gateway subnet address followed by its subnet mask
The next step is to define the policy.
Go to the Policy & Objects section and then Firewall Policy. Here, click Create New and fill out the following:
Finally, you need to create the policy once more, with the following changes:
Your FortiGate router is now part of your virtual infrastructure. However, you still need to add the local resources via Systems. Click here to see how to do that.
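The FortiGate steps above (tunnel, static route and the two firewall policies), expressed as the equivalent FortiOS CLI configuration. This is an added example, not part of the GoodAccess guide or Fortinet documentation; the interface names (wan1, internal), the address object names GA_local and GA_remote (the two Address objects created earlier), the subnets, the gateway IP, the proposal and the pre-shared key are placeholders that you replace with the values shown in your GoodAccess Configuration Guide.

```fortios
# IPsec tunnel (VPN > IPsec Tunnels > Custom): IKEv2, pre-shared key, DPD on.
config vpn ipsec phase1-interface
    edit "GoodAccess"
        set interface "wan1"                 # assumed WAN interface
        set ike-version 2
        set remote-gw 203.0.113.10           # placeholder GoodAccess gateway IP
        set proposal aes256-sha256           # must match Phase 1 settings shown in GoodAccess
        set dhgrp 14                         # must match Phase 1 settings shown in GoodAccess
        set dpd on-idle
        set psksecret "<PRE_SHARED_KEY_FROM_CONFIGURATION_GUIDE>"
    next
end
config vpn ipsec phase2-interface
    edit "GoodAccess-p2"
        set phase1name "GoodAccess"
        set proposal aes256-sha256           # must match Phase 2 settings shown in GoodAccess
        set src-subnet 192.168.10.0 255.255.255.0   # placeholder: your local LAN
        set dst-subnet 10.100.0.0 255.255.252.0     # placeholder: GoodAccess gateway subnet
    next
end
# Static route (Network > Static Routes) sending the GoodAccess subnet into the tunnel.
config router static
    edit 0
        set dst 10.100.0.0 255.255.252.0     # placeholder: GoodAccess gateway subnet
        set device "GoodAccess"
    next
end
# Firewall policies (Policy & Objects > Firewall Policy): one per direction,
# scoped to the two Address objects rather than "all".
config firewall policy
    edit 0
        set name "GoodAccess-in"
        set srcintf "GoodAccess"
        set dstintf "internal"               # assumed LAN interface
        set srcaddr "GA_remote"
        set dstaddr "GA_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "GoodAccess-out"
        set srcintf "internal"               # assumed LAN interface
        set dstintf "GoodAccess"
        set srcaddr "GA_local"
        set dstaddr "GA_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The Phase 1 and Phase 2 proposals must be identical to what GoodAccess shows; a mismatch is the most common reason a tunnel never comes up.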
In your GoodAccess Control Panel, go to Clouds & Branches and add a new branch by clicking Add new.
Fill out the details as follows:
Now you will receive all the details and files you will need to configure your MikroTik.
Keep this window open until you have connected your MikroTik to GoodAccess.
Important: For security reasons, you cannot redisplay the password after you have closed this window. If you lose your password, you can generate a new one. We strongly recommend that you save it in a secure password manager.
Next, upload the following files to the Files section of your MikroTik:
When you have uploaded the scripts, open the MikroTik Terminal and run the following command:
Then fill out the details as follows:
If all goes well, you should get a message reading "Script file loaded and executed successfully."
Check the connection in IP -> IPsec -> Policies and Active Peers.
You can also check the connection in the Configuration Guide window (earlier step) or via the Action button in Clouds & Branches.
Finally, you need to define your local resources in Systems to be able to access them. See this guide for instructions on how to do that.