GoodAccess logo
FEATURES
Cloud VPNZero Trust NetworkSoftware Defined Perimeter
PRicing
RESOURCES
Product TourSupport PortalDownload AppsBlog
About Us
Contact Us
Create Free Account
See Pricing
CS

Live Demo: Configuring a Secure Remote Access to Development Environments

  • Set up a global team VPN with static IP
  • Connect development environments hosted in remote LANs, clouds or SaaS apps
  • Set up IP whitelisting to restrict access and protect data
  • Manage user accesses
Book Your Spot on Dec 8th
1 000+
Companies Secure
Their Teams
10 000+
Users Trust
GoodAccess
Capterra and G2 rating logos5 star rating
Rating on Capterra
and G2
Go back
Back
Go back
Back

How to Use the Branch Connector in GoodAccess

Knowledgebase
Networking
10
m read /
/
Mar 16, 2022
/ by
Petr Pecha

An earlier article described the software defined perimeter and how GoodAccess implements it via the Branch and Cloud Connector. This guide will show you how to work with the Branch Connector and how to successfully establish connections between your branches and virtual network.

Table of contents

  1. What is the Branch Connector?
  2. How to connect a branch to GoodAccess
  3. How to add a Cisco router
  4. Enabling dead peer detection
  5. How to add a FortiGate router
  6. How to add a MikroTik router

What is the Branch Connector?

The Branch & Cloud Connector is a built-in mechanism that allows you to connect branch routers and clouds to your GoodAccess virtual infrastructure easily and securely.

This approach is different from IP whitelisting, as using the Branch & Cloud Connector does not expose your static IP address to the internet.

How to connect a branch to GoodAccess

Below are guides on how to connect a branch router from three major appliance providers - Cisco, Fortinet, and MikroTik.

How to add a Cisco router

In your GoodAccess Control Panel, go to Clouds & Branches and click Add new.

Under Type, select Branch, and select the IPsec protocol. Then fill out the following information:

  • Encryption and Integrity - up to you
  • Diffie-Hellman Groups (both phases) - select 2 - modp1024

Your new branch should appear in the list of branches.

Select the Configuration Guide from the Edit Branch menu on the right to display all the details you will need to configure in your Cisco router. Keep this window open for later reference.

Now, navigate to your Cisco router configuration and under the VPN section, go to IPsec Profiles.

Here, fill out the following:

  • Profile name - up to you
  • Keying mode - select Auto
  • IKE Version - select IKEv2

Switch to Site-To-Site and fill out the fields as follows:

  • Connection name - up to you
  • IPsec Profile - select the profile you created for the VPN

Remote Endpoint - select Static IP and type in the IP address of your GoodAccess gateway

Below, fill out the Local Group Setup.

  • Local Identifier Type - select Local WAN IP
  • Local Identifier - type in your public IP address (it should be filled out automatically)
  • Local IP Type - select Subnet
  • IP Address - type the IP address of your network
  • Subnet Mask - type your subnet mask

Then, below, fill out the Remote Group Setup.

  • Remote Identifier Type - select Remote WAN IP
  • Remote Identifier - type the IP address of your GoodAccess gateway
  • Remote IP Type - select Subnet
  • IP Address - type the GoodAccess gateway subnet address

Subnet Mask - type “255.255.252.0”

Your Cisco router has been added to your GoodAccess infrastructure and is facilitating connection to your LAN resources. However, you still need to add the local resources via Systems. Click here to see how to do that.

Enabling dead peer detection

Optionally, if you want to enable dead peer detection (DPD), switch to the Advanced Setup tab in the Site-To-Site section of your router configuration and check DPD Enable.

Then, click on the red floppy disk icon at the top of your screen. This will take you to Configuration Management. Here, click Apply.

How to add a FortiGate router

In your GoodAccess Control Panel, go to Clouds & Branches and click Add new in the top-right corner of the screen.

Fill out the information in the same way as in the case of Cisco described above. Save the information as you will need it later.

Finish by clicking Add.

Your new branch should appear in the list in Clouds & Branches.

Click on the action button on the right and select Configuration guide to view the details of your branch. Keep this window open for later reference.

Now, navigate to your FortiGate configuration and under the Policy & Object section, go to Addresses. There, click on Create new and Address.

You now have to create two Addresses profiles - local and remote.

To set up your local profile, fill out the information as follows:

  • Type - select Subnet
  • IP/Netmask - type the address of FortiGate’s LAN subnet followed by the mask
  • Interface - this field is optional

To set up your remote profile, fill out the form as follows:

  • Type - select Subnet
  • IP/Netmask - type the address of your GoodAccess gateway subnet followed by the mask
  • Interface - this field is optional

Next, navigate to IPsec Tunnels under the VPN section and click Create New and then IPsec Tunnel.

Select Custom and click Next.

Here, you have to edit all the sections as indicated below.

In Network, click Edit and fill out the following:

  • Remote Gateway - select Static IP Address
  • IP Address - type the IP address of your GoodAccess gateway
  • Interface - select WAN (depending on your site)
  • NAT Traversal - this setting is optional
  • Deed Peer Detection - select On Demand
  • Configure the rest according to the screenshot below

In Authentication, click Edit and fill out the following:

  • Method - select Pre-shared Key
  • Pre-shared Key - type the password you set in GoodAccess

IKE - choose version 2

In Phase 1 Proposal, click Edit and enter the same settings as you configured in GoodAccess.

In Phase 2 Selectors, click Edit and fill out the following:

  • Local Address - select the local address profile you created earlier
  • Remote Address - select the remote address profile from earlier
  • Configure with the same settings you used in GoodAccess at the beginning

Next, you need to configure routing.

In the Network section, go to Static Routes and click Create new.

Fill out the fields as follows:

Destination - choose Subnet and enter your GoodAccess gateway subnet IP followed by mask

The next step is to define the policy.

Go to the Policy & Objectives section and then Firewall Policy. Here, click Create New and fill out the following:

  • Incoming Interface - select your IPsec tunnel
  • Outgoing Interface - select LAN (depending on your site)
  • Source - add your remote address profile from earlier
  • Destination -  add your local address profile from earlier
  • Schedule and Service - up to you
  • Action - select Accept
  • Inspection Mode - select Flow-based

Finally, you need to create the policy once more, with the following changes:

  • The values of Incoming and Outgoing Interfaces are switched
  • The values of Source and Destination are switched.

Your FortiGate router is now part of your virtual infrastructure. However, you still need to add the local resources via Systems. Click here to see how to do that.

How to add a MikroTik router

In your GoodAccess Control Panel, go to Clouds & Branches and add a new branch by clicking Add new.

Fill out the details as follows:

  • Name - choose a name (e.g. London Office)
  • Type - select Branch
  • Subnet - enter the private subnet of your branch LAN residing behind your MikroTik (e.g. 192.168.88.1/24)
  • Gateway - choose a gateway you want to connect to
  • Protocol - select IKEv2

Now you will receive all the details and files you will need to configure your MikroTik.

Keep this window open until you have connected your MikroTik to GoodAccess.

Important: For security reasons, you cannot redisplay the password after you have closed this window. If you lose your password, you can generate a new one. We strongly recommend that you save it in a secure password manager.

Next, upload the following files to MikroTik's Files:

  • Setup files (extract the archive before uploading) from previous. (Ca.crt, user-key.key, user-cert.crt)
  • Download and upload this script to MikroTik's Files.

When you have uploaded the scripts, open the Mikrotik Terminal and run the following command:

/import ga-setup-branch.rsc

Then fill out the details as follows:

  • Username - enter the VPN username (from earlier)
  • Password - enter the VPN password (from earlier)
  • Gateway address - enter the Hostname of your GoodAccess gateway (from earlier)
  • Gateway subnet - enter the GoodAccess gateway subnet (from earlier)
  • Your local network - enter the private subnet of the branch LAN behind the MikroTik
  • What is CA certificate name - enter the name of the CA Certificate file stored in your MikroTik files (from earlier)

If all goes well, you should get a message reading "Script file loaded and executed successfully.”

Check the connection in IP -> IPsec -> Policies and Active Peers.

You can also check the connection in the Configuration Guide window (earlier step) or via the Action button in Clouds & Branches.

Finally, you need to define your local resources in Systems to be able to access them. See this guide to see how to do that.

Related Posts

Dedicated IP Address vs Static IP Address: Are they the same?

Networking
Business VPN
5
m read /
Jun 16, 2022
/ by
Petr Pecha

How to Customize the GoodAccess Threat Blocker

Knowledgebase
Networking
Network Security
3
m read /
May 19, 2022
/ by
Petr Pecha

IPsec VPN Explained | How IPsec works | IPsec vs SSL

Business VPN
Knowledgebase
Remote Access
10
m read /
May 17, 2022
/ by
Lukas Dolnicek

SDP vs VPN: All You Need to Know

Business VPN
Networking
Network Security
9
m read /
Apr 28, 2022
/ by
Petr Pecha

VPN vs HTTPS: Do You Need a VPN When Most Online Traffic Is Encrypted?

Business VPN
Networking
Network Security
Hackers
8
m read /
Apr 14, 2022
/ by
Petr Pecha

How to Set up Secure Remote Access to Google Cloud

Business VPN
Networking
Home Office
Knowledgebase
4
m read /
Feb 22, 2022
/ by
Petr Pecha

How to Set up Secure Remote Access to Microsoft Azure

Business VPN
Networking
Home Office
Knowledgebase
4
m read /
Feb 21, 2022
/ by
Petr Pecha

How to Manage Access Control in GoodAccess

Knowledgebase
Business VPN
Home Office
Networking
4
m read /
Feb 15, 2022
/ by
Petr Pecha

How to Secure Remote Access to AWS

Business VPN
Networking
Home Office
Knowledgebase
6
m read /
Feb 3, 2022
/ by
Petr Pecha

Speed Up Login to GoodAccess With SSO

Knowledgebase
Networking
8
m read /
Jan 26, 2022
/ by
Petr Pecha

Improve Your Cloud VPN Security With MFA

Business VPN
Knowledgebase
7
m read /
Jan 25, 2022
/ by
Petr Pecha

Remote Access VPN vs. Site-to-Site VPN? Get the Benefits of Both

Business VPN
Networking
Remote Access
Knowledgebase
6
m read /
Dec 21, 2021
/ by
Lukas Dolnicek

Software Development: Top 5 VPN Use Cases to Implement Right Now

Remote Access
Network Security
Knowledgebase
10
m read /
Dec 1, 2021
/ by
Lukas Dolnicek

Usage and Differences between Static and Dynamic IP Address

Networking
Knowledgebase
5
m read /
Sep 20, 2021
/ by
Lukas Dolnicek
Go back
Back
Go back
Back
FEATURES
Cloud VPNZero Trust NetworkSoftware Defined PerimeterPricingCreate Free AccountHow Secure is GoodAccess35+ Gateways Worldwide
RESOURCES
Product TourSupport PortalDownload AppsBlogWhat is Business Cloud VPNVPN with Static IP ExplainedWhat is IP WhitelistingDNS Filtering ExplainedZero Trust Network Access
PARTNERS
Affiliate ProgramPartner Program
COMPANY
ContactReferencesNewsroomCareers
Facebook icon LinkedIn iconTwitter icon
GoodAccess Logo white
GoodAccess s.r.o. / Acceptable Usage Policy / Terms & Conditions / Privacy Policy

This website is using cookies for providing services, advertisement personalization, and visitors analytics purposes. By using this website you agree with using cookies.