How to Use the Branch Connector in GoodAccess

An earlier article described the software defined perimeter and how GoodAccess implements it via the Branch and Cloud Connector. This guide will show you how to work with the Branch Connector and how to successfully establish connections between your branches and virtual network.

Table of contents

1. What is the Branch Connector?
2. How to connect a branch to GoodAccess
3. How to add a Cisco router
4. Enabling dead peer detection
5. How to add a FortiGate router
6. How to add a MikroTik router

What is the Branch Connector?

The Branch & Cloud Connector is a built-in mechanism that allows you to connect branch routers and clouds to your GoodAccess virtual infrastructure easily and securely.

This approach is different from IP whitelisting, as using the Branch & Cloud Connector does not expose your static IP address to the internet.

How to connect a branch to GoodAccess

Below are guides on how to connect a branch router from three major appliance providers - Cisco, Fortinet, and MikroTik.

How to add a Cisco router

In your GoodAccess Control Panel, go to Clouds & Branches and click Add new.

‍

‍

Under Type, select Branch, and select the IPsec protocol. Then fill out the following information:

• Encryption and Integrity - up to you
• Diffie-Hellman Groups (both phases) - select 2 - modp1024

‍

‍

Your new branch should appear in the list of branches.

‍

‍

Select the Configuration Guide from the Edit Branch menu on the right to display all the details you will need to configure in your Cisco router. Keep this window open for later reference.

‍

‍

Now, navigate to your Cisco router configuration and under the VPN section, go to IPsec Profiles.

Here, fill out the following:

• Profile name - up to you
• Keying mode - select Auto
• IKE Version - select IKEv2

‍

‍

Switch to Site-To-Site and fill out the fields as follows:

• Connection name - up to you
• IPsec Profile - select the profile you created for the VPN

Remote Endpoint - select Static IP and type in the IP address of your GoodAccess gateway

‍

‍

Below, fill out the Local Group Setup.

• Local Identifier Type - select Local WAN IP
• Local Identifier - type in your public IP address (it should be filled out automatically)
• Local IP Type - select Subnet
• IP Address - type the IP address of your network
• Subnet Mask - type your subnet mask

Then, below, fill out the Remote Group Setup.

• Remote Identifier Type - select Remote WAN IP
• Remote Identifier - type the IP address of your GoodAccess gateway
• Remote IP Type - select Subnet
• IP Address - type the GoodAccess gateway subnet address

Subnet Mask - type “255.255.252.0”

‍

‍

Your Cisco router has been added to your GoodAccess infrastructure and is facilitating connection to your LAN resources. However, you still need to add the local resources via Systems. Click here to see how to do that.

Enabling dead peer detection

Optionally, if you want to enable dead peer detection (DPD), switch to the Advanced Setup tab in the Site-To-Site section of your router configuration and check DPD Enable.

‍

‍

Then, click on the red floppy disk icon at the top of your screen. This will take you to Configuration Management. Here, click Apply.

How to add a FortiGate router

In your GoodAccess Control Panel, go to Clouds & Branches and click Add new in the top-right corner of the screen.

‍

‍

Fill out the information in the same way as in the case of Cisco described above. Save the information as you will need it later.

Finish by clicking Add.

‍

‍

Your new branch should appear in the list in Clouds & Branches.

‍

‍

Click on the action button on the right and select Configuration guide to view the details of your branch. Keep this window open for later reference.

‍

‍

Now, navigate to your FortiGate configuration and under the Policy & Object section, go to Addresses. There, click on Create new and Address.

‍

‍

You now have to create two Addresses profiles - local and remote.

To set up your local profile, fill out the information as follows:

• Type - select Subnet
• IP/Netmask - type the address of FortiGate’s LAN subnet followed by the mask
• Interface - this field is optional

‍

‍

To set up your remote profile, fill out the form as follows:

• Type - select Subnet
• IP/Netmask - type the address of your GoodAccess gateway subnet followed by the mask
• Interface - this field is optional

‍

‍

Next, navigate to IPsec Tunnels under the VPN section and click Create New and then IPsec Tunnel.

‍

‍

Select Custom and click Next.

‍

‍

Here, you have to edit all the sections as indicated below.

‍

‍

In Network, click Edit and fill out the following:

• Remote Gateway - select Static IP Address
• IP Address - type the IP address of your GoodAccess gateway
• Interface - select WAN (depending on your site)
• NAT Traversal - this setting is optional
• Deed Peer Detection - select On Demand
• Configure the rest according to the screenshot below

‍

‍

In Authentication, click Edit and fill out the following:

• Method - select Pre-shared Key
• Pre-shared Key - type the password you set in GoodAccess

IKE - choose version 2

‍

‍

In Phase 1 Proposal, click Edit and enter the same settings as you configured in GoodAccess.

‍

‍

In Phase 2 Selectors, click Edit and fill out the following:

• Local Address - select the local address profile you created earlier
• Remote Address - select the remote address profile from earlier
• Configure with the same settings you used in GoodAccess at the beginning

‍

‍

Next, you need to configure routing.

In the Network section, go to Static Routes and click Create new.

‍

‍

Fill out the fields as follows:

Destination - choose Subnet and enter your GoodAccess gateway subnet IP followed by mask

‍

‍

The next step is to define the policy.

Go to the Policy & Objectives section and then Firewall Policy. Here, click Create New and fill out the following:

• Incoming Interface - select your IPsec tunnel
• Outgoing Interface - select LAN (depending on your site)
• Source - add your remote address profile from earlier
• Destination -  add your local address profile from earlier
• Schedule and Service - up to you
• Action - select Accept
• Inspection Mode - select Flow-based

‍

‍

Finally, you need to create the policy once more, with the following changes:

• The values of Incoming and Outgoing Interfaces are switched
• The values of Source and Destination are switched.

Your FortiGate router is now part of your virtual infrastructure. However, you still need to add the local resources via Systems. Click here to see how to do that.

How to add a MikroTik router

In your GoodAccess Control Panel, go to Clouds & Branches and add a new branch by clicking Add new.

‍

‍

Fill out the details as follows:

• Name - choose a name (e.g. London Office)
• Type - select Branch
• Subnet - enter the private subnet of your branch LAN residing behind your MikroTik (e.g. 192.168.88.1/24)
• Gateway - choose a gateway you want to connect to
• Protocol - select IKEv2

‍

‍

Now you will receive all the details and files you will need to configure your MikroTik.

Keep this window open until you have connected your MikroTik to GoodAccess.

Important: For security reasons, you cannot redisplay the password after you have closed this window. If you lose your password, you can generate a new one. We strongly recommend that you save it in a secure password manager.

‍

‍

Next, upload the following files to MikroTik's Files:

When you have uploaded the scripts, open the Mikrotik Terminal and run the following command:

‍

‍

Then fill out the details as follows:

• Username - enter the VPN username (from earlier)
• Password - enter the VPN password (from earlier)
• Gateway address - enter the Hostname of your GoodAccess gateway (from earlier)
• Gateway subnet - enter the GoodAccess gateway subnet (from earlier)
• Your local network - enter the private subnet of the branch LAN behind the MikroTik
• What is CA certificate name - enter the name of the CA Certificate file stored in your MikroTik files (from earlier)

If all goes well, you should get a message reading "Script file loaded and executed successfully.”

Check the connection in IP -> IPsec -> Policies and Active Peers.

You can also check the connection in the Configuration Guide window (earlier step) or via the Action button in Clouds & Branches.

‍

‍

Finally, you need to define your local resources in Systems to be able to access them. See this guide to see how to do that.