Site to Site VPN using GUI

Item    Data
USG_A   (1) Interface number: GigabitEthernet 0/0/1
            IP address: 10.1.1.1/24
            Zone: Trust
        (2) Interface number: GigabitEthernet 0/0/2
            IP address: 200.1.1.1/24
            Zone: Untrust
        IPSec configuration:
            IKE version: V1 and V2
            IKE negotiation mode: main mode
            Local ID type of IKE: IP
            IKE pre-shared key: abcde
            IKE peer address: fixed IP address, 200.10.1.1
            IPSec encapsulation mode: Tunnel mode
            IPSec security protocol: ESP
USG_B   (3) Interface number: GigabitEthernet 0/0/2
            IP address: 200.10.1.1/24
            Zone: Untrust
        (4) Interface number: GigabitEthernet 0/0/1
            IP address: 192.168.1.1/24
            Zone: Trust
        IPSec configuration:
            IKE version: V1 and V2
            IKE negotiation mode: main mode
            Local ID type of IKE: IP
            IKE pre-shared key: abcde
            IKE peer address: fixed IP address, 200.1.1.1
            IPSec encapsulation mode: Tunnel mode
            IPSec security protocol: ESP
Configure USG_A.
Step#1
1. Configure the basic parameters of the interfaces.
   a. Choose Network > Interface > Interface.
   b. In Interface List, click the edit icon of GE0/0/1.
   c. On the Modify GigabitEthernet Interface page, configure the following parameters:
      Zone: trust
      IP Address: 10.1.1.1
      Subnet Mask: 255.255.255.0
      Other parameters are set to the default values.
   d. Click Apply.
   e. In Interface List, click the edit icon of GE0/0/2.
   f. On the Modify GigabitEthernet Interface page, configure the following parameters:
      Zone: untrust
      IP Address: 200.1.1.1
      Subnet Mask: 255.255.255.0
      Other parameters are set to the default values.
   g. Click Apply.
Step#2
For the USG, configure interzone packet filtering to ensure normal network communication. For the USG BSR/HSR, this operation is not required.
a. Configure the security policy between the Local zone and the Untrust zone. The Local zone is the firewall itself, so this rule is what lets the peer's IKE and ESP packets reach USG_A.
   1. Choose Firewall > Security Policy > Local Policy.
   2. In Local Policy, click Add and configure the following parameters:
      Source Zone: untrust
      Source Address: 200.10.1.0/24
      Action: permit
   3. Click Apply.
b. Configure the security policy between the Trust zone and the Untrust zone, in both directions.
   1. Choose Firewall > Security Policy > Forward Policy.
   2. In Forward Policy List, click Add and configure the following parameters:
      Source Zone: trust
      Destination Zone: untrust
      Source Address: 10.1.1.0/24
      Destination Address: 192.168.1.0/24
      Action: permit
   3. Click Apply.
   4. Choose Firewall > Security Policy > Forward Policy.
   5. In Forward Policy List, click Add and configure the following parameters:
      Source Zone: untrust
      Destination Zone: trust
      Source Address: 192.168.1.0/24
      Destination Address: 10.1.1.0/24
      Action: permit
   6. Click Apply.
Step#3
Configure a static route from USG_A to network B, with the next-hop IP address 200.1.1.2.
a. Choose Route > Static > Static Route.
b. In Static Route List, click Add.
c. On the Add Static Route page, configure the following parameters:
   Destination Address: 192.168.1.0
   Mask: 255.255.255.0
   Next Hop: 200.1.1.2
   Other parameters are set to the default values.
d. Click Apply.
Step#4
Configure IKE phase 1 and IKE phase 2.
a. Choose VPN > IPSec > IKE Negotiation.
b. Click Phase 1.
c. Set the IKE phase 1 parameters on the Add Phase 1 page, as shown in Figure 10-12. Among the parameters, Pre-Shared Key is set to abcde.
Figure 10-12 Configuring IKE phase 1 of USG_A
d. Click Apply.
e. Click the icon next to ike_a to create IKE phase 2.
f. Configure the IKE phase 2 parameters on the Add Phase 2 page, as shown in Figure 10-13.
Figure 10-13 Configuring IKE phase 2 of USG_A
g. Click Apply.
Step#5
Apply the IPSec policy.
a. Choose VPN > IPSec > IPSec Policy.
b. Click Add.
c. On the Add IPSec Policy page, configure the data flows to be protected by the IPSec tunnel, as shown in Figure 10-14.
Figure 10-14 Configuring on USG_A the data flows to be protected
d. Click Apply.
Step#6
Bind the IPSec policy to the interface.
a. Choose VPN > IPSec > IPSec Policy.
b. Click Applied to interface: - NONE - of policy1.
c. Select GE0/0/2 from the drop-down list.
d. Click Apply.
Configure USG_B.
Step#1
1. Configure the basic parameters of the interfaces.
   a. Choose Network > Interface > Interface.
   b. In Interface List, click the edit icon of GE0/0/1.
   c. On the Modify GigabitEthernet Interface page, configure the following parameters:
      Zone: trust
      IP Address: 192.168.1.1
      Subnet Mask: 255.255.255.0
      Other parameters are set to the default values.
   d. Click Apply.
   e. In Interface List, click the edit icon of GE0/0/2.
   f. On the Modify GigabitEthernet Interface page, configure the following parameters:
      Zone: untrust
      IP Address: 200.10.1.1
      Subnet Mask: 255.255.255.0
      Other parameters are set to the default values.
   g. Click Apply.
Step#2
2. For the USG, configure interzone packet filtering to ensure normal network communication. For the USG BSR/HSR, this operation is not required.
   a. Configure the security policy between the Local zone and the Untrust zone. The Local zone is the firewall itself, so this rule is what lets the peer's IKE and ESP packets reach USG_B.
      1. Choose Firewall > Security Policy > Local Policy.
      2. In Local Policy, click Add and configure the following parameters:
         Source Zone: untrust
         Source Address: 200.1.1.0/24
         Action: permit
      3. Click Apply.
   b. Configure the security policy between the Trust zone and the Untrust zone, in both directions.
      1. Choose Firewall > Security Policy > Forward Policy.
      2. In Forward Policy List, click Add and configure the following parameters:
         Source Zone: trust
         Destination Zone: untrust
         Source Address: 192.168.1.0/24
         Destination Address: 10.1.1.0/24
         Action: permit
      3. Click Apply.
      4. Choose Firewall > Security Policy > Forward Policy.
      5. In Forward Policy List, click Add and configure the following parameters:
         Source Zone: untrust
         Destination Zone: trust
         Source Address: 10.1.1.0/24
         Destination Address: 192.168.1.0/24
         Action: permit
      6. Click Apply.
Step#3
3. Configure a static route from USG_B to network A, with the next-hop IP address 200.10.1.2.
   a. Choose Route > Static > Static Route.
   b. In Static Route List, click Add.
   c. On the Add Static Route page, configure the following parameters:
      Destination Address: 10.1.1.0
      Mask: 255.255.255.0
      Next Hop: 200.10.1.2
      Other parameters are set to the default values.
   d. Click Apply.
Step#4
4. Configure IKE phase 1 and IKE phase 2.
   a. Choose VPN > IPSec > IKE Negotiation.
   b. Click Phase 1.
   c. Configure the IKE phase 1 parameters on the Add Phase 1 page, as shown in Figure 10-15. Among the parameters, Pre-Shared Key is set to abcde.
   Figure 10-15 Configuring IKE phase 1 of USG_B
   d. Click Apply.
   e. Click the icon next to ike_b to create IKE phase 2.
   f. Configure the IKE phase 2 parameters on the Add Phase 2 page, as shown in Figure 10-16.
   Figure 10-16 Configuring IKE phase 2 of USG_B
   g. Click Apply.
Step#5
5. Apply the IPSec policy.
   a. Choose VPN > IPSec > IPSec Policy.
   b. Click Add.
   c. On the Add IPSec Policy page, configure the data flows to be protected by the IPSec tunnel, as shown in Figure 10-17.
   Figure 10-17 Configuring on USG_B the data flows to be protected
   d. Click Apply.
Step#6
6. Bind the IPSec policy to the interface.
   a. Choose VPN > IPSec > IPSec Policy.
   b. Click Applied to interface: - NONE - of policy1.
   c. Select GE0/0/2 from the drop-down list.
   d. Click Apply.
Configuration Verification
1. After the configuration is complete, ping an IP address on network B from network A. The ping succeeds.
2. Check the establishment of security associations (SAs) on USG_A and USG_B. For example, on USG_A, if the following information is displayed, the IPSec tunnel is established successfully.
   a. Choose VPN > IPSec > Monitor.
   b. In IPSec Traffic Statistics, click Refresh to view the traffic statistics of all IPSec tunnels, as shown in Figure 10-18.
   Figure 10-18 Viewing IPSec traffic statistics on USG_A
   c. In SA Monitoring, select IKE SA List and click Refresh to view information about the established IKE SA, as shown in Figure 10-19.
   Figure 10-19 Viewing information about IKE SA on USG_A
   d. In SA Monitoring, select IPSec SA List and click Refresh to view information about the established IPSec SA, as shown in Figure 10-20.
   Figure 10-20 Viewing information about IPSec SA on USG_A
Site to Site VPN Using CLI

Item    Data
USG_A   (1) Interface: GigabitEthernet 0/0/1
            IP address: 10.1.1.1/24
        (2) Interface: GigabitEthernet 0/0/2
            IP address: 202.38.163.1/24
        IPSec configuration:
            Encapsulation mode: tunnel mode
            Security protocol: ESP
            ESP authentication algorithm: SHA1
            ESP encryption algorithm: AES
            IKE negotiation mode: main mode
            IKE pre-shared key: abcde
            IKE authentication type: IP
            IKE peer address: 202.38.169.1
            IKE version: IKEv2
USG_B   (3) Interface: GigabitEthernet 0/0/2
            IP address: 202.38.169.1/24
        (4) Interface: GigabitEthernet 0/0/1
            IP address: 10.1.2.1/24
        IPSec configuration:
            Encapsulation mode: tunnel mode
            Security protocol: ESP
            ESP authentication algorithm: SHA1
            ESP encryption algorithm: AES
            IKE negotiation mode: main mode
            IKE pre-shared key: abcde
            IKE authentication type: IP
            IKE peer address: 202.38.163.1
            IKE version: IKEv2
Step#1
For the USG, add interfaces to corresponding security zones and
configure interzone packet filtering to ensure normal network
communication. Details are omitted. For the USG BSR/HSR, these
operations are not required.
Step#2
Set the IP addresses of the interfaces as shown in Figure 10-5 and in the table at the start of this section. Details are omitted.
Step#3
Create an advanced ACL on USG_A and USG_B to define the data flow to be protected.
# Create an ACL on USG_A to permit the traffic from 10.1.1.0/24 to 10.1.2.0/24.
[USG_A] acl 3000
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
# Create an ACL on USG_B to permit the traffic from 10.1.2.0/24 to 10.1.1.0/24.
[USG_B] acl 3000
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
Step#4
Create a static route on USG_A and USG_B.
# Create on USG_A a static route to network B, and set the next hop to 202.38.163.2.
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2
# Create on USG_B a static route to network A, and set the next hop to 202.38.169.2.
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2
Step#5
Configure an IPSec proposal on USG_A and USG_B.
# Configure an IPSec proposal on USG_A.
[USG_A] ipsec proposal tran1
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
# By default, the encapsulation mode is tunnel mode. If you use the default mode, skip the command for configuring the encapsulation mode.
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
# By default, the security protocol is ESP, the ESP authentication algorithm is SHA1, and the ESP encryption algorithm is AES. If you use the default settings, skip the commands for configuring the security protocol, authentication algorithm, and encryption algorithm.
# Configure an IPSec proposal on USG_B.
[USG_B] ipsec proposal tran1
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
# By default, the encapsulation mode is tunnel mode. If you use the default mode, skip the command for configuring the encapsulation mode.
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
# By default, the security protocol is ESP, the ESP authentication algorithm is SHA1, and the ESP encryption algorithm is AES. If you use the default settings, skip the commands for configuring the security protocol, authentication algorithm, and encryption algorithm.
Step#6
Configure an IKE proposal on USG_A and USG_B.
# Configure an IKE proposal on USG_A.
[USG_A] ike proposal 10
[USG_A-ike-proposal-10] authentication-method pre-share
# The default IKE authentication method is pre-shared key authentication. If you choose to use the default IKE authentication method, skip the command for specifying the authentication method.
[USG_A-ike-proposal-10] authentication-algorithm sha1
# The default IKE authentication algorithm is SHA1. If you choose to use the default authentication algorithm, skip the command for specifying the authentication algorithm.
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
# The default IKE integrity algorithm is HMAC-SHA1-96. If you choose to use the default integrity algorithm, skip the command for specifying the integrity algorithm.
[USG_A-ike-proposal-10] quit
# Configure an IKE proposal on USG_B.
[USG_B] ike proposal 10
[USG_B-ike-proposal-10] authentication-method pre-share
# The default IKE authentication method is pre-shared key authentication. If you choose to use the default IKE authentication method, skip the command for specifying the authentication method.
[USG_B-ike-proposal-10] authentication-algorithm sha1
# The default IKE authentication algorithm is SHA1. If you choose to use the default authentication algorithm, skip the command for specifying the authentication algorithm.
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
# The default IKE integrity algorithm is HMAC-SHA1-96. If you choose to use the default integrity algorithm, skip the command for specifying the integrity algorithm.
[USG_B-ike-proposal-10] quit
Step#7
Configure the IKE peer.
By default, IKE peers use IKEv2.
# Configure the IKE peer on USG_A.
[USG_A] ike peer b
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
# Configure the IKE peer on USG_B.
[USG_B] ike peer a
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
Step#8
Create an IPSec policy on USG_A and USG_B.
# Create an IPSec policy on USG_A.
[USG_A] ipsec policy map1 10 isakmp
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
# Create an IPSec policy on USG_B.
[USG_B] ipsec policy map1 10 isakmp
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
Step#9
Apply the IPSec policies.
# On USG_A, apply the IPSec policy on interface (2).
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1
# On USG_B, apply the IPSec policy on interface (3).
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1
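Steps 3 to 9 only bring a tunnel up if the two sides are exact mirror images: each side's remote-address must be the address of the interface the other side bound its policy to, the pre-shared keys must match, the ACLs must describe the same flow in opposite directions, and the static route for the remote network must leave through the interface carrying the policy. The same holds for the GUI procedure earlier on this page, which sets the same parameters through forms. The script below is an added example, not part of this page or of Huawei's own tooling: it parses both sides' CLI lines (constructed here from the steps above, trimmed to what the checker reads, with the quit lines dropped and the ip address lines assumed from the table) and reports every asymmetry. All function and variable names are this example's own.

```python
"""Mirror-image checks for a two-site IPSec configuration (added example, not Huawei's tooling)."""
import ipaddress
import re
# Constructed from the CLI steps on the page and trimmed to the lines the checker reads
# ('quit' lines dropped); the 'ip address' lines are assumed from the Item/Data table.
USG_A_CONFIG = """
[USG_A] acl 3000
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2
[USG_A] ike peer b
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A] ipsec policy map1 10 isakmp
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ip address 202.38.163.1 255.255.255.0
[USG_A-GigabitEthernet0/0/2] ipsec policy map1
"""
USG_B_CONFIG = """
[USG_B] acl 3000
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2
[USG_B] ike peer a
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B] ipsec policy map1 10 isakmp
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ip address 202.38.169.1 255.255.255.0
[USG_B-GigabitEthernet0/0/2] ipsec policy map1
"""
# A typical mistake: one wildcard octet too many, so USG_B protects 10.1.0.0/16 instead of 10.1.1.0/24.
BROKEN_B_CONFIG = USG_B_CONFIG.replace("destination 10.1.1.0 0.0.0.255", "destination 10.1.1.0 0.0.255.255")
SECTIONS = {"acl": "acls", "ike": "peers", "ipsec": "policies", "interface": "ifaces"}


def wildcard_net(addr, wild):
    """VRP 'address wildcard' (wildcard 1-bits are don't-care) -> IPv4Network."""
    bits = int(ipaddress.IPv4Address(wild))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wild}")
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)


def parse_vrp(text):
    """Pull ACL flows, routes, IKE peers, IPSec policies and interfaces out of prompt-prefixed CLI lines."""
    cfg = {"host": None, "acls": {}, "routes": [], "peers": {}, "policies": {}, "ifaces": {}}
    ctx = None  # (section, name) of the object whose view we are in
    for m in re.finditer(r"^\[(\S+)\]\s+(.+)$", text, re.M):
        prompt, cmd = m.group(1), m.group(2).split()
        cfg["host"] = cfg["host"] or prompt
        if prompt == cfg["host"]:  # system view: a one-line command or the start of an object
            ctx = None
            if cmd[:2] == ["ip", "route-static"]:
                cfg["routes"].append((ipaddress.IPv4Network(f"{cmd[2]}/{cmd[3]}"), ipaddress.IPv4Address(cmd[4])))
            elif cmd[0] in SECTIONS:  # 'acl 3000', 'ike peer b', 'ipsec policy map1 10 isakmp', 'interface GigabitEthernet 0/0/2'
                name = "".join(cmd[1:]) if cmd[0] == "interface" else cmd[1 if cmd[0] == "acl" else 2]
                ctx = (SECTIONS[cmd[0]], name)
        elif ctx and cmd[0] != "quit":
            obj = cfg[ctx[0]].setdefault(ctx[1], [] if ctx[0] == "acls" else {})
            if cmd[:3] == ["rule", "permit", "ip"]:
                obj.append((wildcard_net(cmd[4], cmd[5]), wildcard_net(cmd[7], cmd[8])))
            elif cmd[0] in ("remote-address", "pre-shared-key", "ike-peer"):
                obj[cmd[0]] = cmd[1]
            elif cmd[:2] in (["security", "acl"], ["ipsec", "policy"]):
                obj[cmd[1]] = cmd[2]  # stored under 'acl' / 'policy'
            elif cmd[:2] == ["ip", "address"]:
                obj["ip"] = ipaddress.IPv4Interface(f"{cmd[2]}/{cmd[3]}")
    return cfg


def endpoint(cfg):
    """(policy interface address, IKE peer, protected flows) of the side's applied IPSec policy."""
    iface = next(i for i in cfg["ifaces"].values() if "policy" in i)
    pol = cfg["policies"][iface["policy"]]
    return iface["ip"], cfg["peers"][pol["ike-peer"]], set(cfg["acls"].get(pol["acl"], []))


def check_pair(text_a, text_b):
    """Return the mismatches between the two sides; an empty list means they mirror each other."""
    sides = [parse_vrp(text_a), parse_vrp(text_b)]
    errors = []
    for local, remote in (sides, sides[::-1]):
        host, (ip, peer, flows) = local["host"], endpoint(local)
        r_ip, r_peer, r_flows = endpoint(remote)
        if ipaddress.IPv4Address(peer["remote-address"]) != r_ip.ip:
            errors.append(f"{host}: remote-address {peer['remote-address']} is not {remote['host']}'s policy interface {r_ip.ip}")
        if peer["pre-shared-key"] != r_peer["pre-shared-key"]:
            errors.append(f"{host}: pre-shared key differs from {remote['host']}'s")
        if flows != {(d, s) for s, d in r_flows}:
            errors.append(f"{host}: ACL flows are not the mirror image of {remote['host']}'s")
        for _, dst in flows:  # each protected remote network must be routed out of the policy interface
            hop = next((h for net, h in local["routes"] if dst.subnet_of(net)), None)
            if hop is None:
                errors.append(f"{host}: no static route covers protected network {dst}")
            elif hop not in ip.network:
                errors.append(f"{host}: next hop {hop} is not on the policy interface subnet {ip.network}")
    return errors
```

check_pair(USG_A_CONFIG, USG_B_CONFIG) returns an empty list for the configuration on this page; check_pair(USG_A_CONFIG, BROKEN_B_CONFIG) reports the non-mirrored ACL from both sides plus the missing route for the oversized network on USG_B, which is the kind of mismatch that otherwise only surfaces as an IPSec SA that never appears in display ipsec sa. The pre-shared key abcde used throughout this page is a placeholder for the example; a production tunnel needs a long random key that is the same on both peers.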
Configuration Verification
If the configurations are correct, network A can ping network B, and the output of the display ike sa and display ipsec sa commands on USG_A and USG_B shows that the data is encrypted. Take USG_B as an example. If the following information is displayed, the IKE SA and IPSec SA are successfully established.