Connection between Two Private Networks Using IPSec VPN

This example shows how to create IPSec VPN tunnels to encrypt and protect the communication between two private networks. Typically, an IPSec VPN tunnel connects Device A in a branch office with Device B in the headquarters.

* Note: This topology uses a laboratory environment. In this recipe, 10.10.1.0/24 represents the public network.

Device A

Step 1: Configuring interface

1. Configuring the interface connected to private network

Select Network > Interface, and double click ethernet0/1.

  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • Type: Static IP
  • IP Address: 192.168.1.1
  • Netmask: 255.255.255.0

2. Configuring the interface connected to Internet

Select Network > Interface, and double click ethernet0/2.

  • Binding Zone: Layer 3 Zone
  • Zone: untrust
  • Type: Static IP
  • IP Address: 10.10.1.1
  • Netmask: 255.255.255.0

Step 2: Configuring security policies

1. Creating a policy to allow private network to visit Internet

Select Policy > Security Policy, and click New.

  • Name: trust_untrust
  • Source Information
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: untrust
    • Address: Any
  • Other Information
    • Action: Permit

2. Creating a security policy to allow the Internet to visit the private network

Select Policy > Security Policy, and click New.

  • Name: untrust_trust
  • Source Information
    • Zone: untrust
    • Address: Any
  • Destination
    • Zone: trust
    • Address: Any
  • Other Information
    • Action: Permit

Step 3: Configuring IPSec VPN

1. Configuring P1 proposal for IKE SA

Select Network > VPN > IPSec VPN, under the P1 Proposal tab, click New.

  • Proposal Name: Headquarter_to_Branch_P1
  • Authentication: Pre-share
  • Hash: SHA
  • Encryption: 3DES

2. Configuring P2 proposal for IPSec SA

Select Network > VPN > IPSec VPN, under the P2 Proposal tab, click New.

  • Proposal Name: Headquarter_to_Branch_P2
  • Authentication: ESP
  • Hash: SHA
  • Encryption: 3DES

3. Configuring VPN peer

Select Network > VPN > IPSec VPN, under the VPN Peer List tab, click New.

  • Name: Headquarter_to_Branch
  • Interface: ethernet0/2
  • Mode: Main
  • Type: Static IP
  • Peer IP: 10.10.1.2
  • Proposal 1: Headquarter_to_Branch_P1
  • Pre-share Key: 123456

4. Configuring IKE VPN

Select Network > VPN > IPSec VPN, under the IKE VPN List tab, click New.

  • Peer Name: Headquarter_to_Branch
  • Tunnel Name: Tunnel
  • Mode: tunnel
  • P2 Proposal: Headquarter_to_Branch_P2

Step 4: Creating tunnel interface

Select Network > Interface, and click New > Tunnel Interface.

  • Basic
    • Name: 1
    • Zone: untrust
  • Tunnel Binding
    • Tunnel Type: IPSec VPN
    • VPN Name: Tunnel

Step 5: Configuring route

Select Network > Routing > Destination Routing, and click New.

  • Destination: 192.168.2.0
  • Subnet Mask: 24
  • Next Hop: Interface
  • Interface: tunnel1

Device B

Step 1: Configuring interface

1. Configuring the interface connected to private network

Select Network > Interface, and double click ethernet0/1.

  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • Type: Static IP
  • IP Address: 192.168.2.1
  • Netmask: 255.255.255.0

2. Configuring the interface connected to Internet

Select Network > Interface, and double click ethernet0/2.

  • Binding Zone: Layer 3 Zone
  • Zone: untrust
  • Type: Static IP
  • IP Address: 10.10.1.2
  • Netmask: 255.255.255.0

Step 2: Configuring security policies

1. Creating a policy to allow private network to visit Internet

Select Policy > Security Policy, and click New.

  • Name: trust_untrust
  • Source Information
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: untrust
    • Address: Any
  • Other Information
    • Action: Permit

2. Creating a security policy to allow the Internet to visit the private network

Select Policy > Security Policy, and click New.

  • Name: untrust_trust
  • Source Information
    • Zone: untrust
    • Address: Any
  • Destination
    • Zone: trust
    • Address: Any
  • Other Information
    • Action: Permit

Step 3: Configuring IPSec VPN

1. Configuring P1 proposal for IKE SA

Select Network > VPN > IPSec VPN, under the P1 Proposal tab, click New.

  • Proposal Name: Branch_to_Headquarter_P1
  • Authentication: Pre-share
  • Hash: SHA
  • Encryption: 3DES

2. Configuring P2 proposal for IPSec SA

Select Network > VPN > IPSec VPN, under the P2 Proposal tab, click New.

  • Proposal Name: Branch_to_Headquarter_P2
  • Authentication: ESP
  • Hash: SHA
  • Encryption: 3DES

3. Configuring VPN peer

Select Network > VPN > IPSec VPN, under the VPN Peer List tab, click New.

  • Name: Branch_to_Headquarter
  • Interface: ethernet0/2
  • Mode: Main
  • Type: Static IP
  • Peer IP: 10.10.1.2
  • Proposal 1: Branch_to_Headquarter_P1
  • Pre-share Key: 123456

4. Configuring IKE VPN

Select Network > VPN > IPSec VPN, under the IKE VPN List tab, click New.

  • Peer Name: Branch_to_Headquarter
  • Tunnel Name: Tunnel
  • Mode: tunnel
  • P2 Proposal: Branch_to_Headquarter_P2

Step 4: Creating tunnel interface

Select Network > Interface, and click New > Tunnel Interface.

  • Basic
    • Name: 1
    • Zone: untrust
  • Tunnel Binding
    • Tunnel Type: IPSec VPN
    • VPN Name: Tunnel

Step 5: Configuring route

Select Network > Routing > Destination Routing, and click New.

  • Destination: 192.168.1.0
  • Subnet Mask: 24
  • Next Hop: Interface
  • Interface: tunnel1

Step 6: Results

Use PC1 in the headquarters to ping PC2 in the branch. It works.

Step 7: Check if IPSec VPN tunnel has been established

Go to Network > VPN > IPSec VPN, and click IPSec VPN Monitor in the top right corner. Under the ISAKMP SA tab and the IPSec SA tab, you will see the status of the tunnel.
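
A site-to-site tunnel only comes up when both ends mirror each other, so the two devices' settings are worth checking side by side before relying on the ping test. The script below is an added example, not part of the vendor's recipe: it takes the values listed above for Device A and Device B and reports mismatches and weak settings. The dictionary layout, the finding codes, the 20-character key threshold and the reading of "SHA" as SHA-1 are assumptions of this example.

```python
import ipaddress

# Values transcribed from the recipe above; the dict layout and key names
# are this example's own, not a device export format.
COMMON = {"psk": "123456", "p1": ("SHA", "3DES"), "p2": ("SHA", "3DES"),
          "untrust_trust": ("Any", "Any", "Permit")}
DEVICE_A = dict(COMMON, wan_ip="10.10.1.1", lan="192.168.1.0/24",
                peer_ip="10.10.1.2", route="192.168.2.0/24")
DEVICE_B = dict(COMMON, wan_ip="10.10.1.2", lan="192.168.2.0/24",
                peer_ip="10.10.1.2", route="192.168.1.0/24")

# "SHA" is assumed here to mean SHA-1; check what the device actually negotiates.
WEAK = {"3DES": "64-bit block cipher", "DES": "56-bit key",
        "SHA": "assumed to mean SHA-1", "MD5": "broken hash"}


def audit_side(name, local, remote):
    """Return (device, code, detail) findings for one end of the tunnel."""
    out = []
    if local["peer_ip"] == local["wan_ip"]:
        out.append((name, "PEER_IS_SELF", "Peer IP equals this device's own address"))
    elif local["peer_ip"] != remote["wan_ip"]:
        out.append((name, "PEER_MISMATCH", "Peer IP is not the remote untrust address"))
    if ipaddress.ip_network(local["route"]) != ipaddress.ip_network(remote["lan"]):
        out.append((name, "ROUTE_MISMATCH", "tunnel route is not the remote private subnet"))
    for phase in ("p1", "p2"):
        if local[phase] != remote[phase]:
            out.append((name, phase.upper() + "_MISMATCH", "proposals differ between peers"))
        for alg in local[phase]:
            if alg in WEAK:
                out.append((name, "WEAK_" + alg, phase.upper() + ": " + WEAK[alg]))
    if local["psk"] != remote["psk"]:
        out.append((name, "PSK_MISMATCH", "pre-share keys differ"))
    if len(local["psk"]) < 20 or local["psk"].isdigit():  # threshold is an assumption
        out.append((name, "WEAK_PSK", "short or digits-only pre-share key"))
    if local["untrust_trust"] == ("Any", "Any", "Permit"):
        out.append((name, "OPEN_INBOUND", "untrust to trust permits Any to Any; "
                    "scope it to remote subnet -> local subnet"))
    return out


def audit(a, b):
    return audit_side("A", a, b) + audit_side("B", b, a)


if __name__ == "__main__":
    for device, code, detail in audit(DEVICE_A, DEVICE_B):
        print(f"Device {device}: {code}: {detail}")
```

On the values as listed, it reports that Device B's Peer IP equals its own ethernet0/2 address, and flags the 3DES/SHA proposals, the 123456 key and the Any-to-Any untrust_trust policy on both devices.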