Vyatta – How to configure an IPSEC site to site VPN

This article shows the steps required to build a site-to-site IPsec VPN on Vyatta.

The example uses the following encryption domain:

            Local             Remote
Peer        2.2.2.2           1.1.1.1
Endpoint    192.168.3.0/24    172.16.0.0/16

NAT

First of all, two NAT rules are configured to ensure that traffic between the two endpoints is not NAT'd before it reaches the IPsec policy.

set nat source rule 10 destination address '172.16.0.0/16'
set nat source rule 10 source address '192.168.3.0/24'
set nat source rule 10 outbound-interface 'eth3'
set nat source rule 10 'exclude'

set nat source rule 20 source address '172.16.0.0/16'
set nat source rule 20 destination address '192.168.3.0/24'
set nat source rule 20 outbound-interface 'eth3'
set nat source rule 20 'exclude'

Phase1/2 Policies

Next, the Phase 1 (IKE) and Phase 2 (ESP) policies are defined. Note that even if you do not specify PFS within your Phase 2 policy, PFS is still enabled by default.

set vpn ipsec ike-group IKE-POLICY lifetime '86400'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'

set vpn ipsec esp-group ESP-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'

Configure VPN

Next, the VPN itself is configured: the policies defined above are assigned to the peer, the pre-shared secret is set, and the Proxy IDs (the local and remote prefixes of the tunnel) are defined.

Note: If the remote peer has a dynamic IP address, use 0.0.0.0 as the peer IP.

set vpn ipsec ipsec-interfaces interface 'eth3'

set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'abc123'
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix '192.168.3.0/24'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix '172.16.0.0/16'

Firewall Rules

Finally, the firewall rules are configured so that only traffic between the two endpoints is permitted on the inside interface, and only IPsec-protected traffic is accepted on the outside interface.

set firewall name INSIDE rule 10 action 'accept'
set firewall name INSIDE rule 10 destination address '172.16.0.0/16'
set firewall name INSIDE rule 10 source address '192.168.3.0/24'
set firewall name INSIDE rule 20 action 'drop'

set firewall name OUTSIDE rule 10 action 'accept'
set firewall name OUTSIDE rule 10 ipsec 'match-ipsec'
set firewall name OUTSIDE rule 20 action 'drop'

set interfaces ethernet eth1 firewall in name 'INSIDE'
set interfaces ethernet eth3 firewall in name 'OUTSIDE'
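As an added example, not part of the original article and not Vyatta's own tooling, the following Python script reads the set commands from the sections above as plain text and checks the points the procedure depends on: that each tunnel's local/remote prefix pair is excluded from source NAT, that the peer's IKE and ESP groups are actually defined, and that the inside firewall accepts the tunnel traffic. It also reports legacy proposal parameters; that list (dh-group 2 being 1024-bit MODP, sha1 being a legacy hash) is this example's own assumption and is not something the article states. The function names and the trimmed sample configuration are constructed here.

```python
"""Consistency checker for Vyatta-style 'set' commands (added example)."""
import shlex
from collections import defaultdict

# Constructed sample: the article's configuration, trimmed to the lines the
# checks read and with ASCII quotes.
SAMPLE_CONFIG = """
set nat source rule 10 destination address '172.16.0.0/16'
set nat source rule 10 source address '192.168.3.0/24'
set nat source rule 10 outbound-interface 'eth3'
set nat source rule 10 'exclude'
set vpn ipsec ike-group IKE-POLICY lifetime '86400'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'
set vpn ipsec esp-group ESP-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'abc123'
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix '192.168.3.0/24'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix '172.16.0.0/16'
set firewall name INSIDE rule 10 action 'accept'
set firewall name INSIDE rule 10 destination address '172.16.0.0/16'
set firewall name INSIDE rule 10 source address '192.168.3.0/24'
set firewall name INSIDE rule 20 action 'drop'
"""

# Legacy proposal parameters this checker reports (the example's own list,
# not the article's): dh-group 2 is 1024-bit MODP; sha1/md5/3des are legacy.
LEGACY = {("dh-group", "2"), ("hash", "sha1"), ("hash", "md5"), ("encryption", "3des")}


def parse_set_lines(text):
    """One token list per 'set ...' line, with the 'set' word and quotes removed."""
    return [shlex.split(ln.strip())[1:]
            for ln in text.splitlines() if ln.strip().startswith("set ")]


def nat_exclude_pairs(cmds):
    """(source, destination) prefix pairs covered by 'nat source' exclude rules."""
    rules = defaultdict(dict)
    for t in cmds:
        if t[:3] != ["nat", "source", "rule"]:
            continue
        rest = t[4:]
        if rest == ["exclude"]:
            rules[t[3]]["exclude"] = True
        elif len(rest) == 3 and rest[1] == "address":
            rules[t[3]][rest[0]] = rest[2]          # source / destination
    return {(r.get("source"), r.get("destination"))
            for r in rules.values() if r.get("exclude")}


def tunnels(cmds):
    """{(peer, tunnel-id): {'local': prefix, 'remote': prefix}} (the Proxy IDs)."""
    out = defaultdict(dict)
    for t in cmds:
        if (t[:3] == ["vpn", "ipsec", "site-to-site"] and len(t) == 10
                and t[5] == "tunnel" and t[8] == "prefix"):
            out[(t[4], t[6])][t[7]] = t[9]
    return out


def firewall_accepts(cmds, name):
    """(source, destination) prefix pairs accepted by the named firewall ruleset."""
    rules = defaultdict(dict)
    for t in cmds:
        if len(t) < 7 or t[:2] != ["firewall", "name"] or t[2] != name or t[3] != "rule":
            continue
        if t[5] == "action":
            rules[t[4]]["action"] = t[6]
        elif len(t) == 8 and t[6] == "address":
            rules[t[4]][t[5]] = t[7]
    return {(r.get("source"), r.get("destination"))
            for r in rules.values() if r.get("action") == "accept"}


def check_config(text, inside_firewall="INSIDE"):
    """Return a list of findings (empty list means every check passed)."""
    cmds = parse_set_lines(text)
    findings = []
    excluded, accepted = nat_exclude_pairs(cmds), firewall_accepts(cmds, inside_firewall)
    for (peer, tid), pfx in tunnels(cmds).items():
        pair = (pfx.get("local"), pfx.get("remote"))
        if pair not in excluded:   # would be source-NAT'd before IPsec sees it
            findings.append(f"peer {peer} tunnel {tid}: no NAT exclude rule for {pair[0]} -> {pair[1]}")
        if pair not in accepted:
            findings.append(f"peer {peer} tunnel {tid}: firewall {inside_firewall} has no accept rule for {pair[0]} -> {pair[1]}")
    defined = {(t[2], t[3]) for t in cmds
               if t[:2] == ["vpn", "ipsec"] and t[2] in ("ike-group", "esp-group")}
    for t in cmds:   # every group a peer references must exist
        if t[:4] == ["vpn", "ipsec", "site-to-site", "peer"] and t[5] in ("ike-group", "default-esp-group"):
            kind = "esp-group" if t[5] == "default-esp-group" else "ike-group"
            if (kind, t[6]) not in defined:
                findings.append(f"peer {t[4]}: {kind} {t[6]} is not defined")
    for t in cmds:   # proposal lines: vpn ipsec <kind> <name> proposal <n> <key> <value>
        if t[:2] == ["vpn", "ipsec"] and len(t) == 8 and t[4] == "proposal" and (t[6], t[7]) in LEGACY:
            findings.append(f"{t[2]} {t[3]} proposal {t[5]}: {t[6]} {t[7]} is a legacy choice")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the article's configuration the NAT, group and firewall checks all pass, and the only output is the three legacy-parameter notes (sha1 in both proposals and dh-group 2). Deleting the NAT exclude line, or pointing the peer at a group name that was never defined, produces a corresponding finding, which is the kind of mismatch that otherwise only shows up as a tunnel that negotiates but passes no traffic.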

Rick Donato
