Policy-based IPsec tunnel

This is an example of a policy-based IPsec tunnel using site-to-site VPN between two branches and HQ. HQ acts as the IPsec concentrator, so traffic between the branches can also be relayed through HQ.

Sample topology

Sample configuration

To configure a policy-based IPsec tunnel using the GUI:

To configure the IPsec VPN at HQ:
  1. Go to VPN > IPsec Wizard to set up branch 1.
    1. Enter a VPN Name. In this example, to_branch1.
    2. For Template Type, click Custom. Click Next.
    3. Uncheck Enable IPsec Interface Mode. Leaving this unchecked is what makes the tunnel policy-based (traffic is selected by a firewall policy with Action set to IPsec) rather than route-based.
    4. For Remote Gateway, select Static IP Address.
    5. Enter the IP address, in this example 15.1.1.2.
    6. For Interface, select port9.
    7. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
    8. Click OK.
  2. Go to VPN > IPsec Wizard to set up branch 2.
    1. Enter a VPN Name. In this example, to_branch2.
    2. For Template Type, click Custom. Click Next.
    3. Uncheck Enable IPsec Interface Mode.
    4. For Remote Gateway, select Static IP Address.
    5. Enter the IP address, in this example 13.1.1.2.
    6. For Interface, select port9.
    7. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
    8. Click OK.
To configure the IPsec concentrator at HQ:
  1. Go to VPN > IPsec Concentrator and click Create New.
  2. Enter a name. In this example, branch.
  3. Add the Members to_branch1 and to_branch2.
  4. Click OK.
To configure the firewall policy at HQ:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter a policy Name.
  3. For Incoming Interface, select port10.
  4. For Outgoing Interface, select port9.
  5. Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
  6. Select the VPN Tunnel, in this example to_branch1 or to_branch2 (the tunnels created above).
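The same HQ-side configuration expressed in the FortiOS CLI, added here as a worked example; it is not taken from the original page. The pre-shared keys, the subnet objects HQ_LAN, BRANCH1_LAN and BRANCH2_LAN (the topology diagram is not reproduced here, so the prefixes are placeholders), the policy names and the policy IDs are assumptions. The phase 2 stanzas are included because the GUI form creates a phase 2 alongside the phase 1 while the CLI does not; unset phase 2 proposals and selectors fall back to the FortiOS defaults.

```text
# Added example: FortiOS CLI for the HQ side of this configuration.
# Placeholders (not from the page): the PSK values, the subnet objects
# HQ_LAN / BRANCH1_LAN / BRANCH2_LAN, the policy names and policy IDs.

# Phase 1: one tunnel per branch. No interface mode is set, so the
# tunnel is policy-based. Use a distinct, long random PSK per branch.
config vpn ipsec phase1
    edit "to_branch1"
        set interface "port9"
        set remote-gw 15.1.1.2
        set psksecret <long random PSK for branch 1>
    next
    edit "to_branch2"
        set interface "port9"
        set remote-gw 13.1.1.2
        set psksecret <different long random PSK for branch 2>
    next
end

# Phase 2: created automatically by the GUI form, but required in the CLI.
config vpn ipsec phase2
    edit "to_branch1"
        set phase1name "to_branch1"
    next
    edit "to_branch2"
        set phase1name "to_branch2"
    next
end

# Concentrator: lets branch1 <-> branch2 traffic be relayed through HQ.
config vpn ipsec concentrator
    edit 1
        set name "branch"
        set member "to_branch1" "to_branch2"
    next
end

# Address objects so the IPsec policies are scoped to the real subnets
# rather than "all" to "all".
config firewall address
    edit "HQ_LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "BRANCH1_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "BRANCH2_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# One IPsec policy per tunnel. "inbound enable" also admits traffic
# arriving from the tunnel, so no separate reverse policy is needed.
config firewall policy
    edit 1
        set name "hq_to_branch1"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "HQ_LAN"
        set dstaddr "BRANCH1_LAN"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_branch1"
    next
    edit 2
        set name "hq_to_branch2"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "HQ_LAN"
        set dstaddr "BRANCH2_LAN"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_branch2"
    next
end
```

After the branches are configured with matching phase 1 and phase 2 settings and the same PSKs, check that IKE negotiates and that the tunnels carry traffic with `diagnose vpn ike gateway list` and `diagnose vpn tunnel list`. Scoping the policy to specific address objects matters more in policy-based mode than in route-based mode: the policy's source and destination are what decide which traffic is encrypted, so an overly broad policy silently pulls unrelated flows into the tunnel.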