Policy-based IPsec tunnel
This is an example of policy-based IPsec tunnel using site-to-site VPN between branch and HQ. HQ is the IPsec concentrator.
Sample topology
Sample configuration
To configure a policy-based IPsec tunnel using the GUI:
- Configure the IPsec VPN at HQ.
- Configure the IPsec concentrator at HQ.
- Configure the firewall policy at HQ.
- Configure IPsec VPN at branch 1.
- Configure the firewall policy at branch 1.
- Configure IPsec VPN at branch 2.
- Configure the firewall policy at branch 2.
To configure the IPsec VPN at HQ:
- Go to VPN > IPsec Wizard to set up branch 1.
- Enter a VPN Name. In this example, to_branch1.
- For Template Type, click Custom. Click Next.
- Uncheck Enable IPsec Interface Mode.
- For Remote Gateway, select Static IP Address.
- Enter IP address, in this example, 15.1.1.2.
- For Interface, select port9.
- In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
- Click OK.
- Go to VPN > IPsec Wizard to set up branch 2.
- Enter a VPN Name. In this example, to_branch2.
- For Template Type, click Custom. Click Next.
- Uncheck Enable IPsec Interface Mode.
- For Remote Gateway, select Static IP Address.
- Enter IP address, in this example, 13.1.1.2.
- For Interface, select port9.
- In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
- Click OK.
To configure the IPsec concentrator at HQ:
- Go to VPN > IPsec Concentrator and click Create New.
- Enter a name. In this example, branch.
- Add the Members to_branch1 and to_branch2.
- Click OK.
To configure the firewall policy at HQ:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Enter a policy Name.
- For Incoming Interface, select port10.
- For Outgoing Interface, select port9.
- Select the Source, Destination, Schedule, Service, and set Action to IPsec.
- Select the VPN Tunnel, in this example, Branch1/Branch2.
- In this example, enable Allow traffic to be initiated from the remote site.
- Click OK.
To configure IPsec VPN at branch 1:
- Go to VPN > IPsec Wizard to set up branch 1.
- Enter a VPN name. In this example, to_HQ.
- For Template Type, click Custom. Click Next.
- Uncheck Enable IPsec Interface Mode.
- For Remote Gateway, select Static IP Address.
- Enter IP address, in this example, 22.1.1.1.
- For Interface, select wan1.
- In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
- Click OK.
To configure the firewall policy at branch 1:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Enter a policy Name.
- Choose the Incoming Interface, in this example, internal.
- Choose the Outgoing Interface, in this example, wan1.
- Select the Source, Destination, Schedule, Service, and set Action to IPsec.
- Select the VPN Tunnel, in this example, Branch1/Branch2.
- In this example, enable Allow traffic to be initiated from the remote site.
- Click OK.
To configure IPsec VPN at branch 2:
- Go to VPN > IPsec Wizard to set up branch 1.
- Enter a VPN name. In this example, to_HQ.
- For Template Type, click Custom. Click Next.
- Uncheck Enable IPsec Interface Mode.
- For Remote Gateway, select Static IP Address.
- Enter IP address, in this example, 22.1.1.1.
- For Interface, select wan1.
- In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
- Click OK.
To configure the firewall policy at branch 2:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Enter a policy Name.
- Choose the Incoming Interface, in this example, internal.
- Choose the Outgoing Interface, in this example, wan1.
- Select the Source, Destination, Schedule, Service, and set Action to IPsec.
- Select the VPN Tunnel, in this example, to_HQ.
- In this example, enable Allow traffic to be initiated from the remote site.
- Click OK.
To configure a policy-based IPsec tunnel using the CLI:
- Configure the HQ WAN interface and static route.
config system interface edit "port9" set alias "WAN" set ip 22.1.1.1 255.255.255.0 next edit "port10" set alias "Internal" set ip 172.16.101.1 255.255.255.0 next end config router static edit 1 set gateway 22.1.1.2 set device "port9" next end
- Configure the HQ IPsec phase1 and phase2.
config vpn ipsec phase1 edit "to_branch1" set interface "port9" set peertype any set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 15.1.1.2 set psksecret sample next edit "to_branch2" set interface "port9" set peertype any set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 13.1.1.2 set psksecret sample next end config vpn ipsec phase2 edit "to_branch1" set phase1name "to_branch1" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next edit "to_branch2" set phase1name "to_branch2" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end
- Configure the firewall policy at HQ.
config firewall policy edit 1 set srcintf "port10" set dstintf "port9" set srcaddr "all" set dstaddr "10.1.100.0" set action ipsec set schedule "always" set service "ALL" set inbound enable set vpntunnel "to_branch1" next edit 2 set srcintf "port10" set dstintf "port9" set srcaddr "all" set dstaddr "192.168.4.0" set action ipsec set schedule "always" set service "ALL" set inbound enable set vpntunnel "to_branch2" next end
- Configure the IPsec concentrator at HQ.
config vpn ipsec concentrator edit "branch" set member "to_branch1" "to_branch2" next end
- Configure the branch WAN interface and static route.
- For branch 1.
config system interface edit "wan1" set alias "primary_WAN" set ip 15.1.1.2 255.255.255.0 next edit "internal" set ip 10.1.100.1 255.255.255.0 next end config router static edit 1 set gateway 15.1.1.1 set device "wan1" next end
- For branch 2.
config system interface edit "wan1" set alias "primary_WAN" set ip 13.1.1.2 255.255.255.0 next edit "internal" set ip 192.168.4.1 255.255.255.0 next end config router static edit 1 set gateway 13.1.1.1 set device "wan1" next end
- For branch 1.
- Configure the branch IPsec phase1 and phase2.
- For branch 1.
config vpn ipsec phase1 edit "to_HQ" set interface "wan1" set peertype any set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 22.1.1.1 set psksecret sample next end config vpn ipsec phase2 edit "to_HQ" set phase1name "to_HQ" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end
- For branch 2.
config vpn ipsec phase1 edit "to_HQ" set interface "wan1" set peertype any set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 22.1.1.1 set psksecret sample next end config vpn ipsec phase2 edit "to_HQ" set phase1name "to_HQ" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end
- For branch 1.
- Configure the branch firewall policy.
- For branch 1.
config firewall policy edit 1 set srcintf "internal" set dstintf "wan1" set srcaddr "10.1.100.0" set dstaddr "all" set action ipsec set schedule "always" set service "ALL" set inbound enable set vpntunnel "to_HQ" next end
- For branch 2.
config firewall policy edit 1 set srcintf "internal" set dstintf "wan1" set srcaddr "192.168.4.0" set dstaddr "all" set action ipsec set schedule "always" set service "ALL" set inbound enable set vpntunnel "to_HQ" next end
- For branch 1.
To view the IPsec VPN tunnel list at HQ:
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0 ---- name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0 tun_id=15.1.1.2 bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0 stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000680 itn=0 life: type=01 bytes=0/0 timeout=42932/43200 dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8 ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1 ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5 dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354 npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2 ---- name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0 tun_id=13.1.1.2 bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 life: type=01 bytes=0/0 timeout=42931/43200 dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909 ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259 ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0
To view the IPsec VPN concentrator at HQ:
# diagnose vpn concentrator list
list all ipsec concentrator in vd 0 name=branch ref=3 tuns=2 flags=0