Creating the branch side of the IPsec VPN
The IPsec VPN configuration is similar to a normal site-to-site VPN configuration. Wildcard security associations are used for Phase 2 because the BGP routes determine which traffic is sent over the IPsec VPN tunnel.
- Create two Phase 1 configurations, one for each data center. These configurations include:
    - Setting peertype to any.
    - Setting remote-gw to the IP address of the data center.

    config vpn ipsec phase1-interface
        edit "vpn_dc1-1"
            set interface "vlan-3000"
            set peertype any
            set proposal aes256-sha256
            set dhgrp 5
            set remote-gw 172.20.10.10
            set psksecret <password>
        next
        edit "vpn_dc1-2"
            set interface "vlan-3001"
            set peertype any
            set proposal aes256-sha256
            set dhgrp 5
            set remote-gw 172.20.11.10
            set psksecret <password>
        next
    end
- Create two Phase 2 configurations, one for each data center. These configurations include:
    - Disabling pfs and replay.
    - Enabling auto-negotiate so that the VPN tunnel is established automatically.

    config vpn ipsec phase2-interface
        edit "vpn_dc1-1_p2"
            set phase1name "vpn_dc1-1"
            set proposal aes256-sha256
            set pfs disable
            set replay disable
            set auto-negotiate enable
        next
        edit "vpn_dc1-2_p2"
            set phase1name "vpn_dc1-2"
            set proposal aes256-sha256
            set pfs disable
            set replay disable
            set auto-negotiate enable
        next
    end
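To check that a branch FortiGate's Phase 1 and Phase 2 blocks match the settings above, here is an added Python example (not FortiGate code and not part of this guide). It parses the config/edit/set CLI syntax into a dictionary and reports any deviation from the branch design; the sample is constructed from the blocks above, trimmed to one data center with the pre-shared key omitted.

```python
# Added example: audit a FortiOS IPsec fragment against the branch design above.
# SAMPLE is constructed from the page's blocks (one data center, psksecret omitted).
SAMPLE = """config vpn ipsec phase1-interface
    edit "vpn_dc1-1"
        set peertype any
        set remote-gw 172.20.10.10
    next
end
config vpn ipsec phase2-interface
    edit "vpn_dc1-1_p2"
        set phase1name "vpn_dc1-1"
        set pfs disable
        set replay disable
        set auto-negotiate enable
    next
end"""
EXPECT_P1 = {"peertype": "any"}  # accept any peer; BGP routes select the tunnel
EXPECT_P2 = {"pfs": "disable", "replay": "disable", "auto-negotiate": "enable"}

def parse_fortios(text):
    """Return {table: {entry: {key: value}}} from config/edit/set lines."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = line.split() or ["#"]  # treat blank lines as no-ops
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set":
            entry[tok[1]] = " ".join(tok[2:]).strip('"')
    return tables

def _check(name, cfg, expect, findings):
    for key, want in expect.items():
        if cfg.get(key) != want:
            findings.append(f"{name}: {key}={cfg.get(key)!r}, expected {want!r}")

def audit(tables):
    """List deviations from the branch design; an empty list means it matches."""
    p1 = tables.get("vpn ipsec phase1-interface", {})
    p2 = tables.get("vpn ipsec phase2-interface", {})
    findings = []
    for name, cfg in p1.items():
        if "remote-gw" not in cfg:
            findings.append(f"{name}: remote-gw (data center IP) not set")
        _check(name, cfg, EXPECT_P1, findings)
    for name, cfg in p2.items():
        if cfg.get("phase1name") not in p1:
            findings.append(f"{name}: phase1name {cfg.get('phase1name')!r} has no phase1")
        _check(name, cfg, EXPECT_P2, findings)
    return findings
```

Run `audit(parse_fortios(open("branch.conf").read()))` against a real export to list every tunnel whose settings drift from this design.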