Interoperability Profile for Juniper Networks NetScreen 5XP
ScreenOS 3

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

The IKE Phase 2 parameters used in Scenario 1 are:

Steps for setting up the NetScreen 5XP

All commands are given in the web-based UI under ScreenOS version 3. In this document, "Foo->Bar" indicates that you select the "Foo" button on the left side of the window, and in the resulting screen, select the "Bar" tab from the form in the right side of the window.

Define the addresses for the network behind Gateway A. In Address->Trusted, select the New Address link. In the form:
- enter "LAN A" for the address name
- enter "10.5.6.0" for the IP address
- enter "255.255.255.0" for the netmask
- select "Trust" for the location

Define the addresses for the network behind Gateway B. In Address->Untrusted, select the New Address link. In the form:
- enter "LAN B" for the address name
- enter "172.23.9.0" for the IP address
- enter "255.255.255.0" for the netmask
- select "Untrust" for the location

Specify Phase 1 for Gateway B. In VPN->Gateway(P1), select the New Remote Tunnel Gateway link. In the form:
- enter "Gateway B Phase 1" for the gateway name
- select Static IP address for the address type
- enter "22.23.24.25" for the IP address
- choose "Main (ID protection)" for the Mode (Initiator)
- select "pre-g2-3des-sha" for the first Phase 1 proposal
- leave the other Phase 1 proposals set to "none"
- enter "hr5xb84l6aa9r6" for the preshared key

Specify Phase 2 for Gateway B. In VPN->AutoKey(P2), select the New AutoKey IKE Entry link. In the form:
- enter "Gateway B Phase 2" for the gateway name
- select "Gateway B Phase 1" for the remote gateway tunnel
- select "g2-esp-3des-sha" for the Phase 2 proposal
- leave the other Phase 2 proposals set to "none"
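The proposal names chosen in the two steps above encode every Phase 1 and Phase 2 parameter that the peer must agree on. The following is an added example, not part of the interop profile and not ScreenOS code: it decodes proposal names using the layout the names in this profile follow (Phase 1 `<auth>-g<dh>-<cipher>-<hash>`, Phase 2 `g<pfs>-<protocol>-<cipher>-<hash>`, with `nopfs` in place of a group when PFS is off) and reports any field on which the Gateway B side differs, so a mismatch is caught before it shows up as a failed negotiation in the event log. The `AUTH` table, the dataclasses and `compare()` are this example's own constructs.

```python
# Added example: decode ScreenOS-style proposal names and compare the
# local proposal with what the peer is expected to offer.
# Assumed name layout (from the proposals used in this profile):
#   Phase 1  <auth>-g<dh>-<cipher>-<hash>      e.g. pre-g2-3des-sha
#   Phase 2  g<pfs>-<protocol>-<cipher>-<hash> e.g. g2-esp-3des-sha
#            (the "nopfs" prefix is assumed to mean PFS disabled)
from dataclasses import dataclass, asdict
from typing import Optional

# Authentication prefixes assumed for this example.
AUTH = {"pre": "preshared-key", "rsa": "rsa-signature"}


@dataclass(frozen=True)
class Phase1Proposal:
    auth: str
    dh_group: int
    cipher: str
    hash: str


@dataclass(frozen=True)
class Phase2Proposal:
    pfs_group: Optional[int]   # None when the name starts with "nopfs"
    protocol: str              # "esp" or "ah"
    cipher: str
    hash: str


def _group(token: str) -> Optional[int]:
    """Turn "g2" into 2; "nopfs" means no PFS group."""
    if token == "nopfs":
        return None
    if not token.startswith("g") or not token[1:].isdigit():
        raise ValueError(f"unrecognised DH group token {token!r}")
    return int(token[1:])


def parse_phase1(name: str) -> Phase1Proposal:
    parts = name.lower().split("-")
    if len(parts) != 4 or parts[0] not in AUTH:
        raise ValueError(f"not a Phase 1 proposal name: {name!r}")
    auth, group, cipher, hsh = parts
    return Phase1Proposal(AUTH[auth], _group(group), cipher, hsh)


def parse_phase2(name: str) -> Phase2Proposal:
    parts = name.lower().split("-")
    if len(parts) != 4 or parts[1] not in ("esp", "ah"):
        raise ValueError(f"not a Phase 2 proposal name: {name!r}")
    group, proto, cipher, hsh = parts
    return Phase2Proposal(_group(group), proto, cipher, hsh)


def compare(local, peer) -> list:
    """Names of the fields on which the two proposals disagree (empty = match)."""
    a, b = asdict(local), asdict(peer)
    return [k for k in a if a[k] != b[k]]


if __name__ == "__main__":
    # The proposals configured on Gateway A in this scenario.
    p1 = parse_phase1("pre-g2-3des-sha")
    p2 = parse_phase2("g2-esp-3des-sha")
    print(p1, p2)
    # Constructed mismatch: a peer configured with MD5 for Phase 1.
    print(compare(p1, parse_phase1("pre-g2-3des-md5")))
```

Run it once for the local proposal and once for whatever the administrator of Gateway B reports; any non-empty list from `compare()` is a parameter that has to be reconciled before the tunnel will come up.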

Create a new pair of policies to link the two LANs. In Policy->Outgoing, select the New Policy link. In the form:
- enter "LAN B Policy" for the name
- select "LAN A" for the source address
- select "LAN B" for the destination address
- select "ANY" for the service
- choose "Off" for NAT
- select "Tunnel" for the action
- select "Gateway B Phase 2" for the VPN tunnel
- check "Modify matching incoming VPN policy" to create the policy in both directions

These new policies must be above other non-VPN policies (such as the default outgoing policy) in the policy lists. In Policy->Outgoing, click on the double-arrow icon in the first column under Configure for the policy you just created (it will have an icon of a lock with two arrows on it in the Action column). In the dialog box, specify the position for this policy, namely above the policy for "Inside Any" to "Outside Any". If you had any non-VPN policies in Policy->Incoming, you will have to move the new VPN policy above them as well.
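The ordering requirement above matters because policies are evaluated top to bottom and the first match wins: if the broad "Inside Any" to "Outside Any" permit sits above the tunnel policy, traffic from LAN A to LAN B is forwarded in the clear rather than through the tunnel. The following is an added example, not part of the interop profile and not ScreenOS code; it models first-match evaluation over a small policy list and includes a `check_shadowing()` function that flags a tunnel policy sitting below a broader non-tunnel policy. The `Policy` class, `first_match()`, `check_shadowing()` and the representation of "Inside Any"/"Outside Any" as 0.0.0.0/0 are this example's own simplifications (zones are not modelled).

```python
# Added example: first-match policy evaluation and a shadowing check
# for the "tunnel policy below the default permit" mistake.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str       # "ANY" or a named service such as "http"
    action: str        # "permit", "deny" or "tunnel"
    tunnel: str = ""   # VPN tunnel name when action == "tunnel"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.service in ("ANY", service))


def first_match(policies, src_ip, dst_ip, service):
    """Return the first matching policy (top to bottom), or None if no policy matches."""
    for p in policies:
        if p.matches(src_ip, dst_ip, service):
            return p
    return None


def check_shadowing(policies) -> list:
    """Report tunnel policies that a broader non-tunnel policy above them would catch first.

    A shadowed tunnel policy never sees the traffic it was written for, so
    that traffic leaves without IPsec protection.
    """
    findings = []
    for i, p in enumerate(policies):
        if p.action != "tunnel":
            continue
        for above in policies[:i]:
            if (above.action != "tunnel"
                    and p.src.subnet_of(above.src)
                    and p.dst.subnet_of(above.dst)
                    and above.service in ("ANY", p.service)):
                findings.append(f"{p.name} is shadowed by {above.name}")
    return findings


NET = ipaddress.ip_network
# Default outgoing policy, approximated as any-to-any permit (assumption: zones not modelled).
DEFAULT_OUT = Policy("Inside Any -> Outside Any", NET("0.0.0.0/0"), NET("0.0.0.0/0"),
                     "ANY", "permit")
# The tunnel policy created in the steps above.
LAN_B = Policy("LAN B Policy", NET("10.5.6.0/24"), NET("172.23.9.0/24"),
               "ANY", "tunnel", "Gateway B Phase 2")

WRONG_ORDER = [DEFAULT_OUT, LAN_B]   # tunnel policy left below the default
RIGHT_ORDER = [LAN_B, DEFAULT_OUT]   # tunnel policy moved above it

if __name__ == "__main__":
    # Constructed sample flow from a host on LAN A to a host on LAN B.
    for order in (WRONG_ORDER, RIGHT_ORDER):
        hit = first_match(order, "10.5.6.20", "172.23.9.7", "http")
        print([p.name for p in order], "->", hit.name, hit.action, hit.tunnel)
        print("shadowing:", check_shadowing(order))
```

Running it shows the same LAN A to LAN B flow hitting the plain permit in the wrong order and the tunnel policy in the right one; `check_shadowing()` returns the misordering as a finding only for the wrong order. The same check applies to the incoming list if any non-VPN policies were present there.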

To view the IPsec connections made, look at the entries in Log->Event Log. To debug connections, telnet to the system's command line interface (CLI) and give the "debug ike detail" command during IKE negotiations.