Interoperability Profile for Juniper Networks NetScreen 5XP
ScreenOS 4

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

The IKE Phase 2 parameters used in Scenario 1 are:

Steps for setting up the NetScreen 5XP

All commands are given in the web-based UI under ScreenOS version 4. In this document, "Foo->Bar" indicates that you select the "Bar" submenu under the "Foo" menu on the left side of the window.

Define the addresses for the network behind Gateway A. In Objects->Policy->Policy Elements->List, choose "Trust" from the drop-down list near the upper left of the screen. Click the New button. In the form:
- enter "LAN A" for the address name
- enter "10.5.6.0" for the IP address
- enter "24" for the netmask
- select "Trust" for the zone

Define the addresses for the network behind Gateway B. In Objects->Addresses->List, choose "Untrust" from the drop-down list near the upper left of the screen. Click the New button. In the form:
- enter "LAN B" for the address name
- enter "172.23.9.0" for the IP address
- enter "24" for the netmask
- select "Untrust" for the zone

Specify Phase 1 for Gateway B. In VPNs->AutoKey Advanced->Gateway, click the New button. In the form:
- enter "Gateway B Phase 1" for the VPN name
- select "Custom" for the security level (this will be configured below)
- select "Static IP address" for the address type
- enter "22.23.24.25" for the IP address
- enter "hr5xb84l6aa9r6" for the preshared key
- set the Outgoing Interface to "Untrust"
- click the "Advanced" button. In the form:
- select "Custom" under "User Defined" for the security level
- select "pre-g2-3des-sha" for the first Phase 1 proposal
- choose "Main (ID protection)" for the Mode (Initiator)
- Click the Return button, then the OK button

Specify Phase 2 for Gateway B. In VPNs->AutoKey IKE, click the New button. In the form:
- enter "Gateway B Phase 2" for the VPN name
- select "Custom" for the security level (this will be configured below)
- select "Predefined" and "Gateway B Phase 1" for the remote gateway
- click the "Advanced" button. In the form:
- select "Custom" under "User Defined" for the security level
- select "g2-esp-3des-sha" for the Phase 2 proposal
- Click the Return button, then the OK button

Create a new pair of policies to link the two LANs. In Policy:
- select "Trust" in the "From" drop-down list
- select "Untrust" in the "To" drop-down list
- click the New button. In the form:
- enter "LAN B Policy" for the name
- select "LAN A" from the Address Book for the source address
- select "LAN B" from the Address Book for the destination address
- select "ANY" for the service
- choose "Off" for NAT
- select "Tunnel" for the action
- select "Gateway B Phase 2" for the VPN tunnel
- check "Modify matching bidirectional VPN policy" to create the policy in both directions

These new policies must be above other non-VPN policies (such as the default outgoing policy) in the policy lists. In Policy, click on the double-arrow icon in the first column under Configure for the policy you just created (it will have an icon of a lock with two arrows on it in the Action column). In the dialog box, specify the position for this policy, namely above the policy for "Inside Any" to "Outside Any". If you had any non-VPN policies in Policy->Incoming, you will have to move the new VPN policy above them as well.
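The ordering requirement above matters because the policy list is evaluated top-down and the first match wins: if the default "Inside Any" to "Outside Any" permit sits above the tunnel policy, LAN A to LAN B traffic is forwarded in the clear instead of through the VPN. The following is an added example, not part of the original profile, that models that first-match lookup for Scenario 1's addresses and checks a policy list for tunnel policies shadowed by a broader non-tunnel policy (the Policy class, the policy names and the CIDR-only matching are simplifications assumed for the example).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    action: str   # "tunnel" (IPsec) or "permit" (clear text)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def first_match(policies, src_ip, dst_ip):
    """Top-down, first-match evaluation as ScreenOS applies its policy list.
    Returns the winning Policy or None when nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in _net(p.src) and d in _net(p.dst):
            return p
    return None


def shadowed_tunnel_policies(policies):
    """Return (tunnel policy, shadowing policy) name pairs for every tunnel
    policy placed below a non-tunnel policy that already covers its traffic.
    Any hit means that traffic would leave the gateway unencrypted."""
    shadowed = []
    for i, p in enumerate(policies):
        if p.action != "tunnel":
            continue
        for q in policies[:i]:
            if (q.action != "tunnel"
                    and _net(p.src).subnet_of(_net(q.src))
                    and _net(p.dst).subnet_of(_net(q.dst))):
                shadowed.append((p.name, q.name))
                break
    return shadowed


# Constructed sample: the Scenario 1 tunnel policy and the default outgoing policy.
LAN_B_POLICY = Policy("LAN B Policy", "10.5.6.0/24", "172.23.9.0/24", "tunnel")
DEFAULT_OUT = Policy("Inside Any to Outside Any", "0.0.0.0/0", "0.0.0.0/0", "permit")

WRONG_ORDER = [DEFAULT_OUT, LAN_B_POLICY]   # tunnel policy left below the default
RIGHT_ORDER = [LAN_B_POLICY, DEFAULT_OUT]   # tunnel policy moved to the top

if __name__ == "__main__":
    for label, plist in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        hit = first_match(plist, "10.5.6.20", "172.23.9.30")
        print(label, "order: LAN A -> LAN B hits", hit.name, "/", hit.action,
              "; shadowed:", shadowed_tunnel_policies(plist))
```

Run it after building the policy list from your own configuration; an empty result from shadowed_tunnel_policies is the condition the paragraph above asks you to reach by moving the VPN policy up.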

To view the IPsec connections made, look at the entries in Log->Event Log. To debug connections, telnet to the system's command line interface (CLI) and give the "debug ike detail" command during IKE negotiations.