RetiEdge E Series Interoperability Profile

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
     |                                                          |
   --|                                                          |--
     |     +-----------+     /-^-^-^-^--\     +-----------+     |
     |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
     |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
   --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
     |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

The IKE Phase 2 parameters used in Scenario 1 are:

Configuring the RetiEdge E Series Appliance

In its default setting, the RetiEdge provides a WebUI that is accessible via the "Management" port with the URL "https://172.16.0.1".

The following configuration steps are for the WebUI under Release 4.1 of the RetiEdge E Series. Foo > Bar indicates that you select the Bar submenu under the Foo menu on the left side of the window. The configuration is for Gateway A; Gateway B can be configured in a similar way.

Configuring the interfaces

Network > Interface

In the right window, select PORT1, which is predefined as a LAN interface and has a default IP address of 192.168.0.1. Double-click on the address and an Interface page will show up. Enter 10.5.6.1 and 255.255.255.0 for the IP Address and Netmask fields, respectively, and click OK.

Next, select PORT2, which is predefined as a WAN interface. Click "Create New", and enter 14.15.16.17, 255.255.255.0, and 14.15.16.1 for the IP Address, Netmask, and Gateway fields, respectively, and click OK.

Configuring IPsec VPN

Policy > VPN > IPSEC

In the Policy page, click the Add button and an "IPSEC Policy" page will show up. Give a name to the policy, and enter the key hr5xb84l6aa9r6 for the preshared key method.

In the Gateway section, enter 14.15.16.17 and 22.23.24.25 for the local and remote endpoints, respectively. In the Traffic Selector section, enter 10.5.6.0/255.255.255.0 and 172.23.9.0/255.255.255.0 for the local and remote subnet/netmask, respectively.

Next, click the "Advanced" button, and a detailed configuration page will appear. In the IKE section, select "Secure Mode" for the Exchange Mode field, and enter 480 (minutes) for "IKE SA Lifetime". In the IPSEC section, enter 60 (minutes) for "SA Lifetime". Click OK to commit the change.

Configuring the firewall rules

The firewall blocks anything not explicitly allowed. To allow VPN traffic between the two subnets, firewall rules need to be configured to let the traffic pass.

Policy > Alias > Address

In the Custom page, click the Add button to create two address aliases (named Net10 and Net172) for the two subnets 10.5.6.0/255.255.255.0 and 172.23.9.0/255.255.255.0.

Policy > Rule > Access

In the Firewall page, create two firewall rules to allow traffic going between the two subnets.

The rule for traffic initiated from Net10 to Net172 can be configured as follows:
- select Net10 for Source IP, Net172 for Destination IP
- select PORT1 for Inbound Port
- select Accept for Action

The rule for traffic initiated from Net172 to Net10 can be configured as follows:
- select Net172 for Source IP, Net10 for Destination IP
- select PORT2 for Inbound Port
- select Accept for Action

In the "Management Privilege Access" page, create a firewall rule to allow IKE and ESP traffic destined for the RetiEdge appliance.
- select IPSEC for Service
- select PORT2 for Inbound Port
- select Accept for Action
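The IPsec policy above and the three firewall rules are the places where a gateway-to-gateway setup usually goes wrong: a selector or endpoint typed differently on the two ends, a config copied to Gateway B without swapping local and remote, or the management rule for IKE/ESP forgotten. The following Python script is an added example, not RetiEdge code or tooling: it models the Scenario 1 values as they are entered in the WebUI, derives Gateway B's policy by mirroring Gateway A's, and reports mismatches before you look at the logs. The `IpsecPolicy`/`FirewallRule` classes, the `audit` function and the 12-character key-length threshold are assumptions of this example; the one-digit slip in `GATEWAY_A_TYPO` is constructed to show what the check catches.

```python
"""Consistency checks for the Scenario 1 gateway-to-gateway policy (hypothetical helper)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IpsecPolicy:
    """Fields of the IPSEC Policy page, in the form the WebUI accepts."""
    name: str
    local_endpoint: str          # Gateway section, local end point
    remote_endpoint: str         # Gateway section, remote end point
    local_subnet: str            # Traffic Selector, "net/netmask"
    remote_subnet: str
    preshared_key: str
    ike_sa_lifetime_min: int     # Advanced > IKE > IKE SA Lifetime
    ipsec_sa_lifetime_min: int   # Advanced > IPSEC > SA Lifetime


@dataclass(frozen=True)
class FirewallRule:
    """One Access rule or Management Privilege Access rule."""
    inbound_port: str
    action: str
    source: str = "any"          # alias name, or "any"
    destination: str = "any"
    service: str = "any"


def net(text: str) -> ipaddress.IPv4Network:
    # ip_network accepts both "10.5.6.0/24" and the WebUI's "10.5.6.0/255.255.255.0"
    return ipaddress.ip_network(text, strict=True)


def mirror_policy(a: IpsecPolicy, name: str) -> IpsecPolicy:
    """Gateway B's policy: endpoints and selectors swap, key and lifetimes stay."""
    return replace(a, name=name,
                   local_endpoint=a.remote_endpoint, remote_endpoint=a.local_endpoint,
                   local_subnet=a.remote_subnet, remote_subnet=a.local_subnet)


def check_policy(p: IpsecPolicy, local_lan: str, remote_lan: str) -> list[str]:
    """Problems in one gateway's policy, checked against the LANs it really serves."""
    problems = []
    if net(p.local_subnet) != net(local_lan):
        problems.append(f"{p.name}: local selector {p.local_subnet} is not the local LAN {local_lan}")
    if net(p.remote_subnet) != net(remote_lan):
        problems.append(f"{p.name}: remote selector {p.remote_subnet} is not the remote LAN {remote_lan}")
    if net(p.local_subnet).overlaps(net(p.remote_subnet)):
        problems.append(f"{p.name}: local and remote selectors overlap")
    if p.ike_sa_lifetime_min < p.ipsec_sa_lifetime_min:
        problems.append(f"{p.name}: IKE SA lifetime shorter than IPsec SA lifetime")
    if len(p.preshared_key) < 12:   # assumed local minimum, not a RetiEdge requirement
        problems.append(f"{p.name}: preshared key shorter than 12 characters")
    return problems


def check_pair(a: IpsecPolicy, b: IpsecPolicy) -> list[str]:
    """Both ends must agree on everything the peer compares during negotiation."""
    problems = []
    if (a.local_endpoint, a.remote_endpoint) != (b.remote_endpoint, b.local_endpoint):
        problems.append("gateway endpoints do not cross-match")
    if (net(a.local_subnet), net(a.remote_subnet)) != (net(b.remote_subnet), net(b.local_subnet)):
        problems.append("traffic selectors do not cross-match")
    if a.preshared_key != b.preshared_key:
        problems.append("preshared keys differ")
    if (a.ike_sa_lifetime_min, a.ipsec_sa_lifetime_min) != (b.ike_sa_lifetime_min, b.ipsec_sa_lifetime_min):
        problems.append("SA lifetimes differ")
    return problems


def check_firewall(rules: list[FirewallRule], lan_alias: str, remote_alias: str,
                   lan_port: str, wan_port: str) -> list[str]:
    """The three rules the page asks for: LAN->remote in on the LAN port,
    remote->LAN in on the WAN port, and IKE/ESP (service IPSEC) to the box on the WAN port."""
    def allows(src, dst, port, service="any"):
        return any(r.action == "Accept" and r.source == src and r.destination == dst
                   and r.inbound_port == port and r.service == service for r in rules)
    problems = []
    if not allows(lan_alias, remote_alias, lan_port):
        problems.append(f"no Accept rule {lan_alias}->{remote_alias} inbound on {lan_port}")
    if not allows(remote_alias, lan_alias, wan_port):
        problems.append(f"no Accept rule {remote_alias}->{lan_alias} inbound on {wan_port}")
    if not allows("any", "any", wan_port, service="IPSEC"):
        problems.append(f"no management rule accepting IPSEC inbound on {wan_port}")
    return problems


# Scenario 1 as entered on Gateway A (values from the page)
GATEWAY_A = IpsecPolicy("toB", "14.15.16.17", "22.23.24.25",
                        "10.5.6.0/255.255.255.0", "172.23.9.0/255.255.255.0",
                        "hr5xb84l6aa9r6", 480, 60)
# Constructed one-digit slip in the remote selector, to show what the check catches
GATEWAY_A_TYPO = replace(GATEWAY_A, remote_subnet="17.23.9.0/255.255.255.0")
GATEWAY_B = mirror_policy(GATEWAY_A, "toA")
RULES_A = [
    FirewallRule("PORT1", "Accept", source="Net10", destination="Net172"),
    FirewallRule("PORT2", "Accept", source="Net172", destination="Net10"),
    FirewallRule("PORT2", "Accept", service="IPSEC"),
]


def audit(policy: IpsecPolicy = GATEWAY_A, rules: list[FirewallRule] = RULES_A) -> list[str]:
    """All checks for Gateway A against the Scenario 1 LANs, ports and a mirrored Gateway B."""
    return (check_policy(policy, "10.5.6.0/24", "172.23.9.0/24")
            + check_pair(policy, GATEWAY_B)
            + check_firewall(rules, "Net10", "Net172", "PORT1", "PORT2"))


if __name__ == "__main__":
    for label, pol in (("as documented", GATEWAY_A), ("with selector typo", GATEWAY_A_TYPO)):
        print(label, "->", audit(pol) or "OK")
```

`check_pair(GATEWAY_A, GATEWAY_A)` is the test for the other common slip, copying Gateway A's policy to Gateway B unchanged: it reports both the endpoints and the selectors as not cross-matching, which is exactly what a Phase 2 selector mismatch in the VPN log will later tell you in less direct terms.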

Diagnostics

To view tunnel status, go to Policy > VPN > IPSEC, and click "Status" in the right window.

To diagnose negotiation problems, go to System > Log, and click "VPN" in the right window to check the VPN logs. To get more detailed logs, go to System > Maintenance, and in the Log page, change the VPN log level to DEBUG or higher. Then redo the negotiation.