sims
Explorer II
June 27, 2019
Question

ipsec vpn


Hi,

HO - BR, call manager in head office.

The ip of the phone is 10.0.2.0/24

call manager ip is 10.0.2.10

Please help me to create a site to site VPN so the phone can be registered.

Thanks

    Grave_Rose
    New Member
    June 27, 2019

    Hi sims,

    An IPSEC VPN tunnel consists of two parts: Phase-1 and Phase-2. I like to call them the "Are we allowed to talk" phase and the "What are we talking about" phase. :) Here's what you'll need to know... Maybe put this in a checklist if you're not very proficient at IPSEC VPNs. These are the basics but should get you going.

    Phase-1
    - Encryption (AES-256, 3DES, etc.)
    - Hashing (SHA-1, MD5, etc.)
    - Authentication (can be a pre-shared key [PSK] or certificates [PKI])
    - Identity (usually IP address but can be hostname)
    - IKE version (1 or 2)
    - Diffie-Hellman Group
    - Lifetime

    Phase-2
    - Encryption (can be the same as or different from Phase-1)
    - Hashing (can be the same as or different from Phase-1)
    - Encryption Domains (these are the networks you want to have talk to each other. If Site-A is offering 10.20.30.0/24 and Site-B is offering 192.168.0.0/16, make sure they match on both sides)
    - Lifetime
    - Perfect Forward Secrecy (optional but will require another Diffie-Hellman Group)

    All items on each side must match or else the VPN won't establish. Go into your 'Gate and configure a custom tunnel. For Site-A, your local will be 10.20.30.0/24 and your remote will be 192.168.0.0/16. You will reverse this on the other device you're configuring.


    Create a Static Route to point the remote network (192.168.0.0/16) to use the VPN tunnel interface. Lastly, create your firewall policies like this:

    SourceInt: Internal
    DestinationInt: VPN-Interface
    Source: 10.20.30.0/24
    Destination: 192.168.0.0/16
    Service: Whatever you want
    Action: Accept
    NAT: None
    Log: All

    If you want traffic to be initiated from the remote site, create another rule but swap the Interfaces and the Source/Destination networks.

    Go into Monitor->IPSEC Monitor and bring the tunnels up.

    Hope this helps,

    Sean (Gr@ve_Rose)
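As an added example (not part of the reply above and not FortiGate code), a small Python checker that applies the reply's checklist before you try to bring a tunnel up: it compares the Phase-1 and Phase-2 parameters of two site definitions, confirms the encryption domains are mirror images, and flags legacy algorithms even when both ends agree on them. The Phase1/Phase2/Site types, their field names and the two sample sites are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
LEGACY = {"des", "3des", "md5", "sha1"}  # still negotiable on many gateways; flag them

@dataclass(frozen=True)
class Phase1:
    encryption: str
    hashing: str
    auth: str           # "psk" or "pki"
    ike_version: int
    dh_group: int
    lifetime: int       # seconds

@dataclass(frozen=True)
class Phase2:
    encryption: str
    hashing: str
    local_net: str      # this site's encryption domain
    remote_net: str     # the peer's encryption domain
    lifetime: int       # seconds
    pfs_group: int = 0  # DH group used for PFS; 0 means PFS disabled

Site = namedtuple("Site", "name p1 p2")  # constructed: one end of the tunnel
def check_pair(a, b):
    """Findings for a tunnel between sites a and b; an empty list means the ends line up."""
    out = []
    # Phase-1: every parameter must be identical on both ends.
    for f in ("encryption", "hashing", "auth", "ike_version", "dh_group", "lifetime"):
        va, vb = getattr(a.p1, f), getattr(b.p1, f)
        if va != vb:
            out.append(f"phase1 {f}: {a.name}={va} {b.name}={vb}")
    # Phase-2: algorithms, lifetime and PFS group must match as well...
    for f in ("encryption", "hashing", "lifetime", "pfs_group"):
        va, vb = getattr(a.p2, f), getattr(b.p2, f)
        if va != vb:
            out.append(f"phase2 {f}: {a.name}={va} {b.name}={vb}")
    # ...while the encryption domains must be mirror images of each other.
    if a.p2.local_net != b.p2.remote_net or a.p2.remote_net != b.p2.local_net:
        out.append(f"phase2 encryption domains not mirrored between {a.name} and {b.name}")
    for s in (a, b):  # agreement is not enough: warn on legacy algorithms too
        for alg in (s.p1.encryption, s.p1.hashing, s.p2.encryption, s.p2.hashing):
            if alg.lower() in LEGACY:
                out.append(f"legacy algorithm {alg} configured at {s.name}")
    return out
# Constructed sample: the two ends of the tunnel described in the reply above.
SITE_A = Site("Site-A", Phase1("aes256", "sha256", "psk", 2, 14, 86400),
              Phase2("aes256", "sha256", "10.20.30.0/24", "192.168.0.0/16", 3600, 14))
SITE_B = Site("Site-B", Phase1("aes256", "sha256", "psk", 2, 14, 86400),
              Phase2("aes256", "sha256", "192.168.0.0/16", "10.20.30.0/24", 3600, 14))
```

Run `check_pair(SITE_A, SITE_B)` on both ends' exported settings before touching the IPSEC Monitor; any non-empty result names the exact item to fix.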