Creating a site-to-site IPsec VPN

We want to create and deploy an IPsec VPN between the head office and a branch office. We use a preshared key for authentication.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Configure the head office IPsec VPN. This includes defining LANs, adding an IPsec connection, editing a firewall rule, and creating a firewall rule.
  • Configure the branch office IPsec VPN.
  • Check connectivity.

Define LANs at the head office

We create hosts for the head office and branch office networks at the head office.

  1. Go to Hosts and services > IP host and click Add.
  2. Create a host for the head office LAN.
  3. Click Save.
  4. Click Add.
  5. Create a host for the branch LAN.
  6. Click Save.

Add an IPsec connection at the head office

We create and activate an IPsec connection at the head office. The connection specifies endpoint details, network details, and a preshared key.

  1. Go to VPN > IPsec connections and click Add.
  2. Specify the general settings:

    We want to create a firewall rule for the connection, so we enable Create firewall rule.

  3. Specify encryption settings.
    Note: Make a note of the preshared key. You will need it later when you configure the branch office connection.
  4. Specify local gateway settings.
  5. Specify remote gateway settings.
    We want the connection to be able to connect to any interface at the remote gateway, so we specify a wildcard (*).
  6. Click Save.
    The connection appears in the list of IPsec connections.
  7. Click the status indicator to activate the connection.

Edit the firewall rule

We edit the firewall rule that we created when we created the IPsec connection. This rule applies to outbound VPN traffic.

  1. Go to Firewall and click the “IPsec HQ to Branch” rule.
  2. Change the name of the rule and specify settings.
  3. Click Save.

Add a firewall rule

We create a rule for inbound VPN traffic.

  1. Click + Add firewall rule > User/Network rule.
  2. Specify the settings.
    Option                        Description
    Rule name                     Inbound VPN traffic
    Source zones                  VPN
    Source networks and devices   Branch_LAN
    Destination zones             LAN
    Destination networks          HQ_LAN
  3. Click Save.

Define LANs at the branch office

We create hosts for the branch office and head office networks at the branch office.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify local LAN settings.
    Option       Description
    Name         Branch_LAN
    Type         Network
    IP address   192.168.3.0
  3. Specify remote LAN settings.
    Option       Description
    Name         HQ_LAN
    Type         Network
    IP address   192.168.2.0

Add an IPsec connection at the branch office

We create and activate an IPsec connection at the branch office.

  1. Go to VPN > IPsec connections and click Add.
  2. Specify the general settings:
    Option                 Description
    Name                   Branch_to_HQ
    Connection type        Site-to-Site
    Gateway type           Initiate
    Create firewall rule   Enabled
  3. Specify encryption settings.
    Option                Description
    Policy                DefaultBranchOffice
    Authentication type   Preshared key
  4. Type and confirm the preshared key.
    Note: Make sure to use the same preshared key as in the head office.
  5. Specify local gateway settings.
    Option                Description
    Listening interface   Port1 – 10.118.96.115
    Local subnet          Branch_LAN
  6. Specify remote gateway settings.
    Option            Description
    Gateway address   *
    Remote ID         IP address – 10.118.96.91
    Remote subnet     HQ_LAN
  7. Click Save.
    The connection appears in the list of IPsec connections.
  8. Click the status indicator to activate the connection.

Edit the firewall rule

We edit the firewall rule that we created when we created the IPsec connection. This rule applies to outbound VPN traffic.

  1. Go to Firewall and click the “IPsec Branch to HQ” rule.
  2. Specify the settings.
    Option                        Description
    Rule name                     Outbound VPN traffic
    Source zones                  LAN
    Source networks and devices   Branch_LAN
    Destination zones             VPN
    Destination networks          HQ_LAN
  3. Click Save.

Add a firewall rule

We create a rule for inbound VPN traffic.

  1. Click + Add firewall rule > User/Network rule.
  2. Specify the settings.
    Option                        Description
    Rule name                     Inbound VPN traffic
    Source zones                  VPN
    Source networks and devices   HQ_LAN
    Destination zones             LAN
    Destination networks          Branch_LAN
  3. Click Save.

Check connectivity

We check the connectivity from the head office to the branch office and vice versa.

  • From the head office, check that you can ping the branch office.
    On Windows, start a command prompt and type ping 192.168.3.0.
  • From the branch office, check that you can ping the head office.
    On Windows, start a command prompt and type ping 192.168.2.0.
  • From the head office, click Firewall and view traffic.
  • From the branch office, click Firewall and view traffic.

Head and branch office configuration

In a head and branch office configuration, the firewall at the branch office usually acts as the tunnel initiator and the firewall at the head office as the responder, for the following reasons:
  • When the branch office device is configured with a dynamic IP address, the head office device cannot initiate the connection.
  • Because the number of branch offices varies, it is recommended that each branch office retry the connection instead of the head office retrying all connections to branch offices.
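
The two sides of this procedure must mirror each other: same preshared key, swapped local and remote subnets, one initiator and one responder, and an outbound and an inbound rule on each firewall. The following check is an added example, not part of the original page or of the firewall's own tooling, and the dictionary layout is hypothetical. It assumes a /24 prefix for both LANs, a placeholder key, and a head office gateway type of "Respond only"; the page gives none of these.

```python
import ipaddress

HQ_LAN, BRANCH_LAN = "192.168.2.0/24", "192.168.3.0/24"  # /24 prefix is assumed

def site(name, gateway_type, local, remote, psk):
    """One side of the tunnel, with the outbound and inbound rules from the page."""
    return {
        "name": name, "gateway_type": gateway_type, "psk": psk,
        "local": local, "remote": remote,
        # (source zone, source network, destination zone, destination network)
        "rules": {("LAN", local, "VPN", remote), ("VPN", remote, "LAN", local)},
    }

def check_pair(a, b):
    """Return a list of mismatches between the two site definitions."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    if sorted([a["gateway_type"], b["gateway_type"]]) != ["Initiate", "Respond only"]:
        problems.append("need one initiator and one responder")
    for x, y in ((a, b), (b, a)):
        local = ipaddress.ip_network(x["local"])
        remote = ipaddress.ip_network(x["remote"])
        if local != ipaddress.ip_network(y["remote"]):
            problems.append(f"{x['name']}: local subnet is not {y['name']}'s remote subnet")
        if local.overlaps(remote):
            problems.append(f"{x['name']}: local and remote subnets overlap")
        wanted = {"outbound": ("LAN", x["local"], "VPN", x["remote"]),
                  "inbound": ("VPN", x["remote"], "LAN", x["local"])}
        for label, rule in wanted.items():
            if rule not in x["rules"]:
                problems.append(f"{x['name']}: {label} VPN rule missing")
    return problems

# Constructed values: the key is a placeholder, the head office side is inferred.
PSK = "placeholder-preshared-key"
hq = site("HQ", "Respond only", HQ_LAN, BRANCH_LAN, PSK)
branch = site("Branch", "Initiate", BRANCH_LAN, HQ_LAN, PSK)

if __name__ == "__main__":
    print(check_pair(hq, branch) or "definitions mirror each other")
```

An empty list means the two definitions are consistent; each string in a non-empty list names the side and the setting to recheck in the web admin console.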