Creating a site-to-site IPsec VPN
We want to create and deploy an IPsec VPN between the head office and a branch office. We use a preshared key for authentication. The same key must be entered on both devices; use a long random string and a different key for each branch.
Objectives
When you complete this unit, you’ll know how to do the following:
- Configure the head office IPsec VPN. This includes defining LANs, adding an IPsec connection, editing a firewall rule, and creating a firewall rule.
- Configure the branch office IPsec VPN.
- Check connectivity.
Define LANs at the head office
We create hosts for the head office and branch office networks at the head office.
Add an IPsec connection at the head office
We create and activate an IPsec connection at the head office. The connection specifies endpoint details, network details, and a preshared key.
Edit the firewall rule
We edit the firewall rule that we created when we created the IPsec connection. This rule applies to outbound VPN traffic.
Add a firewall rule
We create a rule for inbound VPN traffic.
Define LANs at the branch office
We create hosts for the branch office and head office networks at the branch office.
- Go to the IP host list and click Add.
- Specify local LAN settings.

  Option       Description
  Name         Branch_LAN
  Type         Network
  IP address   192.168.3.0

- Specify remote LAN settings.

  Option       Description
  Name         HQ_LAN
  Type         Network
  IP address   192.168.2.0
Add an IPsec connection at the branch office
We create and activate an IPsec connection at the branch office.
Edit the firewall rule
We edit the firewall rule that we created when we created the IPsec connection. This rule applies to outbound VPN traffic.
- Go to Firewall and click the “IPsec Branch to HQ” rule.
- Specify the settings.

  Option                         Description
  Rule name                      Outbound VPN traffic
  Source zones                   LAN
  Source networks and devices    Branch_LAN
  Destination zones              VPN
  Destination networks           HQ_LAN

- Click Save.
Add a firewall rule
We create a rule for inbound VPN traffic.
Check connectivity
We check the connectivity from the head office to the branch office and vice versa.
Head and branch office configuration
- When the branch office device has a dynamic IP address, the head office device cannot initiate the connection, because it does not know which address to connect to. Set the branch office to initiate the connection and the head office to respond only.
- Because the number of branch offices varies, we recommend that each branch office retries its own connection rather than having the head office retry every connection to all of its branch offices.
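The two configurations above only work when they are exact mirror images of each other: the branch office's local network is the head office's remote network, the preshared key is identical, each side's remote gateway is the other side's public address, and each device has both an outbound (LAN to VPN) and an inbound (VPN to LAN) firewall rule covering the pair of networks. Before checking connectivity it is worth verifying this on paper. The following script is an added example, not the vendor's code or API; it models the settings entered on both firewalls as data and reports mismatches, including the dynamic-address case from the notes above. The IP host names, zone names and rule names are the ones from the procedure; the /24 masks, the head office public address 203.0.113.10 and the preshared key are assumed placeholders.

```python
"""Offline consistency checks for a site-to-site IPsec VPN with a preshared key.
Added example: models the settings typed into both firewalls and flags the
mistakes that most often leave the tunnel down or half-open."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP host objects of type "Network" as defined on both devices.
# The /24 masks are an assumption; the procedure only gives the network addresses.
HOSTS = {
    "HQ_LAN": ipaddress.ip_network("192.168.2.0/24"),
    "Branch_LAN": ipaddress.ip_network("192.168.3.0/24"),
}


@dataclass(frozen=True)
class IPsecConnection:
    device: str                   # firewall the connection is defined on
    local_gateway: Optional[str]  # public address of this device; None = dynamic
    remote_gateway: Optional[str] # address of the peer; None if the peer is dynamic
    local_networks: tuple         # IP host names
    remote_networks: tuple
    psk: str
    initiator: bool               # True = initiate the connection, False = respond only


@dataclass(frozen=True)
class FirewallRule:
    name: str
    source_zone: str
    dest_zone: str
    source_networks: tuple
    dest_networks: tuple


def check_tunnel(a, b):
    """Return a list of problems found between the two ends; empty means they agree."""
    problems = []
    if a.psk != b.psk:
        problems.append("preshared keys differ")
    if len(a.psk) < 20:
        problems.append("preshared key is short; use a long random string")
    if (set(a.local_networks) != set(b.remote_networks)
            or set(a.remote_networks) != set(b.local_networks)):
        problems.append("local/remote networks are not mirror images")
    # Overlapping subnets cannot be routed into the tunnel.
    for name in a.local_networks:
        for other in a.remote_networks:
            if HOSTS[name].overlaps(HOSTS[other]):
                problems.append(f"{name} overlaps {other}")
    for side, peer in ((a, b), (b, a)):
        if peer.local_gateway is not None and side.remote_gateway != peer.local_gateway:
            problems.append(f"{side.device}: remote gateway does not match {peer.device}'s address")
        # A device with a dynamic address cannot be dialled, so only it may initiate.
        if side.initiator and peer.local_gateway is None:
            problems.append(f"{side.device} cannot initiate: {peer.device} has a dynamic address")
    if not (a.initiator or b.initiator):
        problems.append("neither side initiates the connection")
    return problems


def rule_matches(rule, src_zone, dst_zone, src_ip, dst_ip):
    return (rule.source_zone == src_zone and rule.dest_zone == dst_zone
            and any(src_ip in HOSTS[n] for n in rule.source_networks)
            and any(dst_ip in HOSTS[n] for n in rule.dest_networks))


def check_rules(conn, rules):
    """Each device needs an outbound (LAN -> VPN) and an inbound (VPN -> LAN) rule
    for every local/remote network pair. Probes with the first host of each subnet."""
    missing = []
    for local in conn.local_networks:
        for remote in conn.remote_networks:
            src, dst = HOSTS[local][1], HOSTS[remote][1]
            if not any(rule_matches(r, "LAN", "VPN", src, dst) for r in rules):
                missing.append(f"{conn.device}: no outbound rule LAN->VPN for {local} -> {remote}")
            if not any(rule_matches(r, "VPN", "LAN", dst, src) for r in rules):
                missing.append(f"{conn.device}: no inbound rule VPN->LAN for {remote} -> {local}")
    return missing


# Constructed sample configuration: head office static, branch office dynamic.
PSK = "example-only-replace-with-a-long-random-secret"   # placeholder, not a real key
HQ = IPsecConnection("HQ", "203.0.113.10", None, ("HQ_LAN",), ("Branch_LAN",), PSK, initiator=False)
BRANCH = IPsecConnection("Branch", None, "203.0.113.10", ("Branch_LAN",), ("HQ_LAN",), PSK, initiator=True)
HQ_RULES = (
    FirewallRule("Outbound VPN traffic", "LAN", "VPN", ("HQ_LAN",), ("Branch_LAN",)),
    FirewallRule("Inbound VPN traffic", "VPN", "LAN", ("Branch_LAN",), ("HQ_LAN",)),
)
BRANCH_RULES = (
    FirewallRule("Outbound VPN traffic", "LAN", "VPN", ("Branch_LAN",), ("HQ_LAN",)),
    FirewallRule("Inbound VPN traffic", "VPN", "LAN", ("HQ_LAN",), ("Branch_LAN",)),
)


def audit():
    """All problems across both ends; an empty list means the setup is consistent."""
    return check_tunnel(HQ, BRANCH) + check_rules(HQ, HQ_RULES) + check_rules(BRANCH, BRANCH_RULES)


if __name__ == "__main__":
    for line in audit() or ["OK: both ends are consistent"]:
        print(line)
```

Run it once with the values from both devices before testing connectivity; a tunnel that comes up but passes traffic in only one direction is almost always a missing inbound rule on one side, which `check_rules` reports separately from the IKE-level mismatches that `check_tunnel` finds.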