Create a site-to-site IPsec VPN

You want to create and deploy an IPsec VPN between the head office and a branch office. You use a preshared key for authentication.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Configure the head office IPsec VPN. This includes defining LANs, adding an IPsec connection, editing a firewall rule, and creating a firewall rule.
  • Configure the branch office IPsec VPN.
  • Check connectivity.

Define LANs at the head office

You create hosts for the head office and branch office networks at the head office.

  1. Go to Hosts and services > IP host and click Add.
  2. Create a host for the head office LAN.
    (Screenshot: Headquarters LAN)
  3. Click Save.
  4. Click Add.
  5. Create a host for the branch LAN.
    (Screenshot: Branch LAN)
  6. Click Save.

Add an IPsec connection at the head office

You create and activate an IPsec connection at the head office. The connection specifies endpoint details, network details, and a preshared key.

  1. Go to VPN > IPsec connections and click Add.
  2. Specify general settings.

    To create a firewall rule for the connection, enable Create firewall rule.

    (Screenshot: IPsec general settings)
  3. Specify encryption settings.
    Note: Make a note of the preshared key; you'll need it later when you configure the branch office connection.
    (Screenshot: IPsec encryption)
  4. Specify local gateway settings.
    (Screenshot: IPsec local gateway)
  5. Specify remote gateway settings.
    The connection should be able to connect to any of the remote gateway's interfaces, so specify a wildcard (*).
    (Screenshot: IPsec remote gateway)
  6. Click Save.
    The connection appears in the list of IPsec connections.
  7. Click the status indicator (Inactive indicator) to activate the connection.
    (Screenshot: IPsec list of connections)

Edit the firewall rule

Edit the firewall rule that you created when you created the IPsec connection. This rule applies to outbound VPN traffic.

  1. Go to Firewall and click the IPsec HQ to Branch rule.
    (Screenshot: IPsec HQ to Branch rule)
  2. Change the name of the rule and specify settings.
    (Screenshot: Outbound VPN rule)
  3. Click Save.

Add a firewall rule

Create a rule for inbound VPN traffic.

  1. Go to Rules and policies > Firewall rules. Select the IPv4 or IPv6 protocol, select Add firewall rule, and then select New firewall rule.
  2. Specify the settings.
    Option                        Description
    Rule name                     Inbound VPN traffic
    Source zones                  VPN
    Source networks and devices   Branch_LAN
    Destination zones             LAN
    Destination networks          HQ_LAN
  3. Click Save.

Define LANs at the branch office

You create hosts for the branch office and head office networks at the branch office.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify local LAN settings.
    Option       Description
    Name         Branch_LAN
    Type         Network
    IP address   192.168.3.0
  3. Specify remote LAN settings.
    Option       Description
    Name         HQ_LAN
    Type         Network
    IP address   192.168.2.0

Add an IPsec connection at the branch office

You create and activate an IPsec connection at the branch office.

  1. Go to VPN > IPsec connections and click Add.
  2. Specify general settings.
    Option                 Description
    Name                   Branch_to_HQ
    Connection type        Site-to-Site
    Gateway type           Initiate
    Create firewall rule   Enabled
  3. Specify encryption settings.
    Option                Description
    Policy                DefaultBranchOffice
    Authentication type   Preshared key
  4. Type and confirm the preshared key.
    Note: Make sure to use the same preshared key as in the head office.
  5. Specify local gateway settings.
    Option                Description
    Listening interface   Port1 – 10.118.96.115
    Local subnet          Branch_LAN
  6. Specify remote gateway settings.
    Option            Description
    Gateway address   *
    Remote ID         IP address – 10.118.96.91
    Remote subnet     HQ_LAN
  7. Click Save.
    The connection appears in the list of IPsec connections.
  8. Click the status indicator (Inactive indicator) to activate the connection.

Edit the firewall rule

Edit the firewall rule that you created when you created the IPsec connection. This rule applies to outbound VPN traffic.

  1. Go to Firewall and click the IPsec Branch to HQ rule.
  2. Specify the settings.
    Option                        Description
    Rule name                     Outbound VPN traffic
    Source zones                  LAN
    Source networks and devices   Branch_LAN
    Destination zones             VPN
    Destination networks          HQ_LAN
  3. Click Save.

Add a firewall rule

Create a rule for inbound VPN traffic.

  1. Go to Rules and policies > Firewall rules. Select the IPv4 or IPv6 protocol, select Add firewall rule, and then select New firewall rule.
  2. Specify the settings.
    Option                        Description
    Rule name                     Inbound VPN traffic
    Source zones                  VPN
    Source networks and devices   HQ_LAN
    Destination zones             LAN
    Destination networks          Branch_LAN
  3. Click Save.
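A tunnel that will not come up is most often a mismatch between the two ends: a preshared key typed differently, local and remote subnets that do not mirror each other, a remote ID that is not the peer's listening address, or two devices both set to initiate. The following script cross-checks the IPsec connection settings and the firewall rules from the sections above. It is an added example, not part of the original article and not a tool supplied by the firewall vendor. The branch office values are the ones the article shows; the head office values are marked ASSUMED because the article presents them only as screenshots, so they are written as the mirror image of the branch side, with "Respond only" as the assumed label for the responder role. The /24 prefix lengths and the placeholder preshared key are also constructed.

```python
"""Cross-check the two ends of a site-to-site IPsec VPN configuration.

Added example; not part of the original article and not a vendor tool.
Branch office values are from the article. Head office values are ASSUMED
(the article shows them only as screenshots) and mirror the branch side.
The /24 prefix lengths are assumed; the article gives only network addresses.
"""
import ipaddress

# Hosts, as defined under Hosts and services > IP host on both firewalls.
HOSTS = {
    "HQ_LAN": "192.168.2.0/24",      # /24 assumed
    "Branch_LAN": "192.168.3.0/24",  # /24 assumed
}

# Branch office connection, from the article.
BRANCH = {
    "name": "Branch_to_HQ",
    "gateway_type": "Initiate",
    "psk": "example-preshared-key",  # constructed placeholder, not a real key
    "listening_interface": "10.118.96.115",
    "local_subnets": ["Branch_LAN"],
    "gateway_address": "*",
    "remote_id": "10.118.96.91",
    "remote_subnets": ["HQ_LAN"],
}

# Head office connection: ASSUMED mirror image of the branch settings.
HQ = {
    "name": "HQ_to_Branch",
    "gateway_type": "Respond only",  # assumed label for the responder role
    "psk": "example-preshared-key",
    "listening_interface": "10.118.96.91",
    "local_subnets": ["HQ_LAN"],
    "gateway_address": "*",
    "remote_id": "10.118.96.115",
    "remote_subnets": ["Branch_LAN"],
}

# Firewall rules at the branch office, from the article (zones and hosts only).
BRANCH_RULES = [
    {"name": "Outbound VPN traffic", "source_zone": "LAN", "destination_zone": "VPN",
     "source_networks": ["Branch_LAN"], "destination_networks": ["HQ_LAN"]},
    {"name": "Inbound VPN traffic", "source_zone": "VPN", "destination_zone": "LAN",
     "source_networks": ["HQ_LAN"], "destination_networks": ["Branch_LAN"]},
]


def nets(host_names):
    """Resolve host object names to a frozenset of ip_network objects."""
    return frozenset(ipaddress.ip_network(HOSTS[n]) for n in host_names)


def check_tunnel_pair(a, b):
    """Return findings about the two ends of one tunnel; [] means they agree."""
    findings = []
    if a["psk"] != b["psk"]:
        findings.append("preshared keys differ")
    for this, peer in ((a, b), (b, a)):
        # What one end calls its local subnets must be the other end's remote subnets.
        if nets(this["local_subnets"]) != nets(peer["remote_subnets"]):
            findings.append(f"{peer['name']}: remote subnets do not mirror "
                            f"{this['name']} local subnets")
        # With a wildcard gateway address the peer is identified only by its ID,
        # so the ID must be present and must be the address the peer listens on.
        if this["gateway_address"] == "*" and not this.get("remote_id"):
            findings.append(f"{this['name']}: wildcard gateway address without a remote ID")
        if this.get("remote_id") and this["remote_id"] != peer["listening_interface"]:
            findings.append(f"{this['name']}: remote ID {this['remote_id']} is not the peer's "
                            f"listening interface {peer['listening_interface']}")
    roles = {a["gateway_type"], b["gateway_type"]}
    if roles != {"Initiate", "Respond only"}:
        findings.append(f"gateway types {sorted(roles)}: expect one Initiate and one Respond only")
    return findings


def check_rules(conn, rules):
    """Report the outbound (LAN->VPN) and inbound (VPN->LAN) rules missing for conn."""
    local, remote = nets(conn["local_subnets"]), nets(conn["remote_subnets"])
    expected = {("LAN", "VPN", local, remote), ("VPN", "LAN", remote, local)}
    present = {(r["source_zone"], r["destination_zone"],
                nets(r["source_networks"]), nets(r["destination_networks"])) for r in rules}
    return [f"{conn['name']}: no {src}->{dst} rule for {sorted(map(str, s))} -> {sorted(map(str, d))}"
            for src, dst, s, d in sorted(expected - present, key=str)]


if __name__ == "__main__":
    for finding in check_tunnel_pair(HQ, BRANCH) + check_rules(BRANCH, BRANCH_RULES):
        print("FINDING:", finding)
    print("done")
```

Run as is, the script reports no findings, because the two ends mirror each other and both branch rules are present. Edit one side (change the key, swap the local and remote subnets, or delete the inbound rule) and the corresponding finding is printed, which is the mismatch you would otherwise have to infer from the tunnel staying inactive.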

Check connectivity

You check the connectivity from the head office to the branch office and vice versa.

  • From the head office, check that you can ping the branch office.
    On Windows, start a command prompt and type ping 192.168.3.0.
  • From the branch office, check that you can ping the head office.
    On Windows, start a command prompt and type ping 192.168.2.0.
  • From the head office, click Firewall and view traffic.
  • From the branch office, click Firewall and view traffic.

Head and branch office configuration

In a head and branch office configuration, the firewall at the branch office usually acts as the tunnel initiator and the firewall at the head office as the responder, for the following reasons:
  • When the branch office device has a dynamic IP address, the head office device cannot initiate the connection.
  • Because the number of branch offices varies, it is recommended that each branch office retry its own connection rather than the head office retrying all connections to branch offices.