Skip to content

Create a policy-based IPsec VPN connection using preshared key

You can create and set up an IPsec VPN between the head office and a branch office.

Introduction

You must configure the following on the head office and the branch office firewalls.

  • Prerequisite: Configure IP hosts for the local and remote subnets.
  • Configure the IPsec VPN connection.
  • Optional: Edit the automatically created firewall rule to create an independent rule for outbound traffic.
  • Optional: Create a firewall rule for inbound traffic if you want independent firewall rules.
  • Allow access to services.
  • Check connectivity.

In this example, we've used a preshared key for authentication.

Define LANs at the head office

Create hosts for the head office and branch office networks at the head office.

  1. Go to Hosts and services > IP host and click Add.
  2. Create a host for the head office LAN.

    Create an IP host.

  3. Click Save.

  4. Click Add.
  5. Create a host for the branch LAN.

    Create an IP host.

  6. Click Save.

Add an IPsec connection at the head office

Create and activate an IPsec connection at the head office. The connection specifies endpoint details, network details, and a preshared key.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Specify the general settings. To create a firewall rule for the connection, select Create firewall rule.

    General settings.

  3. Specify the encryption settings.

    Note

    Make a note of the preshared key. You'll need it later when you're configuring the branch office connection.

    Encryption settings.

  4. Specify the local gateway settings.

    Local gateway settings.

  5. Specify the remote gateway settings. To establish the connection with any of the remote gateway's interfaces, specify a wildcard (*). You must use the same preshared key for all IPsec connections that use a wildcard remote gateway address on the firewall.

    Remote gateway settings.

  6. Click Save.

    The connection appears on the list of IPsec connections.

  7. Click the status button Button to activate or deactivate connection. to activate the connection.

    Activate the connection.

Edit the firewall rule

Edit the firewall rule created when you created the IPsec connection if you want to configure a rule for outbound VPN traffic.

  1. Go to Rules and policies > Firewall rules and click the IPsec HQ to Branch rule.

    Select the rule.

  2. Change the name of the rule to outbound VPN traffic if you want.

  3. Specify the settings.

    Change the name and specify the settings.

  4. Click Save.

Add a firewall rule

Create a rule for inbound VPN traffic.

  1. Go to Rules and policies > Firewall rules, select protocol IPv4 or IPv6, and click Add firewall rule. Select New firewall rule.
  2. Specify the settings.

    Option Setting
    Rule name Inbound VPN traffic
    Source zones VPN
    Source networks and devices Branch_LAN
    Destination zones LAN
    Destination networks HQ_LAN
  3. Click Save.

Allow access to services on the head office firewall

  1. Go to Administration > Device access.
  2. Under Ping/Ping6, select VPN. Users can ping the firewall's IP address through VPN to check connectivity.
  3. Click Apply.

Define LANs at the branch office

Create the hosts for the branch office and head office networks at the branch office.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify the local LAN settings.

    Option Setting
    Name Branch_LAN
    Type Network
    IP address 192.168.3.0
  3. Specify the remote LAN settings.

    Option Setting
    Name HQ_LAN
    Type Network
    IP address 192.168.2.0

Add an IPsec connection at the branch office

You create and activate an IPsec connection at the branch office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Specify the general settings:

    Option Setting
    Name Branch_to_HQ
    Connection type Site-to-Site
    Gateway type Initiate
    Create firewall rule Enabled
  3. Specify the encryption settings.

    Option Setting
    Profile Branch office (IKEv2)
    Authentication type Preshared key
  4. Type and confirm the preshared key.

    Note

    Make sure to use the same preshared key as in the head office.

  5. Specify the local gateway settings.

    Option Setting
    Listening interface Port1 – 10.118.96.115
    Local subnet Branch_LAN
  6. Specify the remote gateway settings.

    Option Setting
    Gateway address *
    Remote ID IP address – 10.118.96.91
    Remote subnet HQ_LAN
  7. Click Save. The connection appears in the list of IPsec connections.

  8. Click Status Button to activate or deactivate connection. to activate the connection.

Edit the firewall rule

Edit the firewall rule created when you created the IPsec connection if you want to configure a rule for outbound VPN traffic.

  1. Go to Rules and policies > Firewall rules and click the IPsec Branch to HQ rule.
  2. Specify the settings.

    Option Setting
    Rule name Outbound VPN traffic
    Source zones LAN
    Source networks and devices Branch_LAN
    Destination zones VPN
    Destination networks HQ_LAN
  3. Click Save.

Add a firewall rule

Create a rule for inbound VPN traffic.

  1. Go to Rules and policies > Firewall rules, select protocol IPv4 or IPv6, and click Add firewall rule. Select New firewall rule.
  2. Specify the settings.

    Option Setting
    Rule name Inbound VPN traffic
    Source zones VPN
    Source networks and devices HQ_LAN
    Destination zones LAN
    Destination networks Branch_LAN
  3. Click Save.

Allow access to services

  1. Go to Administration > Device access.
  2. Under Ping/Ping6, select VPN.

    Users can ping the firewall's IP address through VPN to check connectivity.

  3. Click Apply.

Check connectivity

You check the connectivity from the head office to the branch office and vice versa.

  • From the head office, check that you can ping the branch office. For example, on Windows, start a command prompt and type the following command: ping 192.168.3.0
  • From the branch office, check that you can ping the head office. For example, on Windows, start a command prompt and type the following command: ping 192.168.2.0
  • From the head office, click Firewall and view the traffic.
  • From the branch office, click Firewall and view the traffic.

Head office and branch office configurations

In a head and branch office configuration, the branch office firewall usually acts as the tunnel initiator and the head office firewall as a responder due to the following reasons:

  • When the branch office firewall is configured with a dynamic IP address, the head office device can't start the connection.
  • As there can be many branch offices, we recommend that each branch office retry the connection instead of the head office retrying all connections to branch offices.

More resources