Create a policy-based IPsec VPN connection using preshared key
You can create and set up an IPsec VPN between the head office and a branch office.
Introduction
You must configure the following on the head office and the branch office firewalls.
- Prerequisite: Configure IP hosts for the local and remote subnets.
- Configure the IPsec VPN connection.
- Optional: Edit the automatically created firewall rule to create an independent rule for outbound traffic.
- Optional: Create a firewall rule for inbound traffic if you want independent firewall rules.
- Allow access to services.
- Check connectivity.
In this example, we've used a preshared key for authentication.
Define LANs at the head office
Create hosts for the head office and branch office networks at the head office.
- Go to Hosts and services > IP host and click Add.
- Create a host for the head office LAN.
- Click Save.
- Click Add.
- Create a host for the branch LAN.
- Click Save.
Add an IPsec connection at the head office
Create and activate an IPsec connection at the head office. The connection specifies endpoint details, network details, and a preshared key.
- Go to Site-to-site VPN > IPsec and click Add.
- Specify the general settings. To create a firewall rule for the connection, select Create firewall rule.
- Specify the encryption settings.
  Note
  Make a note of the preshared key. You'll need it later when you're configuring the branch office connection.
- Specify the local gateway settings.
- Specify the remote gateway settings. To establish the connection with any of the remote gateway's interfaces, specify a wildcard (*). You must use the same preshared key for all IPsec connections that use a wildcard remote gateway address on the firewall.
- Click Save. The connection appears on the list of IPsec connections.
- Click the status button to activate the connection.
Edit the firewall rule
Edit the firewall rule created when you created the IPsec connection if you want to configure a rule for outbound VPN traffic.
- Go to Rules and policies > Firewall rules and click the IPsec HQ to Branch rule.
- Change the name of the rule to Outbound VPN traffic if you want.
- Specify the settings.
- Click Save.
Add a firewall rule
Create a rule for inbound VPN traffic.
- Go to Rules and policies > Firewall rules, select protocol IPv4 or IPv6, and click Add firewall rule. Select New firewall rule.
- Specify the settings.
  Option                        Setting
  Rule name                     Inbound VPN traffic
  Source zones                  VPN
  Source networks and devices   Branch_LAN
  Destination zones             LAN
  Destination networks          HQ_LAN
- Click Save.
Allow access to services on the head office firewall
- Go to Administration > Device access.
- Under Ping/Ping6, select VPN. Users can ping the firewall's IP address through VPN to check connectivity.
- Click Apply.
Define LANs at the branch office
Create the hosts for the branch office and head office networks at the branch office.
- Go to Hosts and services > IP host and click Add.
- Specify the local LAN settings.
  Option        Setting
  Name          Branch_LAN
  Type          Network
  IP address    192.168.3.0
- Specify the remote LAN settings.
  Option        Setting
  Name          HQ_LAN
  Type          Network
  IP address    192.168.2.0
Add an IPsec connection at the branch office
Create and activate an IPsec connection at the branch office.
- Go to Site-to-site VPN > IPsec and click Add.
- Specify the general settings:
  Option                 Setting
  Name                   Branch_to_HQ
  Connection type        Site-to-Site
  Gateway type           Initiate
  Create firewall rule   Enabled
- Specify the encryption settings.
  Option                 Setting
  Profile                Branch office (IKEv2)
  Authentication type    Preshared key
- Type and confirm the preshared key.
  Note
  Make sure to use the same preshared key as in the head office.
- Specify the local gateway settings.
  Option                 Setting
  Listening interface    Port1 – 10.118.96.115
  Local subnet           Branch_LAN
- Specify the remote gateway settings.
  Option                 Setting
  Gateway address        *
  Remote ID              IP address – 10.118.96.91
  Remote subnet          HQ_LAN
- Click Save. The connection appears in the list of IPsec connections.
- Click Status to activate the connection.
Edit the firewall rule
Edit the firewall rule created when you created the IPsec connection if you want to configure a rule for outbound VPN traffic.
- Go to Rules and policies > Firewall rules and click the IPsec Branch to HQ rule.
- Specify the settings.
  Option                        Setting
  Rule name                     Outbound VPN traffic
  Source zones                  LAN
  Source networks and devices   Branch_LAN
  Destination zones             VPN
  Destination networks          HQ_LAN
- Click Save.
Add a firewall rule
Create a rule for inbound VPN traffic.
- Go to Rules and policies > Firewall rules, select protocol IPv4 or IPv6, and click Add firewall rule. Select New firewall rule.
- Specify the settings.
  Option                        Setting
  Rule name                     Inbound VPN traffic
  Source zones                  VPN
  Source networks and devices   HQ_LAN
  Destination zones             LAN
  Destination networks          Branch_LAN
- Click Save.
Allow access to services
- Go to Administration > Device access.
- Under Ping/Ping6, select VPN. Users can ping the firewall's IP address through VPN to check connectivity.
- Click Apply.
Check connectivity
Check connectivity from the head office to the branch office and vice versa.
- From the head office, check that you can ping the branch office. For example, on Windows, start a command prompt and type the following command:
ping 192.168.3.0
- From the branch office, check that you can ping the head office. For example, on Windows, start a command prompt and type the following command:
ping 192.168.2.0
- From the head office, click Firewall and view the traffic.
- From the branch office, click Firewall and view the traffic.
Head office and branch office configurations
In a head and branch office configuration, the branch office firewall usually acts as the tunnel initiator and the head office firewall as a responder due to the following reasons:
- When the branch office firewall is configured with a dynamic IP address, the head office device can't start the connection.
- As there can be many branch offices, we recommend that each branch office retry the connection instead of the head office retrying all connections to branch offices.
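The two ends of a policy-based tunnel only come up when they mirror each other, and the page's rule that every wildcard-gateway connection on one firewall must share the same preshared key is easy to break when a second branch is added. The following is an added example (not code from the documentation page) that checks both conditions on a plain-data model of the connections; subnets, addresses and the branch settings come from the page, while the head office gateway type ("Respond only"), the connection names and the placeholder keys are assumptions.

```python
# Added example (not from the documentation page): a consistency check for the two ends of
# the policy-based IPsec tunnel described above. Subnets, gateway addresses and the branch
# settings come from the page; the head office gateway type ("Respond only"), the connection
# names and the placeholder keys are constructed assumptions.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IPsecConn:
    name: str
    gateway_type: str    # "Initiate" (branch) or "Respond only" (assumed for head office)
    psk: str             # preshared key; must be identical on both ends
    listening_ip: str    # address of the listening interface
    remote_gateway: str  # "*" is the wildcard: accept any remote gateway address
    local_subnet: str
    remote_subnet: str


def check_pair(hq: IPsecConn, branch: IPsecConn) -> list:
    """Return the problems found between the two ends; an empty list means they mirror."""
    problems = []
    if hq.psk != branch.psk:
        problems.append("preshared keys differ")
    if hq.local_subnet != branch.remote_subnet or hq.remote_subnet != branch.local_subnet:
        problems.append("local/remote subnets are not mirrored")
    if branch.remote_gateway not in ("*", hq.listening_ip):
        problems.append("branch remote gateway does not reach the head office")
    if not any(c.gateway_type == "Initiate" for c in (hq, branch)):
        problems.append("neither end initiates, so the tunnel never comes up")
    return problems


def wildcard_psks_consistent(conns) -> bool:
    """All connections on one firewall that use a wildcard remote gateway must share one PSK."""
    return len({c.psk for c in conns if c.remote_gateway == "*"}) <= 1


# Constructed sample values; the keys are placeholders, not real preshared keys.
HQ = IPsecConn("HQ_to_Branch", "Respond only", "PSK_PLACEHOLDER", "10.118.96.91",
               "*", "HQ_LAN", "Branch_LAN")
BRANCH = IPsecConn("Branch_to_HQ", "Initiate", "PSK_PLACEHOLDER", "10.118.96.115",
                   "*", "Branch_LAN", "HQ_LAN")
# A second wildcard connection on the head office firewall with a different key breaks
# the same-key rule quoted on the page.
HQ_OTHER = replace(HQ, name="HQ_to_Branch2", psk="OTHER_PLACEHOLDER", remote_subnet="Branch2_LAN")

if __name__ == "__main__":
    print("pair problems:", check_pair(HQ, BRANCH))
    print("wildcard PSKs consistent:", wildcard_psks_consistent([HQ, HQ_OTHER]))
```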