How do I create a Policy Based LAN to LAN VPN using Preshared Keys

[KB6210]


Summary:
Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys
Environment:
  • Preshared secrets
  • Policy Based VPN
  • Static IP Addresses on both gateways of VPN
Solution:

This example assumes that static IP addresses are assigned to both VPN devices in the tunnel and that the preshared secret is netscreen. The table below lists the proposals used in this example:

(network drawing)

Site                    A                  B
Untrust IP of Firewall  1.1.1.1            2.2.2.1
Trust Network           10.1.1.0/24        172.16.10.0/24
Phase 1 Proposal        pre-g2-3des-sha    pre-g2-3des-sha
Phase 2 Proposal        g2-esp-3des-sha    g2-esp-3des-sha

Site A:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site B GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 2.2.2.1
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Main
      3. Click Return
    7. Click OK
  3. Click Autokey IKE
  4. Click New
    1. VPN Name: Site B VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site B VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Click OK
    8. Position at Top: Enabled

Site B:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site A GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Main
      3. Click Return
    7. Click OK
  3. Click Autokey IKE
  4. Click New
    1. VPN Name: Site A VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site A VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Click OK
    8. Position at Top: Enabled