This example assumes that both VPN devices in the tunnel have static IP addresses and that the preshared secret is netscreen. The matrix below shows the addresses and proposals used in this example:

| Site | A | B |
| --- | --- | --- |
| Untrust IP of Firewall | 1.1.1.1 | 2.2.2.1 |
| Trust Network | 10.1.1.0/24 | 172.16.10.0/24 |
| Phase 1 Proposal | pre-g2-3des-sha | pre-g2-3des-sha |
| Phase 2 Proposal | g2-esp-3des-sha | g2-esp-3des-sha |
Site A:
- Click VPNs > AutoKey Advanced > Gateway
- Click New
- Gateway Name: Site B GW
- Security Level: Custom
- Remote Gateway: Click Static, and enter IP address 2.2.2.1
- Preshared Key: netscreen
- Outgoing Interface: untrust (or whichever interface goes out to the Internet)
- Click Advanced
- Phase 1 Proposal: pre-g2-3des-sha
- Mode (Initiator): Main
- Click Return
- Click OK
- Click Autokey IKE
- Click New
- VPN Name: Site B VPN
- Security Level: Custom
- Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
- Click Advanced
- Phase 2 Proposal: g2-esp-3des-sha
- Click Return
- Click OK
- Click Policy
- Select From Trust to Untrust Zone, and click New
- Source Address: Click New Address, and enter 10.1.1.0/24
- Destination Address: Click New Address, and enter 172.16.10.0/24
- Service: Any
- Action: Tunnel
- Tunnel: Site B VPN
- Modify matching bidirectional VPN policy: Enabled
- Click OK
- Position at Top: Enabled
Site B:
- Click VPNs > AutoKey Advanced > Gateway
- Click New
- Gateway Name: Site A GW
- Security Level: Custom
- Remote Gateway: Click Static, and enter IP address 1.1.1.1
- Preshared Key: netscreen
- Outgoing Interface: untrust (or whichever interface goes out to the Internet)
- Click Advanced
- Phase 1 Proposal: pre-g2-3des-sha
- Mode (Initiator): Main
- Click Return
- Click OK
- Click Autokey IKE
- Click New
- VPN Name: Site A VPN
- Security Level: Custom
- Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
- Click Advanced
- Phase 2 Proposal: g2-esp-3des-sha
- Click Return
- Click OK
- Click Policy
- Select From Trust to Untrust Zone, and click New
- Source Address: Click New Address, and enter 172.16.10.0/24
- Destination Address: Click New Address, and enter 10.1.1.0/24
- Service: Any
- Action: Tunnel
- Tunnel: Site A VPN
- Modify matching bidirectional VPN policy: Enabled
- Click OK
- Position at Top: Enabled
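As an added example that is not part of this walkthrough: a small Python check over the two sites' settings (the dict layout and field names are this example's own, the values are constructed from the matrix above) that reports which parameters must be identical on both peers and which must mirror each other, the usual causes of a Phase 1 or Phase 2 failure after following the steps above.

```python
import ipaddress

# Constructed from the matrix above; the field names are this example's own.
SITE_A = {
    "name": "A", "untrust_ip": "1.1.1.1", "trust_net": "10.1.1.0/24",
    "psk": "netscreen", "p1": "pre-g2-3des-sha", "p2": "g2-esp-3des-sha",
    "remote_gw": "2.2.2.1", "mode": "Main",
    "policy": {"src": "10.1.1.0/24", "dst": "172.16.10.0/24", "action": "Tunnel"},
}
SITE_B = {
    "name": "B", "untrust_ip": "2.2.2.1", "trust_net": "172.16.10.0/24",
    "psk": "netscreen", "p1": "pre-g2-3des-sha", "p2": "g2-esp-3des-sha",
    "remote_gw": "1.1.1.1", "mode": "Main",
    "policy": {"src": "172.16.10.0/24", "dst": "10.1.1.0/24", "action": "Tunnel"},
}


def check_pair(a, b):
    """Return a list of problems; an empty list means the two sites agree."""
    problems = []
    net = ipaddress.ip_network
    # Values that must be identical on both peers. The preshared key is never
    # echoed into the report; a mismatch is reported by name only.
    for key, label in (("psk", "preshared key"), ("p1", "Phase 1 proposal"),
                       ("p2", "Phase 2 proposal")):
        if a[key] != b[key]:
            problems.append(f"{label} differs between sites {a['name']} and {b['name']}")
    # Static peers negotiate in Main mode, as the walkthrough assumes.
    for site in (a, b):
        if site["mode"] != "Main":
            problems.append(f"site {site['name']}: mode {site['mode']} is not Main")
    # Values that must mirror: my remote gateway is the peer's untrust IP, and
    # my policy goes from my own trust network to the peer's trust network.
    for me, peer in ((a, b), (b, a)):
        n, pol = me["name"], me["policy"]
        if me["remote_gw"] != peer["untrust_ip"]:
            problems.append(f"site {n}: remote gateway is not the peer's untrust IP")
        if pol["action"] != "Tunnel":
            problems.append(f"site {n}: policy action {pol['action']} is not Tunnel")
        if net(pol["src"]) != net(me["trust_net"]):
            problems.append(f"site {n}: policy source is not the local trust network")
        if net(pol["dst"]) != net(peer["trust_net"]):
            problems.append(f"site {n}: policy destination is not the peer's trust network")
    # Overlapping trust networks cannot be routed cleanly through the tunnel.
    if net(a["trust_net"]).overlaps(net(b["trust_net"])):
        problems.append("trust networks of A and B overlap")
    return problems
```

Running `check_pair(SITE_A, SITE_B)` on the values above returns an empty list; changing one site's Phase 2 proposal or remote gateway address yields a single named problem, which is the first thing to look at when the tunnel does not come up.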