Configuring IPSec VPN on the firewall

Configuring an SA on the USG
Creating a dynamic IPSec SA
1. Traffic between network A and network B is encrypted and carried through an IPSec tunnel between USG_A and USG_B. USG_A protects network 10.1.1.0/24 and has the public address 202.38.163.1/24; USG_B protects network 10.1.2.0/24 and has the public address 202.38.169.1/24.
Network A---USG_A----INTERNET-----USG_B---Network B
2. The configuration steps are as follows:
[USG_A] acl 3000 //Configure an ACL that matches the traffic to be protected by IPSec.
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure a route.
[USG_A] ipsec proposal tran1 //Configure an IPSec proposal.
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10 //Configure an IKE proposal.
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b //Configure an IKE peer.
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp //Configure an IPSec policy.
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

[USG_B] acl 3000 //Configure an ACL that matches the traffic to be protected by IPSec.
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure a route.
[USG_B] ipsec proposal tran1 //Configure an IPSec proposal.
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10 //Configure an IKE proposal.
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a //Configure an IKE peer.
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp //Configure an IPSec policy.
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.
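As an added consistency check, not part of the original page or of the USG software: the Python script below (names `parse_usg` and `check_peers` are assumed) parses CLI lines in the `[prompt] command //comment` form shown above and verifies that the two peers mirror each other: ACL source and destination swapped, each remote-address equal to the other side's public address, and identical ESP/IKE algorithms and pre-shared key. A mismatch in any of these keeps the IKE negotiation, and therefore the tunnel, from coming up.

```python
import re

def parse_usg(text):
    """Reduce '[prompt] command //comment' lines to the settings both peers must agree on."""
    cfg = {}
    for raw in text.strip().splitlines():
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", raw).split("//")[0].strip()  # drop prompt and comment
        if m := re.match(r"rule permit ip source (\S+) \S+ destination (\S+) \S+", cmd):
            cfg["acl"] = (m.group(1), m.group(2))  # (protected network, remote network)
        elif m := re.match(r"esp (authentication|encryption)-algorithm (\S+)", cmd):
            cfg["esp-" + m.group(1)] = m.group(2)
        elif m := re.match(r"(authentication|integrity)-algorithm (\S+)", cmd):
            cfg["ike-" + m.group(1)] = m.group(2)
        elif m := re.match(r"(remote-address|pre-shared-key|authentication-method) (\S+)", cmd):
            cfg[m.group(1)] = m.group(2)
    return cfg

def check_peers(cfg_a, cfg_b, public_a, public_b):
    """Return the mismatches between the two ends; an empty list means the configs mirror each other."""
    problems = []
    if cfg_a.get("acl") != cfg_b.get("acl", ())[::-1]:
        problems.append("ACL 3000 source/destination are not mirrored between the peers")
    if cfg_a.get("remote-address") != public_b or cfg_b.get("remote-address") != public_a:
        problems.append("ike peer remote-address does not match the other peer's public address")
    for key in ("esp-authentication", "esp-encryption", "ike-authentication",
                "ike-integrity", "authentication-method", "pre-shared-key"):
        if cfg_a.get(key) != cfg_b.get(key):
            problems.append(f"{key} differs: {cfg_a.get(key)!r} vs {cfg_b.get(key)!r}")
    return problems

# Constructed excerpts of the two configurations shown on the page (only the lines the check needs).
USG_A = """
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-peer-b] remote-address 202.38.169.1 //Configure an IKE peer.
[USG_A-ike-peer-b] pre-shared-key abcde"""
USG_B = """
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-peer-a] remote-address 202.38.163.1 //Configure an IKE peer.
[USG_B-ike-peer-a] pre-shared-key abcde"""
```

Run `check_peers(parse_usg(USG_A), parse_usg(USG_B), "202.38.163.1", "202.38.169.1")`; an empty list means the two ends agree, and each string returned names the setting to fix on one side.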
