Whether the firewall supports the IPSec VPN license

Support of the IPSec VPN license on the USG
IPSec license control on the USG:
1. On the USG5300, the IPSec function is unavailable until the license is activated: the IPSec pages in the web UI and the IPSec commands in the CLI are not shown. After a commercial license is purchased and activated, a maximum of 15,000 tunnels is supported.
2. No IPSec license control is documented for the USG2000 and USG5000, so no license is required.
3. No IPSec license control is documented for the USG6000, so no license is required by default.

Other related questions:
Whether the MPLS VPN function on USG firewalls is controlled by a license
The MPLS VPN function of the USG2000, USG5000, and USG6000 is not controlled by a license.
IPSec VPN lifetime on the firewall
Interfaces supported by IPSec VPN on the USG
On the USG, IPSec can be applied to Layer 3 physical interfaces, VLANIF interfaces, Layer 2 interfaces, tunnel interfaces, subinterfaces, and dialer interfaces.
1. Apply an IPSec policy on a Layer 3 physical interface.
   system-view                                   //Access the system view.
   interface interface-type interface-number     //Access the physical interface.
   ipsec policy policy-name [ auto-neg ]         //Apply the IPSec policy.
2. Apply an IPSec policy on a Layer 2 physical interface.
   system-view                                   //Access the system view.
   interface interface-type interface-number     //Access the physical interface.
   ipsec policy policy-name [ auto-neg ]         //Apply the IPSec policy.
   Note: Before you establish an IPSec tunnel on a Layer 2 interface, you must first configure the IP address of the VLAN on which the Layer 2 interface resides.
3. Apply an IPSec policy group to a tunnel interface.
   system-view                                   //Access the system view.
   interface tunnel tunnel-number                //Access the tunnel interface view.
   tunnel-protocol ipsec                         //Set the encapsulation type on the tunnel interface to IPSec.
   ipsec policy policy-name                      //Apply the IPSec policy group to the tunnel interface.
Configuring IPSec VPN on the firewall
Configuring an SA on the USG: creating a dynamic (IKE-negotiated) IPSec SA
1. Networking: the data between network A and network B is encrypted and transmitted through the IPSec tunnel between USG_A and USG_B. USG_A protects network 10.1.1.0/24, and its public address is 202.38.163.1/24. USG_B protects network 10.1.2.0/24, and its public address is 202.38.169.1/24.
   Network A---USG_A----INTERNET-----USG_B---Network B
2. The configuration steps are as follows. The two sides must mirror each other: the ACLs swap source and destination, each remote-address is the other side's public address, and the pre-shared keys and proposals are identical.
   Configure USG_A:
   [USG_A] acl 3000                                        //Configure an ACL to match the traffic to be protected.
   [USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
   [USG_A-acl-adv-3000] quit
   [USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2   //Configure a route to the remote network.
   [USG_A] ipsec proposal tran1                            //Configure an IPSec proposal.
   [USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
   [USG_A-ipsec-proposal-tran1] transform esp
   [USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
   [USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
   [USG_A-ipsec-proposal-tran1] quit
   [USG_A] ike proposal 10                                 //Configure an IKE proposal.
   [USG_A-ike-proposal-10] authentication-method pre-share
   [USG_A-ike-proposal-10] authentication-algorithm sha1
   [USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
   [USG_A-ike-proposal-10] quit
   [USG_A] ike peer b                                      //Configure an IKE peer.
   [USG_A-ike-peer-b] ike-proposal 10
   [USG_A-ike-peer-b] remote-address 202.38.169.1
   [USG_A-ike-peer-b] pre-shared-key abcde
   [USG_A-ike-peer-b] quit
   [USG_A] ipsec policy map1 10 isakmp                     //Configure an IKE-negotiated IPSec policy.
   [USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
   [USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
   [USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
   [USG_A-ipsec-policy-isakmp-map1-10] quit
   [USG_A] interface GigabitEthernet 0/0/2
   [USG_A-GigabitEthernet0/0/2] ipsec policy map1          //Apply the IPSec policy to the interface.
   Configure USG_B:
   [USG_B] acl 3000                                        //Configure an ACL to match the traffic to be protected.
   [USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
   [USG_B-acl-adv-3000] quit
   [USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2   //Configure a route to the remote network.
   [USG_B] ipsec proposal tran1                            //Configure an IPSec proposal.
   [USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
   [USG_B-ipsec-proposal-tran1] transform esp
   [USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
   [USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
   [USG_B-ipsec-proposal-tran1] quit
   [USG_B] ike proposal 10                                 //Configure an IKE proposal.
   [USG_B-ike-proposal-10] authentication-method pre-share
   [USG_B-ike-proposal-10] authentication-algorithm sha1
   [USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
   [USG_B-ike-proposal-10] quit
   [USG_B] ike peer a                                      //Configure an IKE peer.
   [USG_B-ike-peer-a] ike-proposal 10
   [USG_B-ike-peer-a] remote-address 202.38.163.1
   [USG_B-ike-peer-a] pre-shared-key abcde
   [USG_B-ike-peer-a] quit
   [USG_B] ipsec policy map1 10 isakmp                     //Configure an IKE-negotiated IPSec policy.
   [USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
   [USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
   [USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
   [USG_B-ipsec-policy-isakmp-map1-10] quit
   [USG_B] interface GigabitEthernet 0/0/2
   [USG_B-GigabitEthernet0/0/2] ipsec policy map1          //Apply the IPSec policy to the interface.
   Note: the pre-shared key abcde and the SHA-1 algorithms are placeholders taken from the example; in production use a long random pre-shared key and the strongest integrity algorithm the platform supports.
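The two-sided configuration above only brings the tunnel up if both firewalls mirror each other exactly, and the most common failures (a mistyped peer address, a pre-shared key that differs by one character, a proposal that does not match) are silent until IKE negotiation fails. The following is an added example, not code from the page or from Huawei, that parses a flat command list in the style of the example above and cross-checks the two sides. The `usg_config` template, the parser's view tracking and the 16-character pre-shared-key threshold are assumptions made for this example; the sample configurations are constructed to match USG_A and USG_B above.

```python
import re

def usg_config(local_net, remote_net, peer, remote_addr, psk, iface="GigabitEthernet 0/0/2"):
    """Render one side's command list (constructed sample input mirroring the page's example)."""
    return f"""
acl 3000
rule permit ip source {local_net} 0.0.0.255 destination {remote_net} 0.0.0.255
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes
quit
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1
integrity-algorithm hmac-sha1-96
quit
ike peer {peer}
ike-proposal 10
remote-address {remote_addr}
pre-shared-key {psk}
quit
ipsec policy map1 10 isakmp
security acl 3000
proposal tran1
ike-peer {peer}
quit
interface {iface}
ipsec policy map1
"""

USG_A = usg_config("10.1.1.0", "10.1.2.0", "b", "202.38.169.1", "abcde")
USG_B = usg_config("10.1.2.0", "10.1.1.0", "a", "202.38.163.1", "abcde")

KINDS = {"ipsec proposal": "proposal", "ike proposal": "ike_proposal",
         "ike peer": "ike_peer", "ipsec policy": "policy"}

def parse_usg(text):
    """Walk the flat command list, tracking which configuration view each line belongs to."""
    cfg = {"acl": {}, "proposal": {}, "ike_proposal": {}, "ike_peer": {}, "policy": {}, "applied": {}}
    ctx = None  # (kind, name) of the view the current line is in
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        w = line.split()
        if line == "quit":
            ctx = None
        elif w[0] == "acl":
            ctx = ("acl", w[1]); cfg["acl"][w[1]] = []
        elif w[0] == "rule" and ctx and ctx[0] == "acl":
            m = re.fullmatch(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)", line)
            cfg["acl"][ctx[1]].append(m.groups())          # (src, src-wildcard, dst, dst-wildcard)
        elif w[0] == "interface":
            ctx = ("applied", " ".join(w[1:]))
        elif w[:2] == ["ipsec", "policy"] and ctx and ctx[0] == "applied":
            cfg["applied"][ctx[1]] = w[2]                    # policy applied on an interface
        elif " ".join(w[:2]) in KINDS:
            kind = KINDS[" ".join(w[:2])]
            ctx = (kind, w[2]); cfg[kind][w[2]] = {}
        elif ctx and ctx[0] != "applied":
            cfg[ctx[0]][ctx[1]][" ".join(w[:-1])] = w[-1]    # "keyword(s) value" inside a view
    return cfg

def check_pair(a, b, a_public, b_public):
    """Cross-check two parsed sides. Returns (errors, warnings); errors stop the tunnel."""
    errors, warnings = [], []
    def resolve(cfg, name):
        if len(cfg["applied"]) != 1:
            errors.append(f"{name}: expected exactly one interface with an IPSec policy")
            return None
        pol = cfg["policy"][next(iter(cfg["applied"].values()))]
        peer = cfg["ike_peer"][pol["ike-peer"]]
        if peer.get("ike-proposal") not in cfg["ike_proposal"]:
            errors.append(f"{name}: IKE peer references a missing IKE proposal")
        return cfg["acl"][pol["security acl"]], cfg["proposal"][pol["proposal"]], peer
    ra, rb = resolve(a, "A"), resolve(b, "B")
    if ra is None or rb is None:
        return errors, warnings
    acl_a, prop_a, peer_a = ra
    acl_b, prop_b, peer_b = rb
    # B's rules must be A's rules with source and destination swapped.
    if set(acl_a) != {(d, dw, s, sw) for s, sw, d, dw in acl_b}:
        errors.append("security ACLs are not mirror images")
    if peer_a.get("remote-address") != b_public:
        errors.append("A's remote-address is not B's public address")
    if peer_b.get("remote-address") != a_public:
        errors.append("B's remote-address is not A's public address")
    if peer_a.get("pre-shared-key") != peer_b.get("pre-shared-key"):
        errors.append("pre-shared keys differ")
    if prop_a != prop_b:
        errors.append("IPSec proposals differ")
    # Weak-but-working settings: the tunnel comes up, but should not ship as-is (thresholds assumed).
    if len(peer_a.get("pre-shared-key", "")) < 16:
        warnings.append("pre-shared key shorter than 16 characters")
    if prop_a.get("esp authentication-algorithm") in ("md5", "sha1"):
        warnings.append("ESP integrity uses a legacy hash (md5/sha1)")
    return errors, warnings

if __name__ == "__main__":
    print(check_pair(parse_usg(USG_A), parse_usg(USG_B), "202.38.163.1", "202.38.169.1"))
```

Run against the page's example the checker reports no errors but two warnings (the five-character key and SHA-1); changing a single character of one side's pre-shared key turns that into an error before anything is pushed to the firewalls.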
Whether the USG2000 requires a license for IPSec VPN
The USG2000 does not require a license for the IPSec feature.
Whether the USG5000 requires a license for IPSec VPN
IPSec license control on USG firewalls:
1. On the USG5300, IPSec cannot be used until the license is activated; the IPSec web UI pages and CLI commands are hidden. After a commercial license is purchased and activated, up to 15,000 tunnels are supported.
2. The USG5000 does not require a license for the IPSec feature.