Changing the peer IP address of IPSec VPN on the firewall


Changing the peer IP address of IPSec VPN on the USG
1. Configuration method
remote-address
The remote-address command specifies the IP address or address range of the IKE peer; the undo form removes it.

remote-address { low-ip-address [ high-ip-address ] | ip-pool pool-number | authentication-address low-ip-address [ high-ip-address ] | vpn-instance vpn-instance-name low-ip-address [ high-ip-address ] }
undo remote-address [ authentication-address | ip-pool ]
Parameter description
low-ip-address [ high-ip-address ]: Address or address range of the IKE peer. If high-ip-address is omitted, the IKE peer has a single address.
ip-pool pool-number: Assigns the peer (for example, an AP) an address taken from an address pool configured on the local end. The pool must exist locally before it is referenced here.
authentication-address low-ip-address [ high-ip-address ]: Used with NAT traversal when the IP address is the IKE identity. Because the address seen in the IKE packets is the post-NAT address, specify the peer's pre-NAT address or address range here so that identity authentication succeeds.
vpn-instance vpn-instance-name: In a multi-instance configuration, specifies the VPN instance in which the tunnel's interface address resides.
Usage guidelines
When the IKE peer is referenced by an IPSec policy template, remote-address is optional. When the IKE peer is referenced by an IPSec policy, remote-address is mandatory.
If the peer address is configured as an address range, the IKE peer can be referenced only by an IPSec policy template: a policy initiates negotiation and therefore needs one definite peer address, whereas a template only responds.
While the IKE peer is referenced by an IPSec policy or IPSec policy template, remote-address cannot be used to modify its peer IP address. To change the address of a referenced peer, remove the reference from the policy first, change the address, and then reference the peer again.
2. Example
system-view
[sysname] ike peer peer1
[sysname-ike-peer-peer1] remote-address 202.38.0.1 //Set the IP address of the IKE peer peer1 to 202.38.0.1.
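The usage guideline above means that the one-line example only works on a peer that is not yet referenced. The following added example (not from the original page) shows the change on a peer that is already referenced by an ISAKMP IPSec policy. The policy name map1, sequence number 10, the peer name peer1, the old address 202.38.0.1 and the new address 202.38.0.9 are assumed values; undo ike-peer in the IPSec policy view, display ike peer and display ike sa are taken from the USG command set and should be checked against the command reference for your release.

```text
//Assumed values: policy map1 sequence 10 (ISAKMP), IKE peer peer1, new peer address 202.38.0.9.
system-view
[sysname] ipsec policy map1 10 isakmp
[sysname-ipsec-policy-isakmp-map1-10] undo ike-peer        //Remove the reference; remote-address is locked while the peer is referenced.
[sysname-ipsec-policy-isakmp-map1-10] quit
[sysname] ike peer peer1
[sysname-ike-peer-peer1] remote-address 202.38.0.9         //The address can be changed now.
[sysname-ike-peer-peer1] quit
[sysname] ipsec policy map1 10 isakmp
[sysname-ipsec-policy-isakmp-map1-10] ike-peer peer1       //Reference the peer again.
[sysname-ipsec-policy-isakmp-map1-10] quit
[sysname] display ike peer                                 //Check that peer1 now carries 202.38.0.9.
[sysname] display ike sa                                   //Once traffic (or auto-neg) re-triggers negotiation, the SA should show the new peer.
```

Removing the reference drops the IKE and IPSec SAs negotiated with that peer, so do this in a maintenance window, and update the other end symmetrically: its remote-address must match the new local address of this device, and if the peer sits behind NAT the address to put in remote-address is the one seen on the public side, with the pre-NAT address supplied through authentication-address as described above.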

Other related questions:
Configuring IPSec VPN on the firewall
Configuring an SA on the USG: creating a dynamic IPSec SA

1. Scenario: the data between network A and network B is encrypted and transmitted through the IPSec tunnel between USG_A and USG_B. USG_A protects network 10.1.1.0/24, and its public address is 202.38.163.1/24. USG_B protects network 10.1.2.0/24, and its public address is 202.38.169.1/24.

Network A---USG_A----INTERNET-----USG_B---Network B

2. Configuration steps on USG_A:

[USG_A] acl 3000 //Configure an ACL that matches the data flows to be protected.
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure a route to the peer's protected network via the next hop on the public link.
[USG_A] ipsec proposal tran1 //Configure an IPSec proposal.
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10 //Configure an IKE proposal.
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b //Configure an IKE peer.
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp //Configure an IPSec policy.
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

Configuration steps on USG_B (mirror image of USG_A):

[USG_B] acl 3000 //Configure an ACL that matches the data flows to be protected.
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure a route to the peer's protected network.
[USG_B] ipsec proposal tran1 //Configure an IPSec proposal.
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10 //Configure an IKE proposal.
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a //Configure an IKE peer.
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp //Configure an IPSec policy.
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

The ACLs, remote-address values and pre-shared keys on the two ends must mirror each other exactly or IKE negotiation fails. The key abcde and the SHA-1 algorithms are lab values for the example; in production use a long random pre-shared key and the strongest algorithms both ends support.

IPSec VPN lifetime on the firewall
Interfaces supported by IPSec VPN reference on the USG

IPSec can be applied to Layer 3 physical interfaces, VLANIF interfaces, Layer 2 interfaces, tunnel interfaces, subinterfaces, and dialer interfaces.

1. Apply an IPSec policy on a Layer 3 physical interface.
system-view //Enter the system view.
interface interface-type interface-number //Enter the interface view.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.

2. Apply an IPSec policy on a Layer 2 physical interface.
system-view //Enter the system view.
interface interface-type interface-number //Enter the interface view.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.
Note: Before establishing an IPSec tunnel on a Layer 2 interface, first configure the IP address of the VLAN (VLANIF interface) to which the Layer 2 interface belongs; that address is the local address of the tunnel.

3. Apply an IPSec policy group to a tunnel interface.
system-view //Enter the system view.
interface tunnel tunnel-number //Enter the tunnel interface view.
tunnel-protocol ipsec //Set the encapsulation type of the tunnel interface to IPSec.
ipsec policy policy-name //Apply the IPSec policy group to the tunnel interface.

How to modify the local IP address of the IPSec IKE peer on the USG2100
The local IP address of the IKE peer is bound to the IP address of the interface to which the IPSec policy is applied. To change the local IP address of the IKE peer, change the IP address of that interface.

Configuring automatic triggering of IPSec VPN on the firewall
Configuring automatic IPSec triggering (automatic negotiation) on the USG

The auto-neg option can be set when an IPSec tunnel is established in non-template mode; it makes the device establish the tunnel by proactive negotiation. Without auto-neg, the tunnel is established only when matching traffic triggers it.

When the tunnel is established in template mode, the template end cannot initiate negotiation. If the non-template end sends no traffic, the tunnel is never established. In that case, configure auto-neg on the non-template end. After auto-neg is configured, the non-template end immediately checks each data flow in the policy, sends a negotiation request to the template end even when no traffic is being transmitted, and establishes the IPSec tunnel. The check repeats at an interval far shorter than the SA lifetime, so that every tunnel in the system stays in the established state.

Configuration example: apply the IPSec policy group policy1 to GigabitEthernet 0/0/3 and proactively initiate the tunnel.
system-view
[sysname] interface GigabitEthernet 0/0/3
[sysname-GigabitEthernet0/0/3] ipsec policy policy1 auto-neg

Number of concurrent IPSec VPN tunnels on the firewall
Number of concurrent IPSec VPN tunnels on the USG

This depends on device performance. For an accurate figure, contact the pre-sales personnel. Reference specifications as listed on this page:

Performance specification                USG2110   USG2130   USG2160   USG2210   USG2220   USG2230   USG2250    USG5120    USG5150
Number of concurrent connections         100,000   200,000   200,000   300,000   500,000   800,000   1 million  2 million  2 million
Number of new connections per second     1200      (only one value is given on the page)
IPSec VPN performance                    40M       60M       60M       300M      350M      400M      500M       1G         2G
Number of concurrent IPSec VPN tunnels   64        64        64        2000      2000      2000      2000       2000       2000
