Method used to configure interfaces that support the IPSec VPN on USG firewalls


You can configure interfaces that support the IPSec VPN on USG firewalls as follows:
Generally, IPSec supports the following interfaces: L3 physical ports, VLANIF interfaces, L2 interfaces (through the VLANIF interface configured for their VLAN), tunnel interfaces, subinterfaces, and dialer interfaces.
1. Apply the IPSec policies for the L3 physical port as follows:
system-view //Enter the system view.
interface interface-type interface-number //Access the physical port.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policies.
2. Apply the IPSec security policy group for the L2 physical port as follows:
system-view //Enter the system view.
interface interface-type interface-number //Access the physical port.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policies.
Note: You need to configure the IP address of the VLAN where the L2 interface resides when establishing an IPSec tunnel over the L2 interface.
3. Apply the IPSec policies for the tunnel interface as follows:
system-view //Enter the system view.
interface tunnel tunnel-number //Enter the tunnel interface view.
tunnel-protocol ipsec //Set the tunnel encapsulation mode to IPSec.
ipsec policy policy-name //Apply the security policy group to the tunnel interface.

Other related questions:
Method used to configure the Trunk interface on USG firewalls
The method used to configure the Trunk interface on the USG2000, USG5000, and USG6000 is as follows:
Generally, interfaces of firewalls are L3 interfaces. These L3 interfaces must first be converted to L2 interfaces.
sys
[USG] vlan batch 2 3 //Create the VLANs.
[USG] interface gigabitethernet 0/0/3
[USG-GigabitEthernet0/0/3] portswitch //Convert the L3 interface to an L2 interface. If the interface is already an L2 interface, this command is not required.
[USG-GigabitEthernet0/0/3] port link-type trunk //Set the interface type to Trunk (the default is Hybrid).
[USG-GigabitEthernet0/0/3] port trunk allow-pass vlan all //Permit packets of all VLANs (by default, only packets of VLAN 1 are permitted).
[USG-GigabitEthernet0/0/3] port trunk pvid vlan 2 //(Optional) Set the default VLAN to VLAN 2 (the default PVID is VLAN 1).

Method used to configure the L2TP over IPSec dial-up access for iPhone and Mac users on the USG2000 and USG5000
The method used to configure the L2TP over IPSec dial-up access for iPhone and Mac users on the USG2000 and USG5000 is as follows:
1. Configuration on the iPhone:
Choose Settings > General > Network > VPN. Select Add VPN Configuration. On the Add Configuration screen, select L2TP from Type. Set the L2TP options as follows:
Description: L2TP VPN description. In this example, it can be set to any value.
Server: L2TP VPN server address. In this example, it is set to 188.135.3.146, that is, the IP address of the firewall.
Account: L2TP user name. It is set to the user name configured for the AAA on the firewall.
RSA SecurID: Determines whether to perform verification using the RSA ID. In this example, it is disabled.
Password: Password of the L2TP user. It is consistent with the user name.
Secret: Exchange key of the L2TP VPN, that is, the pre-shared key in the IKE. In this example, it is set to nawras.
Send All Traffic: Enabled, so that all traffic is transmitted over the VPN.
IPSec configuration: Generally, after you configure the L2TP options, the IPSec options are automatically filled in by the system. If not, fill in the options as follows:
Description: VPN description. In this example, it can be set to any value.
Server: IP address of the firewall interface. In this example, it is set to 188.135.3.146.
Account: L2TP user name. It is set to the user name configured for the AAA on the firewall.
Password: Password of the L2TP user. It is consistent with the user name.
User Certificate: The certificate is not required. This option is unavailable.
Group Name: The group name is not required. It can be left blank.
Secret: Pre-shared key in the IKE. In this example, it is set to nawras.
2. Configuration on the Mac OS:
a. VPN parameters on the Mac PC: The IKE negotiation uses the main mode. The encryption algorithm for the IKE negotiation is 3DES. The authentication algorithm is SHA-1. The authentication method is PRE-SHARED-KEY (PSK). The IPSec negotiation uses transport mode. The IPSec encryption algorithm is 3DES. The IPSec authentication algorithm is MD5.
b. Configuration procedure: Click Network. Click "+" in the lower left corner to create a new service. Set VPN Type to L2TP over IPSec and Service Name to any value, for example, VPN (L2TP). Set Server Address to the interface IP address of the firewall, and Account Name to the L2TP user name that has been configured for the AAA. Then click Authentication Settings. Set Password to the password of the L2TP user, and Shared Secret to the pre-shared key of the IKE peer, for example, nawras. After the parameters are set, click OK. Then click Apply in the lower right corner to validate the settings. To establish the VPN connection, click Connect. The system automatically initiates the L2TP over IPSec negotiation. After the connection is established, the current state is displayed as Connected, and a new IP address, allocated by the L2TP, is shown.

Method used to configure the Access interface on USG firewalls
The method used to configure the Access interface on USG firewalls is as follows:
Generally, the Access interface is used to connect to a user host.
sys
[USG] vlan batch 2 //Create a VLAN.
[USG] interface gigabitethernet 0/0/1
[USG-GigabitEthernet0/0/1] port link-type access //Set the interface type to Access.
[USG-GigabitEthernet0/0/1] port default vlan 2 //Add the port to VLAN 2.
[USG-GigabitEthernet0/0/1] quit

Configuration of the security association on the USG firewalls
Configuration of the security association on the USG firewalls is as follows. Create an IPSec SA in IKE negotiation mode.
1. The communication between network A and network B requires an IPSec tunnel, established between USG_A and USG_B, to encrypt and transmit data. The internal network segment of network A is 10.1.1.0/24, and the public IP address of USG_A is 202.38.163.1/24. The internal network segment of network B is 10.1.2.0/24, and the public IP address of USG_B is 202.38.169.1/24.
Network A---USG_A----INTERNET----USG_B---Network B
2. The configuration procedure is as follows:
Configuration of USG_A:
[USG_A] acl 3000 //Configure ACL rules used to match the sensitive traffic.
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure the route.
[USG_A] ipsec proposal tran1 //Configure the IPSec security proposal.
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10 //Configure the IKE security proposal.
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b //Configure the IKE peer.
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp //Configure IPSec security policies.
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policies to the interface.
Configuration of USG_B:
[USG_B] acl 3000 //Configure ACL rules used to match the sensitive traffic.
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure the route.
[USG_B] ipsec proposal tran1 //Configure the IPSec security proposal.
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10 //Configure the IKE security proposal.
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a //Configure the IKE peer.
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp //Configure IPSec security policies.
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policies to the interface.
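The two-ended configuration above is easy to get subtly wrong: the security ACLs must be mirror images of each other, the IPSec and IKE proposals identical, each IKE peer's remote-address the other end's public address, and the pre-shared key the same on both ends, and the policy must reference objects that actually exist. The Python script below is an added example, not from the Huawei page: it builds both command sequences from the page's own values (the indented text layout, the function names and the mismatch messages are ours), parses them, and reports every inconsistency it finds.

```python
import re

RULE_RE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def usg_config(local_net, remote_net, peer_name, remote_pub, psk="abcde"):
    """One tunnel end's command sequence, constructed from the page's example.
    The one-space indentation is ours so the parser can separate a view header
    ("ike peer b") from the sub-commands entered inside that view."""
    return f"""\
acl 3000
 rule permit ip source {local_net} 0.0.0.255 destination {remote_net} 0.0.0.255
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
ike proposal 10
 authentication-method pre-share
 authentication-algorithm sha1
 integrity-algorithm hmac-sha1-96
ike peer {peer_name}
 ike-proposal 10
 remote-address {remote_pub}
 pre-shared-key {psk}
ipsec policy map1 10 isakmp
 security acl 3000
 proposal tran1
 ike-peer {peer_name}
"""


USG_A_CFG = usg_config("10.1.1.0", "10.1.2.0", "b", "202.38.169.1")
USG_B_CFG = usg_config("10.1.2.0", "10.1.1.0", "a", "202.38.163.1")


def parse_blocks(text):
    """Map each view header line to the list of sub-commands indented under it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def body(blocks, prefix):
    """Sub-commands of the first block whose header starts with prefix, or None."""
    return next((sub for head, sub in blocks.items() if head.startswith(prefix)), None)


def value(sub, keyword):
    """Argument that follows keyword inside a block body, or None."""
    return next((ln[len(keyword) + 1:] for ln in sub or [] if ln.startswith(keyword + " ")), None)


def resolve(blocks, side):
    """Follow the ipsec policy's references and report any that do not resolve."""
    pol = body(blocks, "ipsec policy ")
    if pol is None:
        return None, [f"{side}: no ipsec policy configured"]
    acl = body(blocks, f"acl {value(pol, 'security acl')}")
    prop = body(blocks, f"ipsec proposal {value(pol, 'proposal')}")
    peer = body(blocks, f"ike peer {value(pol, 'ike-peer')}")
    ike = body(blocks, f"ike proposal {value(peer, 'ike-proposal')}")
    problems = [f"{side}: ipsec policy references a missing {name}"
                for name, obj in (("acl", acl), ("ipsec proposal", prop),
                                  ("ike peer", peer), ("ike proposal", ike)) if obj is None]
    return (acl, prop, peer, ike), problems


def check_mirror(cfg_a, cfg_b, pub_a, pub_b):
    """List every way the two ends fail to mirror each other (empty list = consistent)."""
    objs_a, problems = resolve(parse_blocks(cfg_a), "USG_A")
    objs_b, more = resolve(parse_blocks(cfg_b), "USG_B")
    problems += more
    if problems:
        return problems
    (acl_a, prop_a, peer_a, ike_a), (acl_b, prop_b, peer_b, ike_b) = objs_a, objs_b
    # 1. Each end's ACL must select exactly the reverse of the other end's traffic.
    rules_a = {m.groups() for m in map(RULE_RE.match, acl_a) if m}
    rules_b = {m.groups() for m in map(RULE_RE.match, acl_b) if m}
    if rules_a != {(d, dw, s, sw) for (s, sw, d, dw) in rules_b}:
        problems.append("security ACLs are not mirror images of each other")
    # 2. IPSec and IKE proposals must agree on every parameter.
    if sorted(prop_a) != sorted(prop_b):
        problems.append("ipsec proposal parameters differ")
    if sorted(ike_a) != sorted(ike_b):
        problems.append("ike proposal parameters differ")
    # 3. Each ike peer's remote-address must be the other end's public address.
    if value(peer_a, "remote-address") != pub_b:
        problems.append("USG_A ike peer remote-address is not USG_B's public address")
    if value(peer_b, "remote-address") != pub_a:
        problems.append("USG_B ike peer remote-address is not USG_A's public address")
    # 4. Both ends must hold the same pre-shared key.
    if value(peer_a, "pre-shared-key") != value(peer_b, "pre-shared-key"):
        problems.append("pre-shared keys differ")
    return problems


if __name__ == "__main__":
    print(check_mirror(USG_A_CFG, USG_B_CFG, "202.38.163.1", "202.38.169.1") or "OK")
```

Run against the page's values the check reports nothing; swap the ACL direction on one end, change one pre-shared key, or point a policy at an undefined IKE peer and the corresponding mismatch is named, which is the same set of things to look at when the tunnel does not come up after the commands above are entered.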

Configuration of the Client-Initialized VPN on the USG2000 and USG5000
The method used to configure the Client-Initialized VPN on the USG2000 and USG5000 is as follows:
In a Client-Initialized VPN, the LAC client directly initiates a tunnel establishment request to the LNS, bypassing the LAC. The LNS allocates an address to the LAC client. The HQ network can connect to the Internet through the LNS. An employee on a business trip can directly initiate a tunnel establishment request to the LNS by means of L2TP dialup. The L2TP client software must be installed on the PC of the employee.
Configure the Client-Initialized VPN using the CLI:
1. Configure the LNS.
a. Create and configure the virtual interface template.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
b. Enable L2TP.
[LNS] l2tp enable
c. Create and configure the L2TP group.
[LNS] l2tp-group 1
d. Configure the local tunnel name on the LNS end and the peer tunnel name to accept.
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password123
Note: If you use the L2TP client software provided by the Windows system to dial up, you must disable the L2TP tunnel authentication function.
e. Define an address pool from which IP addresses are allocated to dial-up users.
[LNS] aaa
[LNS-aaa] ip pool 1 192.168.0.2 192.168.0.100
f. Set the user name and password (consistent with those configured on the PC of the employee on a business trip).
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit
Note: Because the addresses in the IP address pool are not in the same network segment as the intranet addresses, you need to configure a route to network segment 192.168.0.0 on the HQ device, with the next hop address set to 192.168.1.1.
g. Allocate addresses from the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
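The note about the address pool and the HQ return route is a plan-level check that can be automated before the commands are typed. The Python function below is an added example, not from the Huawei page: it validates the virtual-template/pool plan from the LNS configuration above (pool inside the template subnet, gateway address not handed out to a client, no overlap with the intranet) and derives the static route the HQ device needs. The HQ intranet segment 192.168.1.0/24 is an assumption made here, since the page only gives the next hop 192.168.1.1.

```python
import ipaddress

# Values from the LNS example above; the intranet segment is our assumption
# (the page states only that the HQ next hop is 192.168.1.1).
VT_ADDRESS, VT_MASK = "192.168.0.1", "255.255.255.0"
POOL_START, POOL_END = "192.168.0.2", "192.168.0.100"
HQ_INTRANET, HQ_NEXT_HOP = "192.168.1.0/24", "192.168.1.1"


def check_lns_addressing(vt_address, vt_mask, pool_start, pool_end, intranet, hq_next_hop):
    """Validate the virtual-template / ip pool plan and derive the HQ route.

    Returns {"problems": [...], "usable": <pool size>, "hq_route": <command or None>}.
    hq_route is the static route the HQ device needs so that replies reach
    dial-up users (the page's note); it is None when the pool overlaps the
    intranet, because then the plan itself must change first."""
    vt_ip = ipaddress.ip_address(vt_address)
    vt_net = ipaddress.ip_network(f"{vt_address}/{vt_mask}", strict=False)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    intranet_net = ipaddress.ip_network(intranet)
    problems = []
    if start > end:
        problems.append("pool start is above pool end")
    if start not in vt_net or end not in vt_net:
        problems.append("pool is not inside the virtual-template subnet")
    if start <= vt_ip <= end:
        problems.append("virtual-template address would be handed out to a client")
    if vt_net.overlaps(intranet_net):
        problems.append("pool subnet overlaps the intranet segment")
        route = None
    else:
        # Different segments: HQ must route the pool subnet back towards the LNS.
        route = f"ip route-static {vt_net.network_address} {vt_net.netmask} {hq_next_hop}"
    usable = int(end) - int(start) + 1 if start <= end else 0
    return {"problems": problems, "usable": usable, "hq_route": route}


if __name__ == "__main__":
    print(check_lns_addressing(VT_ADDRESS, VT_MASK, POOL_START, POOL_END, HQ_INTRANET, HQ_NEXT_HOP))
```

For the page's values the result has no problems, 99 usable addresses, and the HQ route `ip route-static 192.168.0.0 255.255.255.0 192.168.1.1`, which is exactly what the note asks the HQ device to carry.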
