Whether SSL VPN of the USG6000 can use the virtual IP address of a VRRP group as the gateway

SSL VPN supports using the virtual IP address of the VRRP group as the gateway.

Other related questions:
Configuring virtual IP addresses of VRRP groups on the USG6000
sys //Access the system view.
[USG6600-1] int g1/0/9 //Access the Layer 3 interface.
[USG6600-1-GigabitEthernet1/0/9] ip add 1.1.1.1 24 //Configure the interface IP address.
[USG6600-1-GigabitEthernet1/0/9] vrrp vrid 1 virtual-ip 1.1.1.254 active //Configure the virtual IP address of the VRRP group (1.1.1.254 is the virtual IP address of the VRRP group).

Number of virtual IP addresses of VRRP groups that can be configured on the USG6000
Example for configuring VRRP load balancing (configuring multiple virtual IP addresses)

Requirements:
USG_A serves as the Master of VRRP group 1 and the Backup of VRRP group 2. USG_B serves as the Master of VRRP group 2 and the Backup of VRRP group 1. On the internal network, HostA uses VRRP group 1 as the gateway, and HostC uses VRRP group 2 as the gateway. This helps implement load balancing and mutual backup.

Configuration roadmap
1. Create two VRRP groups at GigabitEthernet 0/0/2 of USG_A. USG_A serves as the Master of VRRP group 1 and the Backup of VRRP group 2.
2. Create two VRRP groups at GigabitEthernet 0/0/2 of USG_B. USG_B serves as the Backup of VRRP group 1 and the Master of VRRP group 2.

Operation steps
1. Configure VRRP.

# Configure GigabitEthernet0/0/2 on USG_A, create VRRP group 1, and set the priority of USG_A in VRRP group 1 to 105 (as the Master). Create VRRP group 2 and set the priority of USG_A in VRRP group 2 to the default value 100 (as the Backup).
system-view
[USG_A] vrrp mode
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ip address 10.1.1.1 24
[USG_A-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.1.1.111
[USG_A-GigabitEthernet0/0/2] vrrp vrid 1 priority 105
[USG_A-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 10.1.1.112

# Configure GigabitEthernet0/0/2 on USG_B, create VRRP group 1, and set the priority of USG_B in VRRP group 1 to the default value 100 (as the Backup). Create VRRP group 2 and set the priority of USG_B in VRRP group 2 to 105 (as the Master).
system-view
[USG_B] vrrp mode
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ip address 10.1.1.2 24
[USG_B-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.1.1.111
[USG_B-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 10.1.1.112
[USG_B-GigabitEthernet0/0/2] vrrp vrid 2 priority 105
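
An added example (not from the original page or from Huawei): a Python consistency check for the two-device load-balancing configuration above. It parses the interface commands, confirms that each VRRP group carries the same virtual IP address on both devices and that the address lies in the interface subnet, and reports which device is Master by priority. The function names are illustrative, and the input strings are the page's commands with the prompts removed.

```python
import ipaddress
import re

DEFAULT_PRIORITY = 100  # default VRRP priority, as stated on the page
# Constructed input: the interface commands from the example above, prompts removed.
USG_A = """ip address 10.1.1.1 24
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 105
vrrp vrid 2 virtual-ip 10.1.1.112"""
USG_B = """ip address 10.1.1.2 24
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 2 virtual-ip 10.1.1.112
vrrp vrid 2 priority 105"""

def parse(text):
    """Return (interface network, {vrid: {"vip": address, "priority": int}})."""
    net, groups = None, {}
    for line in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())  # drop a "[USG_A-...]" prompt
        if m := re.match(r"ip address (\S+) (\d+)$", line):
            net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)", line):
            group = groups.setdefault(int(m[1]), {"priority": DEFAULT_PRIORITY})
            group["vip"] = ipaddress.ip_address(m[2])
        elif m := re.match(r"vrrp vrid (\d+) priority (\d+)$", line):
            groups.setdefault(int(m[1]), {})["priority"] = int(m[2])
    return net, groups

def check_pair(configs):
    """configs maps device name to its commands. Return ({vrid: Master}, [problems])."""
    parsed = {dev: parse(text) for dev, text in configs.items()}
    masters, problems = {}, []
    for vrid in sorted({v for _, groups in parsed.values() for v in groups}):
        members = {d: g[vrid] for d, (_, g) in parsed.items() if vrid in g}
        if len(members) < len(parsed):
            problems.append(f"vrid {vrid}: missing on at least one device")
        if len({m.get("vip") for m in members.values()}) != 1:
            problems.append(f"vrid {vrid}: virtual IP differs between devices")
        for dev, m in members.items():
            net, vip = parsed[dev][0], m.get("vip")
            if net is None or vip is None or vip not in net:
                problems.append(f"vrid {vrid}: virtual IP not in {dev} interface subnet")
        top = max(m["priority"] for m in members.values())
        winners = [d for d, m in members.items() if m["priority"] == top]
        if len(winners) == 1:
            masters[vrid] = winners[0]
        else:
            problems.append(f"vrid {vrid}: equal priorities, no Master by priority")
    return masters, problems
```

For the page's configuration, check_pair({"USG_A": USG_A, "USG_B": USG_B}) reports USG_A as Master of group 1 and USG_B as Master of group 2 with no problems.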

SSL VPN virtual gateway on the USG
Configure SSL parameters. Configure the SSL version supported by the USG, encryption suite, session timeout duration, and life cycle. You can retain the default values.

Procedure:
system-view
v-gateway v-gateway-name //Access the virtual gateway view.
basic //Access the basic virtual gateway view.
ssl version { sslv30+tlsv10 | tlsv10 } //Configure the SSL version supported by the USG. By default, the USG supports SSL 3.0 and TLS 1.0.
ssl ciphersuit { allciphersuit | custom { aes256-sha | non-aes256-sha } { des-cbc3-sha | non-des-cbc3-sha } { rc4-sha | non-rc4-sha } { rc4-md5 | non-rc4-md5 } { aes128-sha | non-aes128-sha } { des-cbc-sha | non-des-cbc-sha } } //Configure the SSL encryption suite.
ssl timeout time //Configure the SSL session timeout duration.
ssl lifecycle { time | no-time-limit } //Configure the SSL life cycle.
ssl session-reuse enable //Enable the SSL session reuse function.

Follow-up processing:
display ssl //View SSL configuration.
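
An added example (not Huawei's code and not part of the original page): a Python check that reads the ssl version and ssl ciphersuit lines in the syntax shown above and reports deprecated choices. The reasons come from IETF RFCs 7465, 7568 and 8996 rather than from the page; the sample configurations are constructed, and treating allciphersuit as enabling all six listed suites is an assumption.

```python
import re

# The six suites in the order the page's "ssl ciphersuit custom" syntax lists them.
SUITES = ["aes256-sha", "des-cbc3-sha", "rc4-sha", "rc4-md5", "aes128-sha", "des-cbc-sha"]
# Reasons come from IETF RFCs and public cryptanalysis, not from the page.
WEAK_SUITES = {
    "des-cbc3-sha": "3DES has a 64-bit block (Sweet32)",
    "rc4-sha": "RC4 is prohibited in TLS (RFC 7465)",
    "rc4-md5": "RC4 is prohibited in TLS (RFC 7465)",
    "des-cbc-sha": "single DES has a 56-bit key",
}
WEAK_VERSIONS = {
    "sslv30+tlsv10": "SSL 3.0 (RFC 7568) and TLS 1.0 (RFC 8996) are deprecated",
    "tlsv10": "TLS 1.0 is deprecated (RFC 8996)",
}
# Constructed sample configurations (not taken from a real device).
WEAK_SAMPLE = """\
ssl version sslv30+tlsv10 //both protocol versions accepted
ssl ciphersuit custom aes256-sha non-des-cbc3-sha rc4-sha non-rc4-md5 aes128-sha non-des-cbc-sha
ssl timeout 5
"""
TIGHTER_SAMPLE = """\
ssl version tlsv10
ssl ciphersuit custom aes256-sha non-des-cbc3-sha non-rc4-sha non-rc4-md5 aes128-sha non-des-cbc-sha
"""

def audit(config_text):
    """Return (setting, value, reason) findings for a virtual gateway's SSL lines."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("//")[0].strip()  # drop //comments as written on the page
        m = re.match(r"ssl version (\S+)$", line)
        if m and m.group(1) in WEAK_VERSIONS:
            findings.append(("ssl version", m.group(1), WEAK_VERSIONS[m.group(1)]))
        m = re.match(r"ssl ciphersuit (allciphersuit|custom)\b(.*)$", line)
        if m:
            if m.group(1) == "allciphersuit":
                enabled = SUITES  # assumption: enables every listed suite
            else:  # "non-<suite>" tokens disable a suite, bare names enable it
                enabled = [t for t in m.group(2).split() if not t.startswith("non-")]
            for suite in enabled:
                if suite in WEAK_SUITES:
                    findings.append(("ssl ciphersuit", suite, WEAK_SUITES[suite]))
    return findings
```

The command syntax listed on this page offers nothing newer than TLS 1.0, so the version finding remains for the tighter sample; only the cipher findings can be cleared with the custom list.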

Configuring an SSL VPN virtual gateway on the firewall
Configuring virtual gateways on the USG

1. system-view
2. v-gateway v-gateway-name { ip-address | interface interface-type interface-number } [ port port-number ] { private [ domain-name ] | public domain-name } //Create a virtual gateway. A private gateway is in exclusive mode, and a public gateway is in shared mode.
3. quit
4. v-gateway v-gateway-name ip address ip-address [ port port-number ] //Assign an IP address and a port number to the virtual gateway.

   Exclusive virtual gateway:
   v-gateway v-gateway-name ip address ip-address [ port port-number ] command: If the entered IP address is the existing IP address of the virtual gateway, this command changes the virtual gateway port number. If the entered IP address is not the IP address of the virtual gateway, this command adds the virtual gateway IP address.
   The undo v-gateway v-gateway-name ip address ip-address command deletes the IP address of the virtual gateway.
   The v-gateway v-gateway-name ip address old-ip-address new-ip-address [ port port-number ] command changes the IP address of the virtual gateway.

   Shared virtual gateway:
   v-gateway v-gateway-name ip address ip-address [ port port-number ] command: If the entered IP address is the existing IP address of the virtual gateway, this command changes the virtual gateway port number. If the entered IP address is not the IP address of the virtual gateway, this command changes the virtual gateway IP address.
   You cannot run the undo v-gateway ip address command to delete the IP address of the virtual gateway.
   The v-gateway v-gateway-name ip address old-ip-address new-ip-address [ port port-number ] command changes the IP address of the virtual gateway.

   If a port bound to the IP address of the virtual gateway is used for other purposes (such as web management or SSH login), the port cannot be configured as the port of the virtual gateway.
5. v-gateway v-gateway-name interface interface-type interface-number [ port port-number ] //Modify the virtual gateway interface.
6. v-gateway v-gateway-name domain domain-name //Modify the virtual gateway domain name.
7. v-gateway v-gateway-name http-redirect enable //Configure the HTTP redirection function of the virtual gateway.
8. v-gateway v-gateway-name max-user max-user //Modify the maximum number of virtual gateway users. Its default value is 1.
9. v-gateway v-gateway-name cur-max-user cur-max-user //Modify the maximum number of concurrent users of the virtual gateway.
10. v-gateway v-gateway-name max-resource max-resource //Modify the maximum number of resources on the virtual gateway. Its default value is 1.

Can the virtual IP address of a VRRP group be added to the NAT address pool
Yes. If the virtual IP address of the VRRP group is the only public IP address for the intranet, you can add the virtual IP address to the NAT address pool.
