
Site to Site VPN using GUI

Item    Data
USG_A   (1) Interface number: GigabitEthernet 0/0/1
            IP address: 10.1.1.1/24
            Zone: Trust
        (2) Interface number: GigabitEthernet 0/0/2
            IP address: 200.1.1.1/24
            Zone: Untrust
        IPSec configuration
            IKE version: V1 and V2
            IKE negotiation mode: main mode
            Local ID type of IKE: IP
            IKE pre-shared key: abcde
            IKE peer address: fixed IP address, 200.10.1.1
            IPSec encapsulation mode: Tunnel mode
            IPSec security protocol: ESP
USG_B   (3) Interface number: GigabitEthernet 0/0/2
            IP address: 200.10.1.1/24
            Zone: Untrust
        (4) Interface number: GigabitEthernet 0/0/1
            IP address: 192.168.1.1/24
            Zone: Trust
        IPSec configuration
            IKE version: V1 and V2
            IKE negotiation mode: main mode
            Local ID type of IKE: IP
            IKE pre-shared key: abcde
            IKE peer address: fixed IP address, 200.1.1.1
            IPSec encapsulation mode: Tunnel mode
            IPSec security protocol: ESP

Configure USG_A.

Step#1
Configure the basic parameters of the interfaces.
a. Choose Network > Interface > Interface.
b. In Interface List, click the modify icon of GE0/0/1.
c. On the Modify GigabitEthernet Interface page, configure the following parameters:
   Zone: trust
   IP Address: 10.1.1.1
   Subnet Mask: 255.255.255.0
   Other parameters are set to the default values.
d. Click Apply.
e. In Interface List, click the modify icon of GE0/0/2.
f. On the Modify GigabitEthernet Interface page, configure the following parameters:
   Zone: untrust
   IP Address: 200.1.1.1
   Subnet Mask: 255.255.255.0
   Other parameters are set to the default values.
g. Click Apply.

Step#2
For the USG, configure interzone packet filtering to ensure normal network communication. For the USG BSR/HSR, this
operation is not required.
a. Configure the security policy between the Local zone and the Untrust zone.
   1. Choose Firewall > Security Policy > Local Policy.
   2. In Local Policy, click Add to configure the following parameters:
      Source Zone: untrust
      Source Address: 200.10.1.0/24
      Action: permit
   3. Click Apply.
b. Configure the security policy between the Trust zone and the Untrust zone.
   1. Choose Firewall > Security Policy > Forward Policy.
   2. In Forward Policy List, click Add to configure the following parameters:
      Source Zone: trust
      Destination Zone: untrust
      Source Address: 10.1.1.0/24
      Destination Address: 192.168.1.0/24
      Action: permit
   3. Click Apply.
   4. Choose Firewall > Security Policy > Forward Policy.
   5. In Forward Policy List, click Add to configure the following parameters:
      Source Zone: untrust
      Destination Zone: trust
      Source Address: 192.168.1.0/24
      Destination Address: 10.1.1.0/24
      Action: permit
   6. Click Apply.

Step#3
Configure a static route from USG_A to network B, with the next-hop IP address of 200.1.1.2.
a. Choose Route > Static > Static Route.
b. In Static Route List, click Add.
c. On the Add Static Route page, configure the following parameters:
   Destination Address: 192.168.1.0
   Mask: 255.255.255.0
   Next Hop: 200.1.1.2
   Other parameters are set to the default values.
d. Click Apply.

Step#4
Configure IKE phase 1 and IKE phase 2.
a. Choose VPN > IPSec > IKE Negotiation.
b. Click Phase 1.
c. Set IKE phase 1 parameters on the Add Phase 1 page, as shown in Figure 10-12. Among the parameters, Pre-Shared
   Key is set to abcde.
   Figure 10-12 Configuring IKE phase 1 of USG_A
d. Click Apply.
e. Click the icon of ike_a to create IKE phase 2.
f. Configure IKE phase 2 parameters on the Add Phase 2 page, as shown in Figure 10-13.
   Figure 10-13 Configuring IKE phase 2 of USG_A
g. Click Apply.

Step#5
Apply the IPSec policy.
a. Choose VPN > IPSec > IPSec Policy.
b. Click Add.
c. On the Add IPSec Policy page, configure the data flows to be protected by the IPSec tunnel, as shown in Figure 10-14.
   Figure 10-14 Configuring on USG_A the data flows to be protected
d. Click Apply.

Step#6
Bind the IPSec policy to interfaces.
a. Choose VPN > IPSec > IPSec Policy.
b. Click Applied to interface: - NONE - of policy1.
c. Select GE0/0/2 from the drop-down list.
d. Click Apply.

Configure USG_B.

Step#1
Configure the basic parameters of the interfaces.
a. Choose Network > Interface > Interface.
b. In Interface List, click the modify icon of GE0/0/1.
c. On the Modify GigabitEthernet Interface page, configure the following parameters:
   Zone: trust
   IP Address: 192.168.1.1
   Subnet Mask: 255.255.255.0
   Other parameters are set to the default values.
d. Click Apply.
e. In Interface List, click the modify icon of GE0/0/2.
f. On the Modify GigabitEthernet Interface page, configure the following parameters:
   Zone: untrust
   IP Address: 200.10.1.1
   Subnet Mask: 255.255.255.0
   Other parameters are set to the default values.
g. Click Apply.

Step#2
For the USG, configure interzone packet filtering to ensure normal network communication. For the USG BSR/HSR,
this operation is not required.
a. Configure the security policy between the Local zone and the Untrust zone.
   1. Choose Firewall > Security Policy > Local Policy.
   2. In Local Policy, click Add to configure the following parameters:
      Source Zone: untrust
      Source Address: 200.1.1.0/24
      Action: permit
   3. Click Apply.
b. Configure the security policy between the Trust zone and the Untrust zone.
   1. Choose Firewall > Security Policy > Forward Policy.
   2. In Forward Policy List, click Add to configure the following parameters:
      Source Zone: trust
      Destination Zone: untrust
      Source Address: 192.168.1.0/24
      Destination Address: 10.1.1.0/24
      Action: permit
   3. Click Apply.
   4. Choose Firewall > Security Policy > Forward Policy.
   5. In Forward Policy List, click Add to configure the following parameters:
      Source Zone: untrust
      Destination Zone: trust
      Source Address: 10.1.1.0/24
      Destination Address: 192.168.1.0/24
      Action: permit
   6. Click Apply.

Step#3
Configure a static route from USG_B to network A, with the next-hop IP address of 200.10.1.2.
a. Choose Route > Static > Static Route.
b. In Static Route List, click Add.
c. On the Add Static Route page, configure the following parameters:
   Destination Address: 10.1.1.0
   Mask: 255.255.255.0
   Next Hop: 200.10.1.2
   Other parameters are set to the default values.
d. Click Apply.

Step#4
Configure IKE phase 1 and IKE phase 2.
a. Choose VPN > IPSec > IKE Negotiation.
b. Click Phase 1.
c. Configure IKE phase 1 parameters on the Add Phase 1 page, as shown in Figure 10-15. Among the parameters,
   Pre-Shared Key is set to abcde.
   Figure 10-15 Configuring IKE phase 1 of USG_B
d. Click Apply.
e. Click the icon of ike_b to create IKE phase 2.
f. Configure IKE phase 2 parameters on the Add Phase 2 page, as shown in Figure 10-16.
   Figure 10-16 Configuring IKE phase 2 of USG_B
g. Click Apply.

Step#5
Apply the IPSec policy.
a. Choose VPN > IPSec > IPSec Policy.
b. Click Add.
c. On the Add IPSec Policy page, configure the data flows to be protected by the IPSec tunnel, as shown in
   Figure 10-17.
   Figure 10-17 Configuring on USG_B the data flows to be protected
d. Click Apply.

Step#6
Bind the IPSec policy to interfaces.
a. Choose VPN > IPSec > IPSec Policy.
b. Click Applied to interface: - NONE - of policy1.
c. Select GE0/0/2 from the drop-down list.
d. Click Apply.

Configuration Verification

1. After the configuration is complete, ping an IP address of network B from network A. The IP address can be pinged
   through successfully.
2. Check the establishment of a security association (SA) on USG_A and USG_B. For example, on USG_A, if the following
   information is displayed, an IPSec tunnel is established successfully.
   a. Choose VPN > IPSec > Monitor.
   b. In IPSec Traffic Statistics, click Refresh to view traffic statistics of all IPSec tunnels, as shown in Figure 10-18.
      Figure 10-18 Viewing IPSec traffic statistics on USG_A
   c. In SA Monitoring, select IKE SA List and click Refresh to view information about the established IKE SA, as shown
      in Figure 10-19.
      Figure 10-19 Viewing information about IKE SA on USG_A
   d. In SA Monitoring, select IPSec SA List and click Refresh to view information about the established IPSec SA, as
      shown in Figure 10-20.
      Figure 10-20 Viewing information about IPSec SA on USG_A

Site to Site VPN Using CLI

Item    Data
USG_A   (1) Interface: GigabitEthernet 0/0/1
            IP address: 10.1.1.1/24
        (2) Interface: GigabitEthernet 0/0/2
            IP address: 202.38.163.1/24
        IPSec configuration
            Encapsulation mode: tunnel mode
            Security protocol: ESP
            ESP authentication algorithm: SHA1
            ESP encryption algorithm: AES
            IKE negotiation mode: main mode
            IKE pre-shared key: abcde
            IKE authentication type: IP
            IKE peer address: 202.38.169.1
            IKE version: IKEv2
USG_B   (3) Interface: GigabitEthernet 0/0/2
            IP address: 202.38.169.1/24
        (4) Interface: GigabitEthernet 0/0/1
            IP address: 10.1.2.1/24
        IPSec configuration
            Encapsulation mode: tunnel mode
            Security protocol: ESP
            ESP authentication algorithm: SHA1
            ESP encryption algorithm: AES
            IKE negotiation mode: main mode
            IKE pre-shared key: abcde
            IKE authentication type: IP
            IKE peer address: 202.38.163.1
            IKE version: IKEv2

Step#1
For the USG, add interfaces to corresponding security zones and configure interzone packet filtering to ensure normal network
communication. Details are omitted. For the USG BSR/HSR, these operations are not required.

Step#2
Set the IP addresses of interfaces as shown in Figure 10-5 and the table that follows. Details are omitted.

Step#3
Create an advanced ACL on USG_A and USG_B to define the data flow to be protected.
# Create an ACL on USG_A to permit the traffic from 10.1.1.0/24 to 10.1.2.0/24.
[USG_A] acl 3000
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
# Create an ACL on USG_B to permit the traffic from 10.1.2.0/24 to 10.1.1.0/24.
[USG_B] acl 3000
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit

Step#4
Create a static route on USG_A and USG_B.
# Create on USG_A a static route to network B, and set the next hop to 202.38.163.2.
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2
# Create on USG_B a static route to network A, and set the next hop to 202.38.169.2.
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2

Step#5
Configure an IPSec proposal on USG_A and USG_B.
# Configure an IPSec proposal on USG_A.
[USG_A] ipsec proposal tran1
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
# By default, the encapsulation mode is tunnel mode. If you use the default mode, skip the command for configuring the encapsulation mode.
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
# By default, the security protocol is ESP, the ESP authentication algorithm is SHA1, and the ESP encryption algorithm is AES. If you use the default settings, skip the commands for configuring the security protocol, authentication algorithm, and encryption algorithm.
# Configure an IPSec proposal on USG_B.
[USG_B] ipsec proposal tran1
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
# By default, the encapsulation mode is tunnel mode. If you use the default mode, skip the command for configuring the encapsulation mode.
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
# By default, the security protocol is ESP, the ESP authentication algorithm is SHA1, and the ESP encryption algorithm is AES. If you use the default settings, skip the commands for configuring the security protocol, authentication algorithm, and encryption algorithm.

Step#6
Configure an IKE proposal on USG_A and USG_B.
# Configure an IKE proposal on USG_A.
[USG_A] ike proposal 10
[USG_A-ike-proposal-10] authentication-method pre-share
# The default IKE authentication method is pre-shared key authentication. If you choose to use the default IKE authentication method, skip the command for specifying the authentication method.
[USG_A-ike-proposal-10] authentication-algorithm sha1
# The default IKE authentication algorithm is SHA1. If you choose to use the default authentication algorithm, skip the command for specifying the authentication algorithm.
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
# The default IKE integrity algorithm is HMAC-SHA1-96. If you choose to use the default integrity algorithm, skip the command for specifying the integrity algorithm.
[USG_A-ike-proposal-10] quit
# Configure an IKE proposal on USG_B.
[USG_B] ike proposal 10
[USG_B-ike-proposal-10] authentication-method pre-share
# The default IKE authentication method is pre-shared key authentication. If you choose to use the default IKE authentication method, skip the command for specifying the authentication method.
[USG_B-ike-proposal-10] authentication-algorithm sha1
# The default IKE authentication algorithm is SHA1. If you choose to use the default authentication algorithm, skip the command for specifying the authentication algorithm.
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
# The default IKE integrity algorithm is HMAC-SHA1-96. If you choose to use the default integrity algorithm, skip the command for specifying the integrity algorithm.
[USG_B-ike-proposal-10] quit

Step#7
Configure the IKE peer.
By default, IKE peers use IKEv2.
# Configure the IKE peer on USG_A.
[USG_A] ike peer b
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
# Configure the IKE peer on USG_B.
[USG_B] ike peer a
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit

Step#8
Create an IPSec policy on USG_A and USG_B.
# Create an IPSec policy on USG_A.
[USG_A] ipsec policy map1 10 isakmp
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
# Create an IPSec policy on USG_B.
[USG_B] ipsec policy map1 10 isakmp
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit

Step#9
Apply the IPSec policies.
# On USG_A, apply the IPSec policy on interface (2).
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1
# On USG_B, apply the IPSec policy on interface (3).
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1
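Steps 3 to 9 above (and the GUI procedure for USG_A and USG_B earlier on this page) configure two devices that must mirror each other exactly: each side's IKE peer address is the other side's outside interface, the ACLs select the same flows in opposite directions, the pre-shared keys are identical, and each static route points at a next hop on the local outside subnet. Any one of these being wrong leaves the tunnel down with little indication of which side is at fault. The following Python script is an added example, not part of this guide and not Huawei code: it models both ends of the CLI scenario from a single description, reports the mismatches that would stop the tunnel, and renders the same VRP commands the steps above list for each side, so the two configurations are generated from one source of truth instead of typed twice. The Site class, check_pair, render_cli and psk_warnings are this example's own names, the addresses are the ones from the CLI table, and the minimum key length in psk_warnings is this example's own threshold rather than a device setting.

```python
# Added example (not from the guide): model both ends of the site-to-site
# tunnel, check that they mirror each other, and render the VRP commands.
# Site, check_pair, render_cli and psk_warnings are this example's own names.
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass
class Site:
    name: str            # hostname shown in the CLI prompt, e.g. USG_A
    inside: str          # inside interface address, e.g. "10.1.1.1/24"
    outside: str         # Untrust interface address, e.g. "202.38.163.1/24"
    outside_if: str      # interface the IPSec policy is bound to
    next_hop: str        # next hop of the static route towards the peer site
    peer_name: str       # name given to the ike peer object
    peer_address: str    # remote-address of the ike peer
    psk: str             # pre-shared key
    ike_proposal: int = 10
    ipsec_proposal: str = "tran1"
    acl: int = 3000
    policy: str = "map1"
    seq: int = 10


def inside_net(site: Site):
    return ip_interface(site.inside).network


def check_pair(a: Site, b: Site) -> list[str]:
    """Return the mismatches that would keep the tunnel from coming up."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        # The ike peer's remote-address must be the other side's outside address.
        if ip_address(local.peer_address) != ip_interface(remote.outside).ip:
            problems.append(f"{local.name}: peer address {local.peer_address} "
                            f"is not {remote.name}'s outside address")
        # The static route's next hop must be reachable on the outside subnet.
        outside_net = ip_interface(local.outside).network
        if ip_address(local.next_hop) not in outside_net:
            problems.append(f"{local.name}: next hop {local.next_hop} is not "
                            f"on the outside subnet {outside_net}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if inside_net(a).overlaps(inside_net(b)):
        problems.append("inside networks overlap; the ACLs cannot select the flows")
    return problems


def psk_warnings(site: Site, min_len: int = 16) -> list[str]:
    """This example's own policy check: the guide's 'abcde' is an example
    value; a production key should be long and random."""
    if len(site.psk) < min_len:
        return [f"{site.name}: pre-shared key shorter than {min_len} characters"]
    return []


def render_cli(local: Site, remote: Site) -> list[str]:
    """Commands for `local`, following the guide's steps 3 to 9. The ACL is
    derived from both inside networks so the two sides always mirror."""
    src, dst = inside_net(local), inside_net(remote)
    return [
        f"acl {local.acl}",
        f"rule permit ip source {src.network_address} {src.hostmask} "
        f"destination {dst.network_address} {dst.hostmask}",
        "quit",
        f"ip route-static {dst.network_address} {dst.netmask} {local.next_hop}",
        f"ipsec proposal {local.ipsec_proposal}",
        "encapsulation-mode tunnel",
        "transform esp",
        "esp authentication-algorithm sha1",
        "esp encryption-algorithm aes",
        "quit",
        f"ike proposal {local.ike_proposal}",
        "authentication-method pre-share",
        "authentication-algorithm sha1",
        "integrity-algorithm hmac-sha1-96",
        "quit",
        f"ike peer {local.peer_name}",
        f"ike-proposal {local.ike_proposal}",
        f"remote-address {local.peer_address}",
        f"pre-shared-key {local.psk}",
        "quit",
        f"ipsec policy {local.policy} {local.seq} isakmp",
        f"security acl {local.acl}",
        f"proposal {local.ipsec_proposal}",
        f"ike-peer {local.peer_name}",
        "quit",
        f"interface {local.outside_if}",
        f"ipsec policy {local.policy}",
    ]


# Constructed from the guide's table for the CLI scenario.
USG_A = Site("USG_A", "10.1.1.1/24", "202.38.163.1/24", "GigabitEthernet 0/0/2",
             "202.38.163.2", "b", "202.38.169.1", "abcde")
USG_B = Site("USG_B", "10.1.2.1/24", "202.38.169.1/24", "GigabitEthernet 0/0/2",
             "202.38.169.2", "a", "202.38.163.1", "abcde")

if __name__ == "__main__":
    for msg in check_pair(USG_A, USG_B) + psk_warnings(USG_A) + psk_warnings(USG_B):
        print("WARNING:", msg)
    for site, peer in ((USG_A, USG_B), (USG_B, USG_A)):
        print(f"# --- {site.name} ---")
        print("\n".join(render_cli(site, peer)))
```

Run as-is it prints the commands for both devices and, because the guide's key is five characters, two key-length warnings; run check_pair on a deliberately broken pair (wrong key on one side, next hop outside the Untrust subnet) and it names the side and the field, which is the information the GUI's SA monitor or `display ike sa` will not give you when negotiation simply never completes.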

Configuration Verification
If the configurations are correct, network A can ping network B, and after you run the display ike sa and display ipsec sa
commands on USG_A and USG_B, the output indicates that the data is encrypted. Take USG_B as an example. If the following
information is displayed, the IKE SA and IPSec SA are successfully established.
