•First, verify that the desired Phase 1 and Phase 2 proposals exist
get ike p1-proposal
get ike p2-proposal
•If the desired Phase 1 or Phase 2 proposals do not exist, create them (a Phase 1 proposal needs the authentication method and DH group; the lifetime keyword is "second")
set ike p1-proposal pre-g2-aes256-sha preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal nopfs-esp-aes256-sha no-pfs esp aes256 sha-1 second 3600
•To configure a route-based VPN, follow these steps (the gateway and VPN reference the AES-256 proposals created above; replace p@55w0rd with a long random key; the null route with the higher metric blackholes 10.1.1.0/24 if tunnel.1 goes down instead of letting that traffic leak out the default route)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet1
set ike gateway gw_1.1.1.1 address 1.1.1.1 main outgoing-interface ethernet1 preshare p@55w0rd proposal pre-g2-aes256-sha
set vpn cust1vpn gateway gw_1.1.1.1 proposal nopfs-esp-aes256-sha
set vpn cust1vpn bind interface tunnel.1
set vpn cust1vpn proxy-id local-ip 10.2.1.0/24 remote-ip 10.1.1.0/24 any
set vrouter trust-vr route 10.1.1.0/24 interface tunnel.1
set vrouter trust-vr route 10.1.1.0/24 interface null metric 10
set policy top name HD123456 from trust to untrust 10.2.1.0/24 10.1.1.0/24 FTP permit
set policy top name HD123456 from untrust to trust 10.1.1.0/24 10.2.1.0/24 FTP permit
save
•To configure a policy-based VPN, follow these steps (no tunnel interface or route is needed; the policy action "tunnel vpn" selects the VPN, so only traffic matching these policies is encrypted)
set ike gateway gw_1.1.1.1 address 1.1.1.1 main outgoing-interface ethernet1 preshare p@55w0rd proposal pre-g2-aes256-sha
set vpn cust1vpn gateway gw_1.1.1.1 proposal nopfs-esp-aes256-sha
set policy top name HD123456 from trust to untrust 10.2.1.0/24 10.1.1.0/24 FTP tunnel vpn cust1vpn
set policy top name HD123456 from untrust to trust 10.1.1.0/24 10.2.1.0/24 FTP tunnel vpn cust1vpn
save
•To verify newly created Phase 1 or 2 proposals
get ike p1-proposal pre-g2-aes256-sha
get ike p2-proposal nopfs-esp-aes256-sha
•To verify newly created route-based VPNs (gateway names are case-sensitive, so use the name exactly as created)
get interface tunnel.1
get ike gateway gw_1.1.1.1
get vpn cust1vpn
get route ip 10.1.1.0
get policy id 1
get policy id 2
•To verify newly created policy-based VPNs
get ike gateway gw_1.1.1.1
get vpn cust1vpn
get policy id 1
get policy id 2
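The checks a reviewer applies to the commands above (weak proposal algorithms, no PFS, aggressive mode, short preshared keys, disabled anti-replay, and VPNs that reference a gateway or proposal that was never defined) can be automated. The following Python auditor is an added example written for this page; it is not ScreenOS code or a Juniper tool. It infers the algorithms of predefined proposals from the naming convention used on this page (pre-g2-3des-sha, nopfs-esp-3des-sha, g2-esp-3des-sha), records custom proposals from their "set ike p1-proposal/p2-proposal" lines, and uses a 16-character preshared-key threshold chosen for the example. The sample configuration is constructed from the cheat-sheet lines plus the aggressive-mode gateway and no-replay VPN from the worked example further down (normalised to the "address IP MODE" form), with one deliberately broken VPN appended.

```python
import re
import shlex

# Constructed sample: the cheat-sheet commands from this page plus the aggressive-mode
# gateway and no-replay VPN from the worked example further down, normalised to the
# "set ike gateway NAME address IP MODE ..." form, and one deliberately broken VPN.
SAMPLE_CONFIG = """
set ike p1-proposal pre-g2-aes256-sha preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal nopfs-esp-aes256-sha no-pfs esp aes256 sha-1 second 3600
set ike gateway gw_1.1.1.1 address 1.1.1.1 main outgoing-interface ethernet1 preshare p@55w0rd proposal pre-g2-aes256-sha
set vpn cust1vpn gateway gw_1.1.1.1 proposal nopfs-esp-aes256-sha
set vpn cust1vpn bind interface tunnel.1
set ike gateway "p1-FW2" address 222.111.100.2 aggressive preshare "ourkey123" proposal "pre-g2-3des-sha"
set vpn "p2-FW2" gateway "p1-FW2" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn orphan gateway gw_missing proposal custom-unknown
"""

ENC_ALGS = {"des", "3des", "aes128", "aes192", "aes256", "null"}
MIN_PSK_LEN = 16   # threshold chosen for this example; the page's own floor is 8 characters


def parse_proposal_name(name):
    """Decode a proposal name that follows the ScreenOS naming convention used on this
    page: Phase 1 'pre-g2-3des-sha', Phase 2 'nopfs-esp-3des-sha' or 'g2-esp-aes128-sha'."""
    m = (re.fullmatch(r"(?:pre|rsa|dsa)-(g\d)-(\w+?)-(sha|md5)", name)
         or re.fullmatch(r"(nopfs|g\d)-(?:esp|ah)-(\w+?)-(sha|md5)", name))
    return {"group": m[1], "enc": m[2], "hash": m[3]} if m else None


def parse_proposal_command(args):
    """Decode the arguments after 'set ike p1-proposal NAME' / 'set ike p2-proposal NAME'."""
    group = next((a for a in args if re.fullmatch(r"group\d|no-pfs", a)), "")
    enc = next((a for a in args if a in ENC_ALGS), None)
    hsh = next((a for a in args if a in ("sha-1", "md5")), None)
    return {"group": "nopfs" if group == "no-pfs" else group.replace("group", "g"),
            "enc": enc, "hash": "sha" if hsh == "sha-1" else hsh}


def proposal_findings(label, prop, phase2):
    """Weak-algorithm checks shared by Phase 1 and Phase 2 proposals."""
    out = []
    if prop["enc"] in ("des", "3des"):
        out.append(f"{label}: {prop['enc']} is a 64-bit block cipher; use AES")
    if prop["hash"] == "md5":
        out.append(f"{label}: HMAC-MD5 integrity; use SHA")
    if prop["group"] == "g1":
        out.append(f"{label}: DH group 1 (768-bit MODP) is too small")
    if phase2 and prop["group"] == "nopfs":
        out.append(f"{label}: no PFS, so Phase 2 keys derive only from the Phase 1 secret")
    return out


def audit(config_text):
    """Walk the 'set ike ...' and 'set vpn ...' lines and return a list of findings."""
    proposals, gateways, findings = {}, set(), []
    for line in config_text.strip().splitlines():
        t = shlex.split(line)           # strips the quotes around "p1-FW2" etc.
        if len(t) < 4 or t[0] != "set" or t[1] not in ("ike", "vpn"):
            continue
        if t[1] == "ike" and t[2] in ("p1-proposal", "p2-proposal"):
            proposals[t[3]] = parse_proposal_command(t[4:])
            continue
        if t[1] == "ike" and t[2] == "gateway":
            kind, name, phase2 = "gateway", t[3], False
            gateways.add(name)
            if "aggressive" in t or "aggr" in t:
                findings.append(f"gateway {name}: aggressive mode sends the responder's "
                                "authentication hash in the clear, exposing the PSK to offline "
                                "dictionary attack; use main mode unless the peer address is dynamic")
            if "preshare" in t and len(t[t.index("preshare") + 1]) < MIN_PSK_LEN:
                findings.append(f"gateway {name}: preshared key shorter than {MIN_PSK_LEN} characters")
        elif t[1] == "vpn":
            kind, name, phase2 = "vpn", t[2], True
            if "gateway" in t and t[t.index("gateway") + 1] not in gateways:
                findings.append(f"vpn {name}: references undefined gateway {t[t.index('gateway') + 1]}")
            if "no-replay" in t:
                findings.append(f"vpn {name}: anti-replay protection disabled")
        else:
            continue
        if "proposal" in t:
            pname = t[t.index("proposal") + 1]
            prop = proposals.get(pname) or parse_proposal_name(pname)
            if prop is None:
                findings.append(f"{kind} {name}: proposal {pname} is not defined on this device")
            else:
                findings.extend(proposal_findings(f"{kind} {name} proposal {pname}", prop, phase2))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the text of "get config" from a device, or paste the lines you are about to commit; the order of lines matters, because a VPN is checked against the gateways and custom proposals defined before it, which is also the order ScreenOS needs when the commands are replayed.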
Additional configuration with explanations:
Creating a VPN Tunnel
Before beginning, decide on your VPN settings. This example will use aggressive mode settings for the Phase I proposal, set for 3DES and SHA-1. The preshared key will be set to ourkey123. The Phase II proposal will also use 3DES and SHA-1. (3DES and aggressive mode are kept here because the original example uses them; on current firmware prefer AES and main mode, as in the cheat sheet above.) In Phase I the firewalls set up a secure, encrypted channel for IKE itself by creating a shared symmetric key with the Diffie-Hellman key exchange algorithm; in Phase II they derive the IPsec keys that protect the tunnel traffic, running a fresh Diffie-Hellman exchange if perfect forward secrecy is enabled.
A virtual private network tunnel is not an actual tunnel. It is encrypted traffic that is authorized to pass through the firewall. According to IETF RFCs 2402 and 2406 (since superseded by RFCs 4302 and 4303), IPsec uses two protocols: Encapsulating Security Payload (ESP), IP protocol 50, and Authentication Header (AH), IP protocol 51. These IP protocol numbers, together with UDP port 500 for IKE, are what any upstream filter must allow; AH provides integrity only, which is why the proposals on this page all use ESP. IPsec encryption can be performed with algorithms such as DES, 3DES and AES, while the data is authenticated with keyed hashes such as HMAC-MD5 and HMAC-SHA-1.
On newfirewall_1, create an address book entry for the newfirewall_2 network.
set address untrust "Local LAN FW2" 10.10.2.0 255.255.255.0
Now, enter the tunnel gateway for the Phase I proposal. The Phase I proposal requires a preshared key, which must be identical on both firewalls: IKE feeds it into the HMAC-SHA-1 pseudo-random function that authenticates the two peers. The minimum recommended key length is eight characters, with a maximum of thirty-two. Because aggressive mode sends the responder's authentication hash in the clear, a short or guessable key can be recovered by an offline dictionary attack against a captured exchange, so use a long random key (and main mode, as in the cheat sheet above, whenever the peer has a static address).
set ike gateway "p1-FW2" ip 222.111.100.2 Aggr preshare "ourkey123" proposal "pre-g2-3des-sha"
On newfirewall_1 the Phase II proposal will need to be set; type:
set vpn "p2-FW2" id 1 gateway "p1-FW2" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
If we take a closer look at the VPN command above, a couple of its settings need some explanation. The first is the g2-esp-3des-sha proposal. The g2 component signifies that the tunnel uses perfect forward secrecy with Diffie-Hellman group 2 (a fresh 1024-bit MODP exchange for every Phase II key, so a later compromise of the Phase I secret does not expose earlier tunnel keys), and the latter part specifies ESP with 3DES encryption and SHA-1 authentication. The command also carries no-replay, which disables IPsec anti-replay protection (the sequence-number window that rejects re-injected ESP packets); leave replay protection enabled unless a peer genuinely cannot interoperate with it.
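The two Diffie-Hellman roles described above (the Phase I exchange that, with the preshared key, seeds the IKE keys, and the optional Phase II exchange that "g2" adds for perfect forward secrecy) can be seen in a few lines of Python. The following is an added example written for this page, not ScreenOS code or the firewall's own implementation: it follows the RFC 2409 formulas for SKEYID, SKEYID_d and KEYMAT with HMAC-SHA-1 as the prf (the SHA-1 proposals used on this page) and the 1024-bit MODP prime of DH group 2. The simulate() function, its random nonces and cookies, and the "attacker" model (someone who later learns SKEYID_d but never saw the private exponents) are constructs of the example; real IKE also derives SKEYID_a and SKEYID_e and packs several KEYMAT blocks, which is omitted here.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime with generator 2. This is the
# "g2" in pre-g2-3des-sha / g2-esp-3des-sha. Transcribed here; check it against the
# RFC before using it anywhere but this example.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair(p=P_GROUP2, g=G):
    """Private exponent in [1, p-2] and the public value g^x mod p sent to the peer."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(x, peer_public, p=P_GROUP2):
    """g^xy mod p as a fixed-width big-endian byte string (the form prf() consumes)."""
    return pow(peer_public, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key, data):
    """IKEv1 prf for the SHA-1 proposals on this page: HMAC-SHA-1 (RFC 2409 section 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5.4, preshared-key authentication:
    SKEYID = prf(PSK, Ni_b | Nr_b); SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    return skeyid, skeyid_d


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, gxy_qm=b""):
    """RFC 2409 section 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    gxy_qm is empty for a 'nopfs-' proposal and a fresh DH secret for a 'g2-' one."""
    return prf(skeyid_d, gxy_qm + protocol + spi + ni2 + nr2)


def simulate(psk, pfs):
    """Run both peers' Phase 1 and Phase 2 derivations (example model, not real IKE
    message handling). Returns (initiator KEYMAT, responder KEYMAT, KEYMAT recomputed by
    an attacker who later obtained SKEYID_d and saw everything on the wire)."""
    ni, nr, cky_i, cky_r = (secrets.token_bytes(16) for _ in range(4))
    # Phase 1: one DH exchange; the PSK authenticates it through SKEYID.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy_i, gxy_r = dh_shared(xi, gxr), dh_shared(xr, gxi)
    _, skd_i = phase1_keys(psk, ni, nr, gxy_i, cky_i, cky_r)
    _, skd_r = phase1_keys(psk, ni, nr, gxy_r, cky_i, cky_r)
    # Phase 2 (quick mode): nonces and the SPI travel on the wire. The protocol byte is
    # the IPsec DOI identifier for ESP (3), not the IP protocol number 50.
    ni2, nr2, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    proto = b"\x03"
    qm_i = qm_r = b""
    if pfs:                             # "g2-..." proposal: fresh DH exchange per Phase 2
        yi, gyi = dh_keypair()
        yr, gyr = dh_keypair()
        qm_i, qm_r = dh_shared(yi, gyr), dh_shared(yr, gyi)
    km_i = phase2_keymat(skd_i, proto, spi, ni2, nr2, qm_i)
    km_r = phase2_keymat(skd_r, proto, spi, ni2, nr2, qm_r)
    # The attacker holds SKEYID_d, the nonces, the SPI and the DH public values, but not
    # yi or yr, so the fresh g(qm)^xy is out of reach: only the non-PFS KEYMAT falls.
    attacker = phase2_keymat(skd_i, proto, spi, ni2, nr2, b"")
    return km_i, km_r, attacker
```

With pfs=False the attacker's value equals the peers' KEYMAT, which is what "nopfs-" buys you; with pfs=True the peers still agree but the attacker does not, at the cost of one modular exponentiation per Phase II rekey.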
After the Phase I & II proposals are set, the inbound and outbound policies will need to
be established.
set policy incoming "Local LAN FW2" "Local LAN" "ANY" Tunnel vpn "p2-FW2" log
set policy outgoing "Local LAN" "Local LAN FW2" "ANY" Tunnel vpn "p2-FW2" log