End-of-Life (EoL)

Site-to-Site VPN with Static Routing

The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address because the firewall automatically uses the tunnel interface as the next hop for routing traffic across the sites. However, to enable tunnel monitoring, a static IP address has been assigned to each tunnel interface.
vpn-site-to-site.png
  1. Configure a Layer 3 interface.
    This interface is used for the IKE phase-1 tunnel.
    1. Select
      Network
      Interfaces
      Ethernet
      and then select the interface you want to configure for VPN.
    2. Select
      Layer3
      from the
      Interface Type
      drop-down.
    3. On the
      Config
      tab, select the
      Security Zone
      to which the interface belongs:
      • The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
      • If you have not yet created the zone, select
        New Zone
        from the
        Security Zone
        drop-down, define a
        Name
        for the new zone and then click
        OK
        .
    4. Select the
      Virtual Router
      to use.
    5. To assign an IP address to the interface, select the
      IPv4
      tab, click
      Add
      in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
    6. To save the interface configuration, click
      OK
      .
      In this example, the configuration for VPN Peer A is:
      • Interface
        —ethernet1/7
      • Security Zone
        —untrust
      • Virtual Router
        —default
      • IPv4
        —192.168.210.26/24
      The configuration for VPN Peer B is:
      • Interface
        —ethernet1/11
      • Security Zone
        —untrust
      • Virtual Router
        —default
      • IPv4
        —192.168.210.120/24
  2. Create a tunnel interface and attach it to a virtual router and security zone.
    1. Select
      Network
      Interfaces
      Tunnel
      and click
      Add
      .
    2. In the
      Interface Name
      field, specify a numeric suffix, such as
      .1
      .
    3. On the
      Config
      tab, expand the
      Security Zone
      drop-down to define the zone as follows:
      • To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
      • (Recommended) To create a separate zone for VPN tunnel termination, click
        New Zone
        . In the Zone dialog, define a
        Name
        for new zone (for example
        vpn-tun
        ), and then click
        OK
        .
    4. Select the
      Virtual Router
      .
    5. (
      Optional
      ) Assign an IP address to the tunnel interface, select the
      IPv4
      or
      IPv6
      tab, click
      Add
      in the IP section, and enter the IP address and network mask to assign to the interface.
      With static routes, the tunnel interface does not require an IP address. For traffic that is destined to a specified subnet/IP address, the tunnel interface will automatically become the next hop. Consider adding an IP address if you want to enable tunnel monitoring.
    6. To save the interface configuration, click
      OK
      .
      In this example, the configuration for VPN Peer A is:
      • Interface
        —tunnel.10
      • Security Zone
        —vpn_tun
      • Virtual Router
        —default
      • IPv4
        —172.19.9.2/24
      The configuration for VPN Peer B is:
      • Interface
        —tunnel.11
      • Security Zone
        —vpn_tun
      • Virtual Router
        —default
      • IPv4
        —192.168.69.2/24
  3. Configure a static route, on the virtual router, to the destination subnet.
    1. Select
      Network
      Virtual Router
      and click the router you defined in the prior step.
    2. Select
      Static Route
      , click
      Add
      , and enter a new route to access the subnet that is at the other end of the tunnel.
      In this example, the configuration for VPN Peer A is:
      • Destination
        —192.168.69.0/24
      • Interface
        —tunnel.10
      The configuration for VPN Peer B is:
      • Destination
        —172.19.9.0/24
      • Interface
        —tunnel.11
  4. Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
    Complete this task on both peers and make sure to set identical values.
    1. Select
      Network
      Network Profiles
      IKE Crypto
      . In this example, we use the default profile.
    2. Select
      Network
      Network Profiles
      IPSec Crypto
      . In this example, we use the default profile.
  5. Set up the IKE Gateway.
    1. Select
      Network
      Network Profiles
      IKE Gateway.
    2. Click
      Add
      and configure the options in the
      General
      tab
      .
      In this example, the configuration for VPN Peer A is:
      • Interface
        —ethernet1/7
      • Local IP address
        —192.168.210.26/24
      • Peer IP type/address
        —static/192.168.210.120
      • Preshared keys
        —enter a value
      • Local identification
        —None; this means that the local IP address will be used as the local identification value.
      The configuration for VPN Peer B is:
      • Interface
        —ethernet1/11
      • Local IP address
        —192.168.210.120/24
      • Peer IP type/address
        —static/192.168.210.26
      • Preshared keys
        —enter same value as on Peer A
      • Local identification
        —None
    3. Select
      Advanced Phase 1 Options
      and select the IKE Crypto profile you created earlier to use for IKE phase 1.
  6. Set up the IPSec Tunnel.
    1. Select
      Network
      IPSec Tunnels
      .
    2. Click
      Add
      and configure the options in the
      General
      tab
      .
      In this example, the configuration for VPN Peer A is:
      • Tunnel Interface
        —tunnel.10
      • Type
        —Auto Key
      • IKE Gateway
        —Select the IKE Gateway defined above.
      • IPSec Crypto Profile
        —Select the IPSec Crypto profile defined in 4.
      The configuration for VPN Peer B is:
      • Tunnel Interface
        —tunnel.11
      • Type
        —Auto Key
      • IKE Gateway
        —Select the IKE Gateway defined above.
      • IPSec Crypto Profile
        —Select the IPSec Crypto defined in 4.
    3. (
      Optional
      ) Select
      Show Advanced Options
      , select
      Tunnel Monitor
      , and specify a Destination IP address to ping for verifying connectivity. Typically, the tunnel interface IP address for the VPN Peer is used.
    4. (
      Optional
      ) To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.
  7. Create policies to allow traffic between the sites (subnets).
    1. Select
      Policies
      Security
      .
    2. Create rules to allow traffic between the untrust and the vpn-tun zone and the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.
  8. Save any pending configuration changes.
    Click
    Commit
    .
  9. Test VPN connectivity.

Recommended For You