USG FLEX H Series [Firewall] - IPSec Site-to-Site VPN one Site is behind a NAT

This example demonstrates how to use the VPN Setup Wizard to establish an IPSec Site-to-Site VPN tunnel between USG FLEX H devices. It provides instructions on configuring the VPN tunnel for each site, even when one site is behind a NAT router. Once the IPSec Site-to-Site VPN tunnel is set up, both sites can be accessed securely.

Disclaimer!

This article offers a general overview of the series and may not apply uniformly to every model. Before purchasing or using the device, please consult the model-specific documentation or reach out to technical support for accurate information.

Note: Make sure the NAT router forwards UDP port 4500 to the USG FLEX H device.

Set up IPSec VPN Tunnel for HQ Office

VPN > IPSecVPN > Site to Site VPN > Add
  • Type the VPN "Name" used to identify this VPN connection
  • Set "Behind NAT" to "Remote Site"
  • Click "Next"

  • Configure "My Address" - here it is possible to select the interface or manually enter the IP address
  • Click "Next"

  • Type a secure "Pre-Shared Key"
  • Click "Next"

Configure the Local Subnet to be the IP address of the network connected to the gateway. Set the Remote Subnet to be the IP address of the network connected to the peer gateway. Make sure that the Local Firewall and the Remote Firewall have different subnets to prevent any conflicts between the local and remote sites.

 

Summary

This screen shows a summary of the VPN tunnel. You can edit the settings here if anything needs to change.

Set up IPSec VPN Tunnel for Branch

VPN > IPSecVPN > Site to Site VPN > Add
  • Type the VPN name used to identify this VPN connection
  • Switch "Behind NAT" to the "Local Site"
  • Click "Next"


  • Configure "My Address"
  • Configure "Peer Gateway Address"
  • Click "Next"

  • Type a secure "Pre-Shared Key"
  • Click "Next"

  • Set Local Subnet to be the IP address of the network connected to the gateway and
    Remote Subnet to be the IP address of the network connected to the peer gateway
  • Click "Finish"
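
A pre-check for the values entered in the two wizards above, as an added example that is not part of the original article or any Zyxel tool. The dictionary keys, the HQ subnet and the /24 prefix lengths are constructed for illustration; only 192.168.160.x for the Branch comes from the ping test in this article.

```python
import ipaddress

# Constructed sample plans; keys are hypothetical, not firewall settings names.
HQ_PLAN = {"local_subnet": "192.168.168.0/24", "remote_subnet": "192.168.160.0/24",
           "behind_nat": "remote"}   # HQ wizard: "Behind NAT" = Remote Site
BRANCH_PLAN = {"local_subnet": "192.168.160.0/24", "remote_subnet": "192.168.168.0/24",
               "behind_nat": "local"}  # Branch wizard: "Behind NAT" = Local Site

# How one site's "Behind NAT" choice must look from the other site.
MIRROR = {"local": "remote", "remote": "local", "none": "none"}

def check_tunnel_plan(hq, branch):
    """Return a list of problems in a two-site plan (empty list = consistent)."""
    problems, nets = [], {}
    for name, site in (("HQ", hq), ("Branch", branch)):
        for key in ("local_subnet", "remote_subnet"):
            try:
                # strict=True rejects a host address such as 192.168.160.1/24
                nets[name, key] = ipaddress.ip_network(site[key], strict=True)
            except ValueError as exc:
                problems.append(f"{name} {key}: {exc}")
    if problems:
        return problems
    # Local and remote subnets must differ (and not overlap) on each gateway.
    for name in ("HQ", "Branch"):
        if nets[name, "local_subnet"].overlaps(nets[name, "remote_subnet"]):
            problems.append(f"{name}: local and remote subnets overlap")
    # Each gateway's remote subnet must be the peer's local subnet.
    if nets["HQ", "local_subnet"] != nets["Branch", "remote_subnet"]:
        problems.append("HQ local subnet does not match Branch remote subnet")
    if nets["Branch", "local_subnet"] != nets["HQ", "remote_subnet"]:
        problems.append("Branch local subnet does not match HQ remote subnet")
    # "Behind NAT" must point at the same physical site from both ends.
    if MIRROR.get(hq["behind_nat"]) != branch["behind_nat"]:
        problems.append("Behind NAT settings disagree between the two sites")
    return problems

if __name__ == "__main__":
    issues = check_tunnel_plan(HQ_PLAN, BRANCH_PLAN)
    print("\n".join(issues) if issues else "plan is consistent")
```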

Test IPSec VPN Tunnel

VPN Status > IPSec VPN

Ping the PC in the Branch Office
Win 11 > cmd > ping 192.168.160.1
