In this article, we will look at how you can set up a site-to-site VPN between two firewalls, both by manual configuration and via the built-in wizard. The guide covers IKEv1 and IKEv2 IPsec site-to-site VPN. It also shows how to carry several additional subnets in the same VPN tunnel and how to see which ciphers are available.
Table of Contents
1) Configure Site A Firewall
1.1 Log in to the USG on Site A
1.2 Add a VPN Gateway
1.3 Add a VPN tunnel
2) Configure Site B Firewall
2.1 Log in to the USG on Site B
2.2 Add a VPN Gateway
2.3 Add a VPN Tunnel
2.4 Test the result
3) Wizard Method
4) Limitation - Using several subnets
5) Troubleshooting
If you are looking for other VPN scenarios, tips and tricks, have a look at the following articles:
General:
VPN Guideline - Choosing the right VPN-type for your Home-Office (+Useful Links & Tutorials)
VPN Configuration Provisioning on a USG-Firewall
USG/ATP/VPN Series - VPN connection Failover setup
Nebula:
Building up a Site-to-Site VPN in Nebula between two Nebula Gateways (NSG)
Scenario:
A branch office wants to connect securely to its headquarters over the internet. Both offices have a USG / ZyWall / ATP / USG FLEX firewall for internet access.
1) Configure Site A Firewall
1.1 Log in to the USG on Site A
1.2 Add a VPN Gateway
Configuration > VPN > IPSec VPN > VPN Gateway > Add
- Enter the name of the VPN gateway
- Choose the outgoing interface in "My Address" (e.g. WAN1)
- Configure the Peer Gateway Address with the public IP of the Site B gateway
- Enter a pre-shared key
- Set the Phase 1 proposals as desired. For security, choose a long, random pre-shared key and proposals with strong encryption and authentication, for example AES256 for encryption, SHA512 for authentication and DH14 as the key group
1.3 Add a VPN tunnel
Configuration > VPN > IPSec VPN > VPN Connection > Add
- Enable and name the rule
- Tick "Site-to-Site" and select the VPN gateway created above
- Set the local and remote policy
- Create a new address object for the remote network or use an existing one
- Click "Create new Object" and choose IPv4 Address
Note: First check that the remote subnet does not overlap with a local subnet, to avoid a duplicate address configuration. If the remote subnet is the same as a local subnet, you will only be able to reach the local network.
- Click "Show Advanced Settings" and make sure the Phase 2 proposals use the same algorithms as Phase 1 (e.g. AES256, SHA512). The peer must be configured with identical Phase 2 proposals.
2) Configure Site B Firewall
2.1 Log in to the USG on Site B
2.2 Add a VPN Gateway
Configuration > VPN > IPSec VPN > VPN Gateway
- Repeat step 1.2 to configure the gateway, this time with the public IP of Site A as the peer
- Make sure the pre-shared key and the Phase 1 and Phase 2 settings match Site A
2.3 Add a VPN Tunnel
Configuration > VPN > IPSec VPN > VPN Connection
- Repeat step 1.3 to configure the VPN tunnel, with the local and remote policies swapped relative to Site A
- Tick the "Nailed-Up" option so that the VPN tunnel establishes and reconnects automatically
- Select the desired VPN gateway as well as the local and remote policy
2.4 Test the result
- Connect the VPN tunnel manually the first time. Afterwards it should detect a lost connection and reconnect automatically
- You can see that the VPN tunnel is connected when the earth symbol is blue
Note:
Check your firewall rules to ensure the default IPSec-to-Device and IPSec-to-Any rules exist.
Otherwise, traffic through the tunnel may be blocked.
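The checks that sections 1 and 2 ask you to make by eye (matching pre-shared key and proposals, mirrored local/remote policies, no overlap between the two sites' subnets, at least one Nailed-Up side, no weak algorithms) can be written down as a small pre-flight script. The following is an added example and not code from the article or from Zyxel; the dataclass fields mirror the GUI labels used above, while the sample addresses, the example PSK and the list of algorithms treated as weak are assumptions made for the illustration.

```python
"""Pre-flight check for a two-site IPsec VPN configured as in the article.

Added example, not Zyxel code. Each SiteConfig holds what you typed into
the VPN Gateway and VPN Connection pages of one firewall; check_pair()
reports everything that would stop the tunnel coming up or would let it
come up with weak crypto. Sample values are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Algorithms that should not appear in a new tunnel (assumption for this
# example; the article's recommendation is AES256 / SHA512 / DH14).
WEAK_ENCRYPTION = {"DES", "3DES", "NULL"}
WEAK_AUTHENTICATION = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"DH1", "DH2", "DH5"}


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    dh_group: Optional[str] = None  # Phase 2 only carries a group when PFS is on

    def weak_parts(self) -> List[str]:
        """Name every algorithm in this proposal that is on the weak list."""
        found = []
        if self.encryption.upper() in WEAK_ENCRYPTION:
            found.append(f"encryption {self.encryption}")
        if self.authentication.upper() in WEAK_AUTHENTICATION:
            found.append(f"authentication {self.authentication}")
        if self.dh_group and self.dh_group.upper() in WEAK_DH_GROUPS:
            found.append(f"key group {self.dh_group}")
        return found


@dataclass
class SiteConfig:
    name: str
    my_address: str      # "My Address": this firewall's WAN IP
    peer_address: str    # "Peer Gateway Address": the other firewall's WAN IP
    psk: str
    phase1: Proposal
    phase2: Proposal
    local_policy: str    # subnet behind this firewall, e.g. "192.168.1.0/24"
    remote_policy: str   # subnet behind the peer
    nailed_up: bool = False


def check_pair(a: SiteConfig, b: SiteConfig) -> List[str]:
    """Return a list of problems; an empty list means the two sides agree."""
    issues: List[str] = []
    if a.peer_address != b.my_address or b.peer_address != a.my_address:
        issues.append("peer gateway addresses do not point at each other")
    if a.psk != b.psk:
        issues.append("pre-shared key differs between the sites")
    if a.phase1 != b.phase1:
        issues.append("Phase 1 proposals differ")
    if a.phase2 != b.phase2:
        issues.append("Phase 2 proposals differ")
    if a.local_policy != b.remote_policy or a.remote_policy != b.local_policy:
        issues.append("local/remote policies are not mirror images")
    for site in (a, b):
        local, remote = ip_network(site.local_policy), ip_network(site.remote_policy)
        if local.overlaps(remote):
            issues.append(f"{site.name}: local policy {local} overlaps remote policy "
                          f"{remote}; only the local network would be reachable")
        for label, proposal in (("Phase 1", site.phase1), ("Phase 2", site.phase2)):
            for part in proposal.weak_parts():
                issues.append(f"{site.name}: weak {label} {part}")
    if not (a.nailed_up or b.nailed_up):
        issues.append("neither side is Nailed-Up; the tunnel will not re-establish by itself")
    return issues


STRONG_P1 = Proposal("AES256", "SHA512", "DH14")
STRONG_P2 = Proposal("AES256", "SHA512")


def good_pair():
    """Constructed sample: Site A and Site B configured as the article describes."""
    a = SiteConfig("Site A", "203.0.113.10", "198.51.100.20", "example-psk",
                   STRONG_P1, STRONG_P2, "192.168.1.0/24", "192.168.2.0/24")
    b = SiteConfig("Site B", "198.51.100.20", "203.0.113.10", "example-psk",
                   STRONG_P1, STRONG_P2, "192.168.2.0/24", "192.168.1.0/24", nailed_up=True)
    return a, b


def bad_pair():
    """Constructed sample: Site B has a trailing space in the PSK, a weak
    Phase 1 proposal, and the same subnet on both ends of its policy."""
    a, b = good_pair()
    b.psk = "example-psk "
    b.phase1 = Proposal("3DES", "SHA1", "DH2")
    b.local_policy = "192.168.1.0/24"
    return a, b


if __name__ == "__main__":
    for label, pair in (("good", good_pair()), ("bad", bad_pair())):
        print(label, check_pair(*pair) or "OK")
```

The script deliberately compares whole proposals rather than individual fields: a Phase 1 that matches on encryption and hash but not on the DH group still fails to negotiate, and that is the mismatch that is hardest to spot in two GUI screenshots.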
3) Wizard Method
The ATP and USG FLEX firewalls now include a Quick Setup wizard for VPN.
You can choose between Express (a VPN with default values) and Advanced (manual selection of the cryptographic settings and so on).
For brevity, this article uses the Express option.
First choose the VPN type you want to set up.
Then enter the details of the VPN: the public IP or FQDN of the remote gateway, the PSK, and the local and remote subnets.
Now save the configuration and download the configuration script for the remote gateway.
To use that script, see the following article.
Note that one of the two gateways must have its connection set to "Nailed-Up".
Interesting:
Do you want to look directly at one of our test devices? Have a look at our virtual lab:
Virtual LAB - Site to Site VPN
For a more detailed description please see our video:
4) Limitation - Using several subnets
On Zyxel firewalls the VPN policy cannot select several subnets for one tunnel: the local policy (subnet) and the remote policy (subnet) each accept a single subnet.
Configuration > VPN > IPSec VPN > VPN Connection > Policy
To work around this, configure a policy route that sends traffic from the additional subnets into the tunnel manually.
Create this policy route
Note: the remote site may also need a policy route so that the response packets are sent back through the tunnel.
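To make the workaround concrete, here is an added example (not from the article or from Zyxel) that, given all subnets on both sides and the single pair the VPN policy covers, lists the policy routes each firewall needs, including the return routes on the remote side that the note above mentions. The subnets are constructed sample values; each route tuple is the (source, destination) pair you would enter in a policy route whose next hop is the VPN tunnel.

```python
"""Plan the policy routes needed when a tunnel's policy covers only one
subnet per side but several subnets must use it. Added example, not Zyxel
code; subnets below are constructed sample input."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (source subnet, destination subnet) sent into the tunnel


def plan_policy_routes(local_subnets: List[str], remote_subnets: List[str],
                       local_policy: str, remote_policy: str) -> Dict[str, List[Route]]:
    """Return the policy routes each side needs so that every local subnet can
    reach every remote subnet, given that the VPN policy itself only carries
    local_policy <-> remote_policy.

    'local' routes go on this firewall. 'remote' routes are the mirror images
    the peer needs, otherwise its replies follow its default route instead of
    the tunnel (the failure mode the note above describes)."""
    local_nets = [ip_network(s) for s in local_subnets]
    remote_nets = [ip_network(s) for s in remote_subnets]
    for l in local_nets:
        for r in remote_nets:
            if l.overlaps(r):
                raise ValueError(f"{l} overlaps {r}; overlapping hosts are only reachable locally")
    policy = (ip_network(local_policy), ip_network(remote_policy))
    if policy[0] not in local_nets or policy[1] not in remote_nets:
        raise ValueError("the tunnel policy must be one of the listed subnets on each side")
    local_routes: List[Route] = []
    remote_routes: List[Route] = []
    for l in local_nets:
        for r in remote_nets:
            if (l, r) == policy:
                continue  # already carried by the VPN policy itself
            local_routes.append((str(l), str(r)))
            remote_routes.append((str(r), str(l)))  # return path for the same flow
    return {"local": local_routes, "remote": remote_routes}


def path_for(plan: Dict[str, List[Route]], local_policy: str, remote_policy: str,
             src_ip: str, dst_ip: str) -> str:
    """Classify one flow seen from the local firewall: carried by the VPN
    policy, by an added policy route, or not sent into the tunnel at all."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src in ip_network(local_policy) and dst in ip_network(remote_policy):
        return "vpn policy"
    for s, d in plan["local"]:
        if src in ip_network(s) and dst in ip_network(d):
            return "policy route"
    return "not in tunnel"


# Constructed sample: two subnets behind each firewall, one pair in the policy.
LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.10.0/24"]
REMOTE_SUBNETS = ["192.168.2.0/24", "192.168.20.0/24"]
LOCAL_POLICY, REMOTE_POLICY = "192.168.1.0/24", "192.168.2.0/24"


def example_plan() -> Dict[str, List[Route]]:
    return plan_policy_routes(LOCAL_SUBNETS, REMOTE_SUBNETS, LOCAL_POLICY, REMOTE_POLICY)


if __name__ == "__main__":
    plan = example_plan()
    for side in ("local", "remote"):
        print(f"policy routes on the {side} firewall (next hop: VPN tunnel):")
        for src, dst in plan[side]:
            print(f"  source {src} -> destination {dst}")
    print(path_for(plan, LOCAL_POLICY, REMOTE_POLICY, "192.168.10.5", "192.168.2.7"))
```

With two subnets per side the policy covers one of the four combinations, so three policy routes are needed on each firewall; forgetting the three on the remote side is exactly the case where pings from the extra subnet leave through the tunnel but the replies never come back.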
5) Troubleshooting
If the tunnel does not come up, first compare the Phase 1 proposals on the VPN Gateway page and the Phase 2 proposals on the VPN Connection page with the peer's; a proposal mismatch is a common reason a tunnel never gets past Phase 1. The algorithms actually negotiated for an established tunnel are shown under Monitor > VPN Monitor > IPSec.
If you are unsure which ciphers the firewall's HTTPS management server offers, use the commands below. Note that they concern the web GUI's TLS cipher suites (ip http secure-server), not the IPsec proposals, and that the second line is a configuration change: the "no" form removes the strong-cipher restriction rather than displaying it, so run only the "show" command if you want a read-only check.
Router# configure terminal
Router(config)# no ip http secure-server strong-cipher
Router(config)# show ip http server secure cipher-list
Comments
Hello, just to let you know that the link to Virtual LAB - Site to Site VPN is broken.
Hello Valerio!
Thank you for informing us!
Fixed!