In this article, we will take a look at how you can set up a site-to-site VPN between two firewalls.
In case you are looking for other VPN scenarios, tips and tricks, have a look at the following articles.
An office wants to connect securely to its headquarters through the internet. Both offices have a USG / ZyWall / ATP / USG FLEX to access the internet.
1. Login to the USG on Site A
2. Add a VPN Gateway
Configuration > VPN > IPSec VPN > VPN Gateway > Add
- Enter the name of the VPN Gateway
- Choose the outgoing interface in “My Address” (i.e. WAN1)
- Configure the Peer Gateway Address according to the gateway of Site B (Public IP)
- Enter a pre-shared key
- Set the Phase 1 proposals as desired. For security reasons, choose a strong pre-shared key and proposals with strong encryption and authentication, for example AES256 as encryption, SHA512 as authentication and DH14 as the key group
3. Add a VPN tunnel
Configuration > VPN > IPSec VPN > VPN Connection > Add
- Enable and name the rule
- Tick "Site-to-Site" and select the created VPN gateway
- Set the local and remote policy
- Create a new or use an existing address object for the remote network
- Click on "Create new Object" choose IPv4 Address
Note: First check that the IP range of the remote subnet does not already exist on the local side, to avoid a duplicate IP address configuration. If the remote subnet overlaps with a local subnet, you will only be able to reach the local network.
- Click on "Show Advanced Settings" and make sure that the phase 2 settings are the same as the phase 1 settings (i.e. AES256, SHA512)
4. Login to the USG on Site B
5. Add a VPN Gateway
Configuration > VPN > IPSec VPN > VPN Gateway
- Repeat Step 2 to configure the gateway according to Site A (Public IP)
- Make sure that the pre-shared key and the phase 1 and phase 2 settings match those of Site A
6. Add a VPN Tunnel
Configuration > VPN > IPSec VPN > VPN Connection
- Repeat Step 3 to configure the VPN Tunnel according to Site A
- Tick the "Nailed-Up" Option in order for the VPN tunnel to automatically establish and connect itself
- Select the desired VPN Gateway as well as the local and remote policy
7. Test the result
- Connect the VPN tunnel manually the first time. Afterwards, it should check connectivity and reconnect automatically
- You can see that the VPN tunnel is connected when the earth symbol is blue
Check your firewall rules to ensure that the default IPSec-to-Device and IPSec-to-Any rules exist.
Otherwise, it is possible that the traffic through the tunnel will get blocked.
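Most tunnels that refuse to come up after the steps above fail on one of a few things: the pre-shared key or a proposal differs between the two sites, the local and remote policies are not mirror images of each other, or the remote subnet overlaps the local one (the note in step 3). The following script is an added example, not part of the original article and not Zyxel's code: it models the values you enter on each firewall (My Address, Peer Gateway Address, pre-shared key, phase 1 / phase 2 proposals, local and remote policy) as plain dictionaries with constructed sample values and reports those mismatches, plus weak algorithm choices, before you click "Connect". The dictionary layout and the algorithm names are this example's own assumptions, not something the firewall exports.

```python
"""Pre-flight consistency check for a site-to-site IPsec VPN between two
Zyxel USG / ZyWALL / ATP / USG FLEX firewalls.

Added example, not Zyxel's code. The dictionary keys and the sample values
are constructed for this example and are not exported by the firewall.
"""
import ipaddress

# Constructed sample: the settings an administrator would have typed on each side.
# Public addresses come from the RFC 5737 documentation ranges.
SITE_A = {
    "name": "Site A",
    "my_address": "203.0.113.10",
    "peer_address": "198.51.100.20",
    "psk": "constructed-example-psk-only",
    "phase1": {"encryption": "aes256", "authentication": "sha512", "dh_group": "DH14"},
    "phase2": {"encryption": "aes256", "authentication": "sha512"},
    "local_policy": "192.168.1.0/24",
    "remote_policy": "192.168.2.0/24",
}
SITE_B = {
    "name": "Site B",
    "my_address": "198.51.100.20",
    "peer_address": "203.0.113.10",
    "psk": "constructed-example-psk-only",
    "phase1": {"encryption": "aes256", "authentication": "sha512", "dh_group": "DH14"},
    "phase2": {"encryption": "aes256", "authentication": "sha512"},
    "local_policy": "192.168.2.0/24",
    "remote_policy": "192.168.1.0/24",
}

# Algorithms that should no longer be offered in a new tunnel.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_AUTHENTICATION = {"md5", "sha1"}
WEAK_DH_GROUPS = {"DH1", "DH2", "DH5"}


def check_site(site):
    """Findings visible from one firewall alone: policy overlap and weak proposals."""
    name = site["name"]
    findings = []
    local = ipaddress.ip_network(site["local_policy"], strict=False)
    remote = ipaddress.ip_network(site["remote_policy"], strict=False)
    if local.overlaps(remote):
        findings.append(f"{name}: local policy {local} overlaps remote policy {remote}; "
                        "only the local network would be reachable")
    for phase in ("phase1", "phase2"):
        proposal = site[phase]
        if proposal["encryption"].lower() in WEAK_ENCRYPTION:
            findings.append(f"{name}: {phase} encryption {proposal['encryption']} is weak; use AES256")
        if proposal["authentication"].lower() in WEAK_AUTHENTICATION:
            findings.append(f"{name}: {phase} authentication {proposal['authentication']} is weak; use SHA512")
    if site["phase1"]["dh_group"] in WEAK_DH_GROUPS:
        findings.append(f"{name}: phase1 key group {site['phase1']['dh_group']} is weak; use DH14 or higher")
    if len(site["psk"]) < 16:
        findings.append(f"{name}: pre-shared key is shorter than 16 characters")
    return findings


def check_pair(a, b):
    """Findings that only show up when both sides are compared."""
    findings = check_site(a) + check_site(b)

    def net(cidr):
        return ipaddress.ip_network(cidr, strict=False)

    if a["psk"] != b["psk"]:
        findings.append("pre-shared key differs between the two sites")
    for phase in ("phase1", "phase2"):
        if a[phase] != b[phase]:
            findings.append(f"{phase} proposals differ: {a[phase]} vs {b[phase]}")
    if a["peer_address"] != b["my_address"] or b["peer_address"] != a["my_address"]:
        findings.append("Peer Gateway Address on one site does not match My Address on the other")
    if net(a["local_policy"]) != net(b["remote_policy"]) or net(a["remote_policy"]) != net(b["local_policy"]):
        findings.append("local/remote policies are not mirror images of each other")
    return findings


if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["no findings: settings are consistent"]:
        print(line)
```

Run it with the two dictionaries filled in from what you actually entered in the web GUI; an empty result means the two sides agree on everything the article asks you to match, and each finding names the site and field to correct.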
New on the ATP and USG FLEX firewalls is the Quick Setup Wizard.
You can choose between Express (VPN with default values) and Advanced (manual setting of cryptography etc.).
For the brevity of this article, we choose the "Express" option.
Here we choose the VPN type we want to set up
and enter the details of the VPN:
public IP or FQDN of the remote gateway, PSK, local and remote subnet.
Now we can save the config and get the configuration script for the remote gateway.
To use that script, please check the following article.
Please note that you need to set one of the gateway connections to "Nailed-Up".
Do you want to look directly at one of our test devices? Have a look here in our virtual Lab:
Virtual LAB - Site to Site VPN
For a more detailed description please see our video: