[Figure: Topology of the zones configured on the security device in Tokyo: Trust Zone, Untrust-Tun Zone, Untrust Zone.]
[Figure: Topology of the zones configured on the security device in Paris: Trust Zone, Untrust-Tun Zone, Untrust Zone.]
[Figure: Tokyo Trust Zone, ethernet1, 10.1.1.1/24; Tokyo Outgoing Interface, Untrust Zone, ethernet3, 1.1.1.1/24, Gateway 1.1.1.250; VPN Tunnel across the Internet; Paris Outgoing Interface, Untrust Zone, ethernet3, 2.2.2.2/24, Gateway 2.2.2.250; Paris Trust Zone, ethernet1, 10.2.2.1/24.]
To set up the tunnel, perform the following five steps on the security devices at both ends of the tunnel:
1. Assign IP addresses to the physical interfaces bound to the security zones.
2. Configure the VPN tunnel, and designate its outgoing interface in the Untrust zone.
3. Enter the IP addresses for the local and remote endpoints in the Trust and Untrust address books.
4. Enter a default route to the external router.
5. Set up policies for VPN traffic to pass bidirectionally through the tunnel.
Because the tunnel uses manual keys, there is no IKE negotiation to detect a mismatch between the two ends. The Security Parameter Indexes (SPIs) must mirror each other (the local SPI on one device is the remote SPI on the other), the same key-generating passwords must be entered on both devices, and the gateway IP on each device is the Untrust interface address of the peer. Manual keys are never rekeyed automatically, so rotate them on a schedule of your own.
WebUI (Tokyo)
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Select the following, then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24
2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: Trust_LAN
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.0/24
Zone: Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: Paris_Office
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.0/24
Zone: Untrust
3. VPN
VPNs > Manual Key > New: Enter the following, then click OK:
VPN Tunnel Name: Tokyo_Paris
Gateway IP: 2.2.2.2
Security Index (HEX Number): 3020 (Local), 3030 (Remote)
Outgoing Interface: ethernet3
ESP-CBC: (select)
Encryption Algorithm: 3DES-CBC
Generate Key by Password: asdlk24234
Authentication Algorithm: SHA-1
Generate Key by Password: PNas134a
> Advanced: Enter the following advanced settings, then click Return to return to the basic Manual Key tunnel configuration page:
Bind to: Tunnel Zone, Untrust-Tun
4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250
5. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Name: To/From Paris
Source Address:
Address Book Entry: (select), Trust_LAN
Destination Address:
Address Book Entry: (select), Paris_Office
Service: ANY
Action: Tunnel
Tunnel VPN: Tokyo_Paris
Modify matching bidirectional VPN policy: (select)
Position at Top: (select)
WebUI (Paris)
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.2.2.1/24
Select the following, then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 2.2.2.2/24
2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: Trust_LAN
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.0/24
Zone: Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: Tokyo_Office
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.0/24
Zone: Untrust
3. VPN
VPNs > Manual Key > New: Enter the following, then click OK:
VPN Tunnel Name: Paris_Tokyo
Gateway IP: 1.1.1.1
Security Index (HEX Number): 3030 (Local), 3020 (Remote)
Outgoing Interface: ethernet3
ESP-CBC: (select)
Encryption Algorithm: 3DES-CBC
Generate Key by Password: asdlk24234
Authentication Algorithm: SHA-1
Generate Key by Password: PNas134a
> Advanced: Enter the following advanced settings, then click Return to return to the basic Manual Key tunnel configuration page:
Bind to: Tunnel Zone, Untrust-Tun
4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 2.2.2.250
5. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
Name: To/From Tokyo
Source Address:
Address Book Entry: (select), Trust_LAN
Destination Address:
Address Book Entry: (select), Tokyo_Office
Service: ANY
Action: Tunnel
Tunnel VPN: Paris_Tokyo
Modify matching bidirectional VPN policy: (select)
Position at Top: (select)
CLI (Tokyo)
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
2. Addresses
set address trust Trust_LAN 10.1.1.0/24
set address untrust paris_office 10.2.2.0/24
3. VPN
set vpn tokyo_paris manual 3020 3030 gateway 2.2.2.2 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a
set vpn tokyo_paris bind zone untrust-tun
4. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
5. Policies
set policy top name "To/From Paris" from trust to untrust Trust_LAN paris_office any tunnel vpn tokyo_paris
set policy top name "To/From Paris" from untrust to trust paris_office Trust_LAN any tunnel vpn tokyo_paris
save
CLI (Paris)
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.2.2.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24
2. Addresses
set address trust Trust_LAN 10.2.2.0/24
set address untrust tokyo_office 10.1.1.0/24
3. VPN
set vpn paris_tokyo manual 3030 3020 gateway 1.1.1.1 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a
set vpn paris_tokyo bind zone untrust-tun
4. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 2.2.2.250
5. Policies
set policy top name "To/From Tokyo" from trust to untrust Trust_LAN tokyo_office any tunnel vpn paris_tokyo
set policy top name "To/From Tokyo" from untrust to trust tokyo_office Trust_LAN any tunnel vpn paris_tokyo
save
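The two CLI listings above are mirror images of each other, and with manual keys nothing on the device will tell you when they are not. The following Python script is an added example, not part of this guide or of ScreenOS: it renders the CLI for both ends from one description per site and cross-checks the pair for the mismatches that a manual-key tunnel cannot detect at run time (SPIs not swapped, differing key passwords, identical inbound and outbound SPIs, overlapping Trust subnets). The Site class and the functions render_manual_key_vpn and check_mirrored are this example's own names; the site values are the ones used for Tokyo and Paris above.

```python
"""Render and cross-check both ends of a ScreenOS manual-key VPN (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    """One end of the tunnel. Structure is this example's own; values below are the page's."""
    name: str           # used to build the VPN and address-book object names
    trust_if: str       # interface bound to the Trust zone
    trust_ip: str       # its address/mask
    trust_lan: str      # Trust subnet the peer reaches through the tunnel
    untrust_if: str     # interface bound to the Untrust zone (tunnel outgoing interface)
    untrust_ip: str     # its address/mask; the peer enters this host address as its gateway IP
    default_gw: str     # external router for the default route
    local_spi: str      # hex SPI this end assigns; the peer must enter it as its remote SPI
    remote_spi: str     # hex SPI the peer assigns; must equal the peer's local SPI
    esp_password: str   # password from which the 3DES key is generated
    auth_password: str  # password from which the SHA-1 key is generated


TOKYO = Site(name="Tokyo", trust_if="ethernet1", trust_ip="10.1.1.1/24",
             trust_lan="10.1.1.0/24", untrust_if="ethernet3", untrust_ip="1.1.1.1/24",
             default_gw="1.1.1.250", local_spi="3020", remote_spi="3030",
             esp_password="asdlk24234", auth_password="PNas134a")

PARIS = Site(name="Paris", trust_if="ethernet1", trust_ip="10.2.2.1/24",
             trust_lan="10.2.2.0/24", untrust_if="ethernet3", untrust_ip="2.2.2.2/24",
             default_gw="2.2.2.250", local_spi="3030", remote_spi="3020",
             esp_password="asdlk24234", auth_password="PNas134a")


def render_manual_key_vpn(local: Site, peer: Site) -> list[str]:
    """Return the ScreenOS CLI for one end, in the same order as the five steps above."""
    vpn = f"{local.name}_{peer.name}".lower()          # e.g. tokyo_paris
    peer_addr = f"{peer.name.lower()}_office"          # e.g. paris_office
    peer_gw = peer.untrust_ip.split("/")[0]            # gateway IP carries no mask
    return [
        f"set interface {local.trust_if} zone trust",
        f"set interface {local.trust_if} ip {local.trust_ip}",
        f"set interface {local.trust_if} nat",
        f"set interface {local.untrust_if} zone untrust",
        f"set interface {local.untrust_if} ip {local.untrust_ip}",
        f"set address trust Trust_LAN {local.trust_lan}",
        f"set address untrust {peer_addr} {peer.trust_lan}",
        f"set vpn {vpn} manual {local.local_spi} {local.remote_spi} gateway {peer_gw} "
        f"outgoing-interface {local.untrust_if} esp 3des password {local.esp_password} "
        f"auth sha-1 password {local.auth_password}",
        f"set vpn {vpn} bind zone untrust-tun",
        f"set vrouter trust-vr route 0.0.0.0/0 interface {local.untrust_if} gateway {local.default_gw}",
        f'set policy top name "To/From {peer.name}" from trust to untrust Trust_LAN {peer_addr} any tunnel vpn {vpn}',
        f'set policy top name "To/From {peer.name}" from untrust to trust {peer_addr} Trust_LAN any tunnel vpn {vpn}',
        "save",
    ]


def check_mirrored(a: Site, b: Site) -> list[str]:
    """Return the mismatches that would leave a manual-key tunnel dropping traffic; empty if consistent."""
    problems = []
    if a.local_spi != b.remote_spi or a.remote_spi != b.local_spi:
        problems.append("SPIs are not swapped: local SPI on one end must be the remote SPI on the other")
    if a.esp_password != b.esp_password:
        problems.append("ESP key passwords differ")
    if a.auth_password != b.auth_password:
        problems.append("authentication key passwords differ")
    if a.local_spi == a.remote_spi or b.local_spi == b.remote_spi:
        problems.append("inbound and outbound SPIs are identical on one end")
    if a.trust_lan == b.trust_lan:
        problems.append("both Trust LANs use the same subnet; the tunnel policies would overlap")
    return problems


if __name__ == "__main__":
    for local, peer in ((TOKYO, PARIS), (PARIS, TOKYO)):
        print(f"# CLI ({local.name})")
        print("\n".join(render_manual_key_vpn(local, peer)))
    print("mismatches:", check_mirrored(TOKYO, PARIS) or "none")
```

Run check_mirrored before pasting either listing into a device; the SPI swap is the error most often made when the two ends are configured by different people, and with manual keys the only symptom is that traffic silently fails to pass.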