Assumptions:
All traffic from the corporate network 10.0.0.0/8 will be seen by the 3rd party as coming from 10.131.12.65.
Only connections initiated from our network are allowed (one-directional VPN): users on the 3rd party side cannot reach our hosts, but their hosts can respond to connections we open.
Only traffic to the remote network 94.17.25.128/25 is allowed through the VPN tunnel.
CONFIGURATION

Phase 1 Proposal
Authentication Method    | Pre-Shared Key
DH Group                 | 2
Encryption Algorithm     | AES-256
Hash Algorithm           | SHA-1
Lifetime                 | 28800 seconds
Mode                     | Main Mode

Phase 2 Proposal
PFS                      | DH group 2
Encapsulation            | ESP
Encryption Algorithm     | AES-256
Authentication Algorithm | SHA-1
Lifetime                 | 3600 seconds
Encryption Domain (*)    | remote network: 94.17.25.128/25
                         | our network: 10.131.12.64/27
- set the IKE phase 1 and phase 2 proposals
PHASE 1
set ike p1-proposal "pre-g2-aes256-sha" preshare group2 esp aes256 sha-1 second 28800
PHASE 2
set ike p2-proposal "3rdparty" group2 esp aes256 sha-1 second 3600
- configure the VPN (the IKE gateway and the VPN object that references it)
set ike gateway "3rd-pri-resource_link" address 12.90.64.9 Main outgoing-interface "ethernet0/9" preshare "secret!!!" proposal "pre-g2-aes256-sha"
set vpn "3rd-pri-resource_link" gateway "3rd-pri-resource_link" replay tunnel idletime 0 proposal "3rdparty"
- set up the tunnel interface
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip 10.131.12.65/27
- bind the VPN tunnel to the tunnel.1 interface
set vpn "3rd-pri-resource_link" bind interface tunnel.1
- set the route for traffic which should go into the tunnel
set route 94.17.25.128/25 interface tunnel.1
- set the address object for the remote network
set address "Untrust" "94.17.25.128/25" 94.17.25.128 255.255.255.128 "3rd party address"
- set a policy that NATs all traffic going to the 94.17.25.128/25 network to the tunnel interface IP (10.131.12.65)
set policy id x from "Trust" to "Untrust" "Any" "94.17.25.128/25" "ANY" nat src permit
- configure which traffic should go via the VPN tunnel (the proxy-id)
set vpn "3rd-pri-resource_link" proxy-id local-ip 10.131.12.64/27 remote-ip 94.17.25.128/25 "ANY"
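As an added example (not part of the original post), the Python script below checks the values from this configuration against each other: the NAT source address (the tunnel interface IP) must fall inside the local proxy-id, the route and policy destinations must be covered by the remote proxy-id, the two encryption domains must not overlap, and the phase 2 lifetime should not exceed the phase 1 lifetime. A mismatch in any of these is a common reason for a tunnel that negotiates successfully but carries no traffic, or for the peer silently discarding packets. The RouteBasedVpn class and the check names are this example's own assumptions; the values are taken from the configuration above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteBasedVpn:
    """Values from a route-based ScreenOS VPN (field names are this example's own)."""
    tunnel_if_ip: str   # tunnel interface address, also the NAT source ("nat src")
    proxy_local: str    # proxy-id local-ip (our encryption domain)
    proxy_remote: str   # proxy-id remote-ip (remote encryption domain)
    route_dst: str      # destination of the route pointing at tunnel.1
    policy_dst: str     # destination address object used in the policy
    p1_lifetime: int    # phase 1 lifetime, seconds
    p2_lifetime: int    # phase 2 lifetime, seconds


def check_vpn_consistency(vpn: RouteBasedVpn) -> list[str]:
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    tunnel_ip = ipaddress.ip_interface(vpn.tunnel_if_ip).ip
    local = ipaddress.ip_network(vpn.proxy_local, strict=False)
    remote = ipaddress.ip_network(vpn.proxy_remote, strict=False)
    route = ipaddress.ip_network(vpn.route_dst, strict=False)
    policy = ipaddress.ip_network(vpn.policy_dst, strict=False)

    # The policy rewrites every source to the tunnel interface IP, so that
    # IP must be inside the local proxy-id or the peer drops the packets.
    if tunnel_ip not in local:
        findings.append(f"NAT source {tunnel_ip} is outside local proxy-id {local}")

    # Traffic is only encrypted if the route sends it into tunnel.1 AND the
    # destination is covered by the remote proxy-id.
    if not route.subnet_of(remote):
        findings.append(f"route {route} is not covered by remote proxy-id {remote}")
    if not policy.subnet_of(remote):
        findings.append(f"policy destination {policy} is not covered by remote proxy-id {remote}")

    # Overlapping encryption domains make the proxy-id ambiguous.
    if local.overlaps(remote):
        findings.append(f"local {local} and remote {remote} proxy-ids overlap")

    # Phase 2 SAs are rekeyed under a live phase 1 SA, so phase 2 should expire first.
    if vpn.p2_lifetime > vpn.p1_lifetime:
        findings.append(
            f"phase 2 lifetime {vpn.p2_lifetime}s exceeds phase 1 lifetime {vpn.p1_lifetime}s"
        )
    return findings


# Values taken from the configuration above.
PAGE_VPN = RouteBasedVpn(
    tunnel_if_ip="10.131.12.65/27",
    proxy_local="10.131.12.64/27",
    proxy_remote="94.17.25.128/25",
    route_dst="94.17.25.128/25",
    policy_dst="94.17.25.128/25",
    p1_lifetime=28800,
    p2_lifetime=3600,
)

if __name__ == "__main__":
    for finding in check_vpn_consistency(PAGE_VPN) or ["configuration values are consistent"]:
        print(finding)
```

Run it once with the values you intend to send to the 3rd party; the same checks, with the sides swapped, tell you what their proxy-id has to contain for phase 2 to come up.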
- test vpn connection
- monitor vpn
-> get sa
total configured sa: 62
HEX ID    Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000078< 12.90.64.9 500 esp:a256/sha1 84f2aaa3 3574 unlim A/- -1 0
00000078> 12.90.64.9 500 esp:a256/sha1 318f6414 3574 unlim A/- -1 0
-> get sa id 0x78
index 61, name XXX, peer gateway ip 12.90.64.9. vsys
auto key. tunnel if binding node, tunnel mode, policy id in: out: vpngrp:. sa_list_nxt:.
tunnel id 120, peer id 6, NSRP Local.    site-to-site. Local interface is ethernet0/9 .
esp, group 2, a256 encryption, sha1 authentication
autokey, IN active, OUT active
monitor, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x400067
proxy id: local 10.131.12.64/255.255.255.224, remote 94.17.25.128/255.255.255.128, proto 0, port 0
ike activity timestamp: -2089671524
DSCP-mark : disabled
nat-traversal map not available
incoming: SPI 84f2aac6, flag 00004000, tunnel info 40000078, pipeline
life 3600 sec, 2535 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x15, window 0x1fffff, idle timeout value , idled 1018 seconds
next pak sequence number: 0x0
bytes/paks:1650/38; sw bytes/paks:1650/38
outgoing: SPI 5c8f6414, flag 00000000, tunnel info 40000078, pipeline
life 3600 sec, 2535 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value , idled 1018 seconds
next pak sequence number: 0x1d
bytes/paks:2206/48; sw bytes/paks:2206/48
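As an added example (not the author's), the Python below parses the `get sa` summary table and flags peers whose SAs are not active in both directions, whose VPN monitor reports down, or whose algorithm differs from the phase 2 proposal. The sample input reproduces the two rows above and adds two constructed rows for a hypothetical inactive peer at the documentation address 192.0.2.1; the function names are this example's own. This is what you would run from a monitoring script instead of reading the table by eye.

```python
import re

# One row of "get sa": hex id + direction marker, gateway, port, algorithm,
# SPI, lifetime (sec), kb, status, PID, vsys.
SA_ROW = re.compile(
    r"^(?P<hex_id>[0-9a-f]{8})(?P<direction>[<>])\s+"
    r"(?P<gateway>\S+)\s+(?P<port>\d+)\s+(?P<algorithm>\S+)\s+"
    r"(?P<spi>[0-9a-f]+)\s+(?P<life_sec>\S+)\s+(?P<kb>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<pid>-?\d+)\s+(?P<vsys>\d+)\s*$"
)

# Constructed sample: the two rows from the page plus a hypothetical peer
# (documentation address 192.0.2.1) whose SAs never came up.
SAMPLE_GET_SA = """\
total configured sa: 62
HEX ID   Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000078< 12.90.64.9 500 esp:a256/sha1 84f2aaa3 3574 unlim A/- -1 0
00000078> 12.90.64.9 500 esp:a256/sha1 318f6414 3574 unlim A/- -1 0
0000007a< 192.0.2.1 500 esp:a256/sha1 00000000 0 unlim I/I -1 0
0000007a> 192.0.2.1 500 esp:a256/sha1 00000000 0 unlim I/I -1 0
"""


def parse_get_sa(text: str) -> list[dict]:
    """Return one dict per SA row; the header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        # "<" is the inbound SA, ">" the outbound SA.
        row["direction"] = "in" if row["direction"] == "<" else "out"
        row["life_sec"] = int(row["life_sec"]) if row["life_sec"].isdigit() else None
        rows.append(row)
    return rows


def sa_health(rows: list[dict], expected_alg: str = "esp:a256/sha1") -> dict[str, list[str]]:
    """Per gateway: problems with its SA pair (empty list = healthy).

    Status column: first character A = active, I = inactive; second character
    is the VPN monitor state (U up, D down, '-' not monitored).
    """
    report: dict[str, list[str]] = {}
    for row in rows:
        issues = report.setdefault(row["gateway"], [])
        if not row["status"].startswith("A"):
            issues.append(f"{row['direction']}bound SA inactive ({row['status']})")
        elif row["status"].endswith("D"):
            issues.append(f"{row['direction']}bound SA active but VPN monitor reports down")
        if row["algorithm"] != expected_alg:
            issues.append(f"{row['direction']}bound SA uses {row['algorithm']}, expected {expected_alg}")
    # A healthy tunnel has exactly one inbound and one outbound SA per peer.
    for gateway, issues in report.items():
        seen = {r["direction"] for r in rows if r["gateway"] == gateway}
        for missing in {"in", "out"} - seen:
            issues.append(f"no {missing}bound SA present")
    return report


if __name__ == "__main__":
    for gateway, issues in sa_health(parse_get_sa(SAMPLE_GET_SA)).items():
        print(gateway, "OK" if not issues else "; ".join(issues))
```

Feed it the raw output of `get sa` captured over SSH; for this page's peer the report is empty, while the constructed 192.0.2.1 peer shows both directions inactive.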
dzbanek 2012-12-28