In the example below we are setting up a VPN between two offices.
Step 1: Create VPN Gateway
1. Click VPN from the Menu Bar
2. Click Branch Office Gateway
3. Click Add
4. Type a Gateway Name (e.g. Gateway to RemoteOffice)
5. Enter Pre-shared key
6. Underneath Gateway Endpoints Click Add
7. Under Local Gateway enter Public IP Address of External Interface
8. Select Correct External Interface (if you have more than 1)
9. Under Remote Gateway enter the public IP address of the firewall at the remote site, and enter the same IP address under Gateway ID
10. Then click OK
11. Select Phase1 Settings tab
12. Set Mode to Main
13. Uncheck NAT Traversal and IKE Keep-alive and select Dead Peer Detection
14. Under Transform Settings select SHA1-DES and click Edit
15. Set SA Life to 24 Hours
16. Click OK
17. Click OK
18. Click Close
Step 2: Create VPN Tunnel
1. Click VPN from the Menu Bar and select Branch Office Tunnels
2. Click Add
3. Type a Tunnel Name (e.g. Tunnel to Remote Office)
4. On the Addresses tab Click Add
5. Local > Enter the network address (Network IP) of the local network
6. Remote > Enter the network address (Network IP) of the remote network
7. Click OK
8. Click On Phase2 Settings tab
9. Select the IPSec Proposal listed and click Remove
10. Click Add
11. Select Create a new Proposal and match the settings as per below. Note – I would actually choose 128-bit encryption as 256 bit creates a fair bit of overhead.
12. Click OK
13. Click OK
14. Click Close
The VPN has been configured
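The tunnel only comes up when the remote office's gateway and tunnel are an exact mirror of the settings above: same pre-shared key, the same Phase 1 settings, each side's Remote Gateway and Gateway ID equal to the other side's external IP, and the Local and Remote networks swapped. The following Python script is an added example, not WatchGuard code (the Firebox exposes no such scripting API); it models the settings from Steps 1 and 2 for both firewalls and reports every mismatch, including a host address typed where a network address is required. All addresses, names and the proposal label are constructed sample values.

```python
"""Mirror check for the two-office BOVPN built in Steps 1 and 2.

Added example, not WatchGuard code (the Firebox offers no such scripting API).
It models the settings entered on each firewall and reports anything that
would keep the tunnel from negotiating. All addresses and names are
constructed sample values (RFC 5737 public ranges, RFC 1918 private ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Gateway:
    """Step 1: Branch Office Gateway settings on one firewall."""
    name: str
    psk: str
    local_ip: str        # public IP of this firewall's external interface
    remote_ip: str       # public IP of the peer firewall
    remote_id: str       # gateway ID; the steps above enter the remote IP here
    mode: str = "Main"
    nat_traversal: bool = False
    ike_keepalive: bool = False
    dpd: bool = True     # Dead Peer Detection
    transform: str = "SHA1-DES"
    sa_life_hours: int = 24


@dataclass
class Tunnel:
    """Step 2: Branch Office Tunnel settings on one firewall."""
    name: str
    local_net: str
    remote_net: str
    phase2_proposal: str


def _network(label, value, problems):
    """Parse a tunnel address; strict=True rejects a host address such as
    10.2.0.5/24 where the network address 10.2.0.0/24 is required."""
    try:
        return ip_network(value, strict=True)
    except ValueError as exc:
        problems.append(f"{label}: {value!r} is not a network address ({exc})")
        return None


def check_mirror(gw_a, tun_a, gw_b, tun_b):
    """Return a list of mismatches between the two sides; empty means they agree."""
    problems = []
    if gw_a.psk != gw_b.psk:
        problems.append("pre-shared keys differ")
    # Each side's remote gateway and gateway ID must be the peer's external IP.
    for own, peer in ((gw_a, gw_b), (gw_b, gw_a)):
        if ip_address(own.remote_ip) != ip_address(peer.local_ip):
            problems.append(f"{own.name}: remote gateway {own.remote_ip} "
                            f"is not the peer's external IP {peer.local_ip}")
        if own.remote_id != own.remote_ip:
            problems.append(f"{own.name}: gateway ID {own.remote_id} "
                            f"does not match remote gateway {own.remote_ip}")
    # Phase 1 settings must be identical on both firewalls.
    for attr in ("mode", "nat_traversal", "ike_keepalive", "dpd",
                 "transform", "sa_life_hours"):
        if getattr(gw_a, attr) != getattr(gw_b, attr):
            problems.append(f"phase 1 {attr} differs: "
                            f"{getattr(gw_a, attr)!r} vs {getattr(gw_b, attr)!r}")
    # Phase 2: networks must be valid and swapped, proposal identical.
    a_local = _network(f"{gw_a.name} local", tun_a.local_net, problems)
    a_remote = _network(f"{gw_a.name} remote", tun_a.remote_net, problems)
    b_local = _network(f"{gw_b.name} local", tun_b.local_net, problems)
    b_remote = _network(f"{gw_b.name} remote", tun_b.remote_net, problems)
    if None not in (a_local, a_remote, b_local, b_remote):
        if a_local != b_remote or a_remote != b_local:
            problems.append("tunnel local/remote networks are not mirrored")
    if tun_a.phase2_proposal != tun_b.phase2_proposal:
        problems.append("phase 2 proposals differ")
    return problems


# Constructed sample: head office and remote office, configured as mirrors.
HQ_GW = Gateway("Gateway to RemoteOffice", "example-psk",
                "203.0.113.10", "198.51.100.20", "198.51.100.20")
HQ_TUN = Tunnel("Tunnel to Remote Office", "10.1.0.0/24", "10.2.0.0/24",
                "AES128-SHA1")  # proposal name is a constructed label
REMOTE_GW = Gateway("Gateway to HQ", "example-psk",
                    "198.51.100.20", "203.0.113.10", "203.0.113.10")
REMOTE_TUN = Tunnel("Tunnel to HQ", "10.2.0.0/24", "10.1.0.0/24", "AES128-SHA1")


def example_broken():
    """Remote admin set an 8-hour SA life and typed a host address: both flagged."""
    bad_gw = Gateway("Gateway to HQ", "example-psk", "198.51.100.20",
                     "203.0.113.10", "203.0.113.10", sa_life_hours=8)
    bad_tun = Tunnel("Tunnel to HQ", "10.2.0.5/24", "10.1.0.0/24", "AES128-SHA1")
    return check_mirror(HQ_GW, HQ_TUN, bad_gw, bad_tun)


if __name__ == "__main__":
    print("matching sides:", check_mirror(HQ_GW, HQ_TUN, REMOTE_GW, REMOTE_TUN))
    for problem in example_broken():
        print("broken side:", problem)
```

Run it as-is to see the mirrored pair pass and the deliberately broken remote side produce two findings; to check a real deployment, fill the two Gateway and Tunnel objects from what was typed into Policy Manager on each firewall.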
Step 3: Configure VPN Failover (optional)
To configure manual BOVPN tunnels to fail over to a backup endpoint, you must define more than one set of local and remote endpoints (gateway pairs) for each gateway.
For complete failover functionality for a VPN configuration, you must define gateway pairs for each combination of external interfaces on each side of the tunnel. For example, suppose your primary local endpoint is 126.96.36.199/24 with a backup of 188.8.131.52/24. Your primary remote endpoint is 184.108.40.206/24 with a backup of 220.127.116.11/24. For complete VPN Failover, you would need to define these four gateway pairs:
126.96.36.199 – 184.108.40.206 (primary local to primary remote)
126.96.36.199 – 220.127.116.11 (primary local to backup remote)
188.8.131.52 – 184.108.40.206 (backup local to primary remote)
188.8.131.52 – 220.127.116.11 (backup local to backup remote)
1. Select VPN > Branch Office Gateways. Click Add to add a new gateway. Give the gateway a name and define the credential method, as described in Configure Gateways.
2. In the Gateway Endpoints section of the New Gateway dialog box, click Add.
3. Specify the location of the local and remote gateways. Select the external interface name that matches the local gateway IP address or domain name you add.
You can add both a gateway IP address and gateway ID for the remote gateway. This can be necessary if the remote gateway is behind a NAT device and requires more information to authenticate to the network behind the NAT device.
4. Click OK to close the New Gateway Endpoints Settings dialog box.
The New Gateway dialog box appears. The gateway pair you defined appears in the list of gateway endpoints.
5. Repeat this procedure to define additional gateway pairs. You can add up to nine gateway pairs. You can select a pair and click Up or Down to change the order in which the Firebox or XTM device attempts connections.
6. Click OK.
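The four-pair example generalises: with n local and m remote endpoints, complete failover needs every one of the n × m combinations, listed primaries first because the Firebox tries them in list order, and no more than nine fit. The following Python script is an added example, not WatchGuard code; it builds that list, checks the nine-pair limit, and reports which combinations an already configured gateway is still missing. The endpoint addresses it reuses are the ones from the example above.

```python
"""Gateway-pair planning for BOVPN failover (Step 3).

Added example, not WatchGuard code. It builds every local/remote endpoint
combination a gateway needs for complete failover, keeps primaries first
(the order in which connections are attempted), checks the nine-pair limit,
and lists the combinations an existing gateway still lacks. The endpoint
addresses reused at the bottom are the ones from the text above.
"""
from itertools import product

MAX_GATEWAY_PAIRS = 9  # limit on gateway pairs per gateway, per the text


def failover_pairs(local_endpoints, remote_endpoints):
    """Return every (local, remote) pair, primary endpoints listed first.

    product() preserves input order, so with each list given as
    [primary, backup] the first pair is primary-to-primary.
    """
    return list(product(local_endpoints, remote_endpoints))


def within_limit(pairs):
    """True if the pair list fits in the gateway endpoints list."""
    return len(pairs) <= MAX_GATEWAY_PAIRS


def missing_pairs(configured, local_endpoints, remote_endpoints):
    """Combinations still needed for complete failover, in attempt order."""
    have = set(configured)
    return [p for p in failover_pairs(local_endpoints, remote_endpoints)
            if p not in have]


# Endpoints from the example in the text: [primary, backup] on each side.
LOCAL = ["126.96.36.199", "188.8.131.52"]
REMOTE = ["184.108.40.206", "220.127.116.11"]

if __name__ == "__main__":
    pairs = failover_pairs(LOCAL, REMOTE)
    for local, remote in pairs:
        print(f"{local} - {remote}")
    print("fits in gateway:", within_limit(pairs))
    # A gateway that only has the primary pair configured is missing three.
    print("missing:", missing_pairs([(LOCAL[0], REMOTE[0])], LOCAL, REMOTE))
```

Feed missing_pairs the pairs already shown in the gateway's endpoint list to get the exact entries still to add, in the order they should sit in the list.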