2.2.31. IPsec VPN configuration example

This section describes a configuration example of Managed Firewall/UTM using IPsec VPN.

2.2.31.1. Use case (IPsec VPN over the Internet)

The use case is as follows.
Example: an IPsec VPN is established over the Internet so that the two Tenants can communicate with each other.

Figure: configuration example


2.2.31.2. Condition

When Managed FW/UTM communicates over IPsec VPN via the Internet, an Internet Gateway is required.
In addition, Managed FW/UTM negotiates with the peer device using the IP address of its own interface, so a global IP address must be assigned to that interface.

It is assumed that the following work, described under other use cases, has already been completed.
• Create Managed Firewall/UTM
• Managed Firewall/UTM interface setting / connection to logical network
• Managed Firewall/UTM routing settings (default gateway setting)
  • Destination IP: 0.0.0.0
  • Subnet Mask: 0.0.0.0
  • Gateway address: Gateway IPv4 address of Internet-GW (e.g. 1.1.1.1)
  • Interface: port on which the default gateway is set (e.g. Port4)

Note

  • Managed Firewall/UTM requires one global IP address.
    The Internet Gateway is made redundant with VRRP and requires three global IP addresses, so a total of four global IP addresses must be prepared.
    Therefore, create the logical network with a /29 or larger so that 4 host addresses are available.
  • Due to Managed Firewall/UTM specifications, IPsec VPN can be used only in a single (non-HA) configuration. It cannot be used in an HA configuration.


Below is an example of the Managed FW/UTM settings on the Tenant_A side.


2.2.31.3. Setting procedure ①-1 IPsec setting

For details of the IPsec setting, see IPsec Configuration (4901_ipsec_configuration).
Create a Tunnel interface from the IPsec Setting.
After entering the setting values, press the [Save] button.
IPsec Setting 01

Item                     Setting value
Interface                port4
Proposal (Phase1)        Optional (up to 9 selectable)
DH Group (Phase 1)       Optional (up to 3 selectable)
Remote Gateway           2.2.2.4
Pre-Shared Key           Test@1234 (example)
Proposal (Phase2)        Optional (up to 9 selectable)
DH Group (Phase 2)       Optional (up to 3 selectable)

Note

  • Remote Gateway is the global IP address assigned to the IPsec interface of the peer Managed FW/UTM (2.2.2.4 in this example).

  • The character string entered in the Pre-Shared Key must match the peer device exactly (it is case-sensitive). The value Test@1234 is only an example; use a long, randomly generated key in production and do not reuse it across tunnels.

  • At least one Proposal / DH Group value in each phase must match the peer device, otherwise negotiation fails.


Click [Save changes] on the device management screen to apply the IPsec setting.
Save changes


2.2.31.4. Setting procedure ② - 1 IPsec routing

For details on IPsec routing, see IPsec Routing.
Create a static route whose next hop is the Tunnel interface with IPsec Routing.
After entering the setting values, press the [Save] button.
IPsec Routing 01

Item                     Setting value
Destination IP Address   192.168.2.0
Subnet Mask              255.255.255.0
Blackhole Routing        Disable
Interface                Tunnel 1


If the Tunnel interface goes down, the route to the Tunnel is withdrawn, so packets for 192.168.2.0/24 follow the default route, that is, they are forwarded unencrypted toward the Internet Gateway.
By adding a second route for the same destination with Blackhole Routing enabled, such packets are discarded while the Tunnel is down, which prevents this unexpected forwarding.
After entering the setting values, press the [Save] button.
IPsec Routing 02

Item                     Setting value
Destination IP Address   192.168.2.0
Subnet Mask              255.255.255.0
Blackhole Routing        Enable


Note

  • When configuring Blackhole Routing, make sure the Destination IP Address / Subnet Mask entered match those of the route to the Tunnel interface exactly; otherwise the blackhole route does not cover the same traffic.

Click [Save changes] on the device management screen to apply the routing setting.
Save changes
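The failure mode described above, as an added example that is not part of this page or the product: a small Python model of the route lookup that selects by longest prefix match, withdraws routes via a down Tunnel, and shows that without the blackhole route traffic for 192.168.2.0/24 falls through to the default route on port4 (toward the Internet Gateway, in clear text), while with the blackhole route it is dropped. The Route model, the resolve() function and its tie-break rule are assumptions of this example; the addresses are those from the IPsec Routing tables above.

```python
"""Model of the Managed FW/UTM route lookup for the Tenant_B prefix.

Added example for this page, not the product's CLI or API. The Route model,
resolve() and the tie-break rule below are assumptions; the addresses are the
ones from the IPsec Routing tables above.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str        # "port4", "Tunnel 1", or "blackhole" for a discard route
    blackhole: bool = False


def build_table(with_blackhole: bool) -> list:
    """Routes from the page: default route via port4 (Internet-GW 1.1.1.1)
    and the IPsec route for Tenant_B's 192.168.2.0/24 via Tunnel 1, plus the
    optional blackhole route for the same prefix (IPsec Routing 02)."""
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "port4"),
        Route(ipaddress.ip_network("192.168.2.0/24"), "Tunnel 1"),
    ]
    if with_blackhole:
        table.append(Route(ipaddress.ip_network("192.168.2.0/24"), "blackhole", True))
    return table


def resolve(table, dst: str, down_interfaces=frozenset()) -> str:
    """Return the egress for dst: an interface name, or "blackhole" if dropped.

    Routes via an interface that is down are withdrawn, as the text above says.
    Among the rest the longest prefix wins; for equal length an interface
    route beats a blackhole route (assumption: the blackhole is a fallback only).
    """
    ip = ipaddress.ip_address(dst)
    candidates = [
        r for r in table
        if r.interface not in down_interfaces and ip in r.prefix
    ]
    if not candidates:
        return "blackhole"
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, not r.blackhole))
    return "blackhole" if best.blackhole else best.interface


def leaks_to_internet(with_blackhole: bool, dst: str = "192.168.2.10") -> bool:
    """True if traffic for dst reaches port4 (and so the Internet Gateway)
    while Tunnel 1 is down."""
    return resolve(build_table(with_blackhole), dst, frozenset({"Tunnel 1"})) == "port4"


if __name__ == "__main__":
    for with_bh in (False, True):
        table = build_table(with_bh)
        print(f"blackhole={with_bh}: tunnel up -> {resolve(table, '192.168.2.10')}, "
              f"tunnel down -> {resolve(table, '192.168.2.10', frozenset({'Tunnel 1'}))}")
```

Running the block prints the egress for a Tenant_B address with and without the blackhole route, for the Tunnel up and down; the down case without the blackhole route resolves to port4, which is exactly the leak the second route exists to prevent. Traffic for any other destination is unaffected by the blackhole route because the default route still has the longest matching prefix for it.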


2.2.31.5. Setting procedure ③-1 IPsec policy

For details on the IPsec policy, see IPsec Policy.
Create a policy for the Tunnel interface with IPsec Policy.
In the following example, a policy permitting HTTP from the inside (port5) to the Tunnel is created.
After entering the setting values, press the [Save] button.
IPsec Policy 01

Item                       Setting value
Enable                     Checked
Incoming Interface         port5
Source Address             all
Outgoing Interface         Tunnel 1
Destination Address Type   Address Object
Destination Address        all
Service                    HTTP
Action                     Accept
NAT                        Unchecked
Log                        Any setting

Note

  • Source Address and Destination Address are set to all here only to keep the example short. In production, restrict them to the subnets that actually need to communicate over the Tunnel (for example the Tenant_A internal network and 192.168.2.0/24), and limit Service to the protocols required.

Click [Save changes] in Device Management to apply the firewall policy.
Save changes
This completes the settings of the Managed FW/UTM on the Tenant_A side.
Configure the Managed FW/UTM on the Tenant_B side in the same way.

Note

  • To allow communication through the Tunnel, the IPsec Policy must also be set on the Tenant_B Managed Firewall/UTM, with the interfaces mirrored; a permit into the Tunnel on one side is useless unless the other side permits the traffic out of the Tunnel.
    [When allowing communication from Tenant_A to Tenant_B]
    Tenant_A FW/UTM: Incoming Interface: port5, Outgoing Interface: Tunnel 1, Action: Accept
    Tenant_B FW/UTM: Incoming Interface: Tunnel 1, Outgoing Interface: port5, Action: Accept
    [When allowing communication from Tenant_B to Tenant_A]
    Tenant_B FW/UTM: Incoming Interface: port5, Outgoing Interface: Tunnel 1, Action: Accept
    Tenant_A FW/UTM: Incoming Interface: Tunnel 1, Outgoing Interface: port5, Action: Accept

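The matching requirements from the IPsec Setting notes (pre-shared key, at least one common Proposal / DH Group per phase, Remote Gateway pointing at the peer) and the mirrored-policy requirement from the note above, as one added consistency check that is not part of this page or the product. The Peer/Policy model, the function names, the proposal names ("aes256-sha256", DH group "14"), the pre-shared-key strength heuristic and Tenant_A's own port4 address (1.1.1.4) are assumptions made for this example; the Remote Gateway, the example key, the interface names and the selection limits come from the tables above.

```python
"""Cross-check of the Tenant_A and Tenant_B Managed FW/UTM IPsec settings.

Added example for this page, not the product's CLI or API. The Peer/Policy
model, the function names, the proposal names ("aes256-sha256", DH group "14")
and the pre-shared-key strength heuristic are assumptions made here;
Tenant_A's own port4 address (1.1.1.4) is assumed too. The Remote Gateway,
PSK example, interface names and selection limits come from the tables above.
"""
import secrets
from dataclasses import dataclass, field

MAX_PROPOSALS = 9      # "Optional (up to 9 selectable)" for each Proposal field
MAX_DH_GROUPS = 3      # "Optional (up to 3 selectable)" for each DH Group field
DOC_EXAMPLE_PSK = "Test@1234"
MIN_PSK_LEN = 20       # heuristic threshold, an assumption of this example


@dataclass
class Policy:
    incoming: str
    outgoing: str
    action: str = "Accept"


@dataclass
class Peer:
    name: str
    local_gw: str          # global IP of this device's IPsec interface (port4)
    remote_gw: str         # "Remote Gateway" setting
    psk: str               # "Pre-Shared Key" setting
    p1_proposals: frozenset
    p1_dh: frozenset
    p2_proposals: frozenset
    p2_dh: frozenset
    policies: list = field(default_factory=list)

    def phases(self):
        return (
            ("Proposal (Phase1)", self.p1_proposals, MAX_PROPOSALS),
            ("DH Group (Phase 1)", self.p1_dh, MAX_DH_GROUPS),
            ("Proposal (Phase2)", self.p2_proposals, MAX_PROPOSALS),
            ("DH Group (Phase 2)", self.p2_dh, MAX_DH_GROUPS),
        )


def check_peer(p: Peer) -> list:
    """Checks one side can fail on its own."""
    issues = []
    for label, values, limit in p.phases():
        if not values:
            issues.append(f"{p.name}: {label} is empty")
        elif len(values) > limit:
            issues.append(f"{p.name}: {label} has {len(values)} entries, limit is {limit}")
    if p.psk == DOC_EXAMPLE_PSK or len(p.psk) < MIN_PSK_LEN:
        issues.append(f"{p.name}: pre-shared key is the documentation example "
                      f"or shorter than {MIN_PSK_LEN} characters")
    return issues


def check_pair(a: Peer, b: Peer) -> list:
    """Checks that need both sides; returns [] when the two peers are consistent."""
    issues = check_peer(a) + check_peer(b)
    for x, y in ((a, b), (b, a)):
        if x.remote_gw != y.local_gw:
            issues.append(f"{x.name}: Remote Gateway {x.remote_gw} is not "
                          f"{y.name}'s interface address {y.local_gw}")
    if a.psk != b.psk:  # exact, case-sensitive, like the devices themselves
        issues.append("pre-shared key differs between peers")
    for (label, sa, _), (_, sb, _) in zip(a.phases(), b.phases()):
        if not sa & sb:
            issues.append(f"{label}: no value in common ({sorted(sa)} vs {sorted(sb)})")
    # A permit into the tunnel on one side needs a permit out of the tunnel on
    # the other side, otherwise the other device drops the traffic.
    for x, y in ((a, b), (b, a)):
        for pol in x.policies:
            if pol.action == "Accept" and pol.outgoing == "Tunnel 1" and not any(
                q.action == "Accept" and q.incoming == "Tunnel 1" for q in y.policies
            ):
                issues.append(f"{x.name} permits {pol.incoming} -> Tunnel 1 but "
                              f"{y.name} has no Accept policy from Tunnel 1")
    return issues


def example_peers(psk: str):
    """The two sides from this page, both permitting traffic in both directions."""
    common = dict(p1_proposals=frozenset({"aes256-sha256"}), p1_dh=frozenset({"14"}),
                  p2_proposals=frozenset({"aes256-sha256"}), p2_dh=frozenset({"14"}))
    mirrored = [Policy("port5", "Tunnel 1"), Policy("Tunnel 1", "port5")]
    a = Peer("Tenant_A", "1.1.1.4", "2.2.2.4", psk, policies=list(mirrored), **common)
    b = Peer("Tenant_B", "2.2.2.4", "1.1.1.4", psk, policies=list(mirrored), **common)
    return a, b


if __name__ == "__main__":
    a, b = example_peers(secrets.token_urlsafe(32))
    print("fresh key, mirrored policies:", check_pair(a, b) or "OK")
    a, b = example_peers(DOC_EXAMPLE_PSK)
    b.policies = [Policy("port5", "Tunnel 1")]   # Tenant_B forgot the return policy
    for issue in check_pair(a, b):
        print("-", issue)
```

With a freshly generated key and mirrored policies the check returns no issues; with the documentation key and a missing Tenant_B policy from Tunnel 1 it reports both problems. The key comparison is deliberately exact, because a trailing space or different letter case in the Pre-Shared Key field fails Phase 1 on the real device just as it fails here.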

2.2.31.6. Confirmation of Tunnel up after setting is completed

After the settings are complete, you can check the status of the Tunnel from the IPsec Status View; a Tunnel that does not come up usually indicates a pre-shared key or Proposal / DH Group mismatch with the peer.
IPsec Status 01
For details on the IPsec Status View, see IPsec Status View.