IPSec VPN configuration overview
To configure a site-to-site IPSec VPN, two devices (the G450 and a peer Gateway) must be
configured symmetrically.
In some cases, you may wish to configure global VPN parameters (see Configuring global parameters on page 524).
Note:
In the following sections, all IPSec VPN parameters that you must configure are
indicated as mandatory parameters. Non-mandatory VPN parameters have default
values that are used unless otherwise set. Thus, for example, although it is mandatory
to define at least one ISAKMP policy, it is not mandatory to set the values for that
ISAKMP policy, since the G450 contains default ISAKMP policy settings.
Coordinating with the VPN peer
Before commencing IPSec VPN configuration, you must resolve jointly with your VPN peer the
basic parameters so that IPSec VPN can be set up symmetrically in the two peers. If the IPSec
VPN configuration in the two peers does not match, no VPN is created.
Note:
If you will be defining a peer-group which maintains a list of redundant peers,
each of the peers in the group must be configured to match the G450.
The basic parameters include:
● The IKE phase 1 parameters (as defined in the ISAKMP policy, see Configuring ISAKMP policies on page 512)
● The IKE phase 2 parameters (as defined in the transform-set, see Configuring transform-sets on page 513)
● The ISAKMP peer parameters (see Configuring ISAKMP peer information on page 514)
● Which packets should be secured (as defined in the crypto list, see Configuring crypto lists on page 520)
● The peer addresses. For each peer, the local address entered in the crypto list (see Configuring crypto lists on page 520) should match the ISAKMP peer address in the other peer (see Configuring ISAKMP peer information on page 514).
● NAT Traversal, if your installation includes one or more NAT devices between the local and remote VPN peers. See Configuring global parameters on page 524.
See IPSec VPN logging on page 528 for information on how to view IPSec VPN configuration in both peers so as to pinpoint the problem in case of a mismatch between the two peers.
Configuring a site-to-site IPSec VPN
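A pre-configuration check for the parameters listed above, as an added example that is not from the G450 documentation: it compares two peers' planning worksheets and reports every item that does not match. The dictionary keys and all values are hypothetical (they are not G450 CLI keywords), and the mirrored-selector test is an assumption about what symmetric crypto lists require.

```python
import ipaddress

# Hypothetical worksheet keys (not G450 CLI keywords); all values are constructed.
SITE_A = {
    "name": "site-a", "local_address": "192.0.2.1", "isakmp_peer_address": "198.51.100.1",
    "ike_phase1": {"encryption": "aes", "hash": "sha", "dh_group": 2},
    "ike_phase2": {"esp_encryption": "aes", "esp_auth": "sha-hmac"},
    "nat_traversal": True,
    "protected": [("10.1.0.0/16", "10.2.0.0/16")],  # (source, destination) to secure
}
SITE_B = {
    "name": "site-b", "local_address": "198.51.100.1", "isakmp_peer_address": "192.0.2.10",
    "ike_phase1": {"encryption": "aes", "hash": "sha", "dh_group": 5},
    "ike_phase2": {"esp_encryption": "aes", "esp_auth": "sha-hmac"},
    "nat_traversal": True,
    "protected": [("10.2.0.0/16", "10.1.0.0/16")],
}


def selectors(site, mirror=False):
    """Normalise a site's (source, destination) pairs; optionally swap each pair."""
    pairs = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in site["protected"]}
    return {(d, s) for s, d in pairs} if mirror else pairs


def check_peers(a, b):
    """Return a sorted list of mismatches between two peer worksheets."""
    problems = []
    for section in ("ike_phase1", "ike_phase2"):
        for field in sorted(set(a[section]) | set(b[section])):
            if a[section].get(field) != b[section].get(field):
                problems.append(f"{section}.{field} differs")
    if a["nat_traversal"] != b["nat_traversal"]:
        problems.append("nat_traversal differs")
    # Each peer's local address must equal the ISAKMP peer address set on the other peer.
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_address(x["local_address"]) != ipaddress.ip_address(y["isakmp_peer_address"]):
            problems.append(f"{y['name']} isakmp_peer_address != {x['name']} local_address")
    # Assumption: symmetric crypto lists means A's (src, dst) appears on B as (dst, src).
    if selectors(a) != selectors(b, mirror=True):
        problems.append("protected traffic is not mirrored")
    return sorted(problems)


if __name__ == "__main__":
    for line in check_peers(SITE_A, SITE_B):
        print("MISMATCH:", line)
```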
Issue 1 January 2008
511