Preshared Key Authentication
Note: To configure VPNs, you need a Unified Threat Management license.
The following tutorials cover the creation of the main types of VPN tunnels. The examples build on each other, that is, the configuration settings in each example build on those of the previous one.
This first example begins with a simple two-network VPN using shared secrets. The following networks are to be routed together via a VPN tunnel:
We use Preshared Key authentication initially. This is the easiest to set up.
Configuring Network A
There's no need for a CA or any certificates.
Create a tunnel with the following characteristics; we call this tunnel Tunnel 1. Where a parameter isn't listed, leave it at its default value:
| Parameter | Description |
| --- | --- |
| Name | Tunnel 1 |
| Local network | Set to the opposite end's remote network value. |
| Local ID type | Local IP |
| Local IP | The local IP address that clients connect to. |
| Remote IP or hostname | 200.0.0.1 |
| Remote network | 192.168.12.0/24 |
| Remote ID type | User specified IP |
| Authenticate by | Preshared Key |
| Preshared Key | loudspeaker |
| Preshared Key again | loudspeaker |
All other settings can be left at their defaults.
Configuring Network B
Here a single tunnel is created:
| Parameter | Description |
| --- | --- |
| Name | Tunnel 1 |
| Local network | Set to the opposite end's remote network value. |
| Local ID type | Local IP |
| Local IP | The local IP address that clients connect to. |
| Remote IP or hostname | 100.0.0.1 |
| Remote network | 192.168.0.0/24 |
| Remote ID type | User specified IP |
| Authenticate by | Preshared Key |
| Preshared Key | loudspeaker |
| Preshared Key again | loudspeaker |
Creating a firewall rule
For traffic to flow through the tunnel, you must create a firewall rule that allows traffic to be routed between the internal networks and the clients connecting via IPSEC. This is done in the Network - Firewall section. For a bi-directional rule select both IPSEC and the Internal interfaces in both incoming and outgoing interfaces and select the accept action.
Testing
Restart the VPN system on both ends. Both ends are set as initiators. Therefore, the tunnels should come up immediately.
To actually test that the VPN is routing, ping a host on the remote network from a device on the local one. You should also be able to connect to servers and desktops on the remote network using your standard tools.
Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote system ID type and the remote system external IP in the Remote system ID Value.
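The two tunnel tables above must mirror each other exactly, and the note above requires unique remote IDs once several PSK tunnels exist. The following checker, an added example that is not part of the product documentation or its tooling, encodes those rules; the tunnel dictionaries are constructed from the tables, with each end's local IP assumed to be the opposite end's "Remote IP or hostname".

```python
import ipaddress

# Constructed from the two tables on this page; local values are taken from
# the opposite end's remote settings, as the tables instruct.
TUNNEL_A = {"name": "Tunnel 1", "local_network": "192.168.0.0/24", "local_ip": "100.0.0.1",
            "remote_ip": "200.0.0.1", "remote_network": "192.168.12.0/24", "psk": "loudspeaker"}
TUNNEL_B = {"name": "Tunnel 1", "local_network": "192.168.12.0/24", "local_ip": "200.0.0.1",
            "remote_ip": "100.0.0.1", "remote_network": "192.168.0.0/24", "psk": "loudspeaker"}

def check_tunnel_pair(a, b):
    """Return the mismatches between the two ends; an empty list means they mirror correctly."""
    problems = []
    for x, y, px, py in ((a, b, "A", "B"), (b, a, "B", "A")):
        # Each end's local network must equal the other end's remote network.
        if x["local_network"] != y["remote_network"]:
            problems.append(f"{px} local network != {py} remote network")
        # Each end's local IP must equal the other end's remote IP.
        if x["local_ip"] != y["remote_ip"]:
            problems.append(f"{px} local IP != {py} remote IP")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    try:
        # Overlapping networks cannot be routed unambiguously through the tunnel.
        if ipaddress.ip_network(a["local_network"]).overlaps(ipaddress.ip_network(b["local_network"])):
            problems.append("the two local networks overlap")
    except ValueError as exc:
        problems.append(f"invalid network: {exc}")
    return problems

def psk_is_weak(psk):
    """A short PSK or a plain dictionary-style word is easy to guess offline."""
    return len(psk) < 20 or psk.isalpha()

def check_remote_ids(tunnels):
    """With several PSK tunnels on one gateway, each remote ID value must be unique."""
    seen, problems = {}, []
    for t in tunnels:
        rid = t.get("remote_id_value", t["remote_ip"])  # default: remote external IP
        if rid in seen:
            problems.append(f"{t['name']} shares remote ID {rid} with {seen[rid]}")
        else:
            seen[rid] = t["name"]
    return problems

if __name__ == "__main__":
    print(check_tunnel_pair(TUNNEL_A, TUNNEL_B))  # []
    print(psk_is_weak(TUNNEL_A["psk"]))           # True
```

Run it against your own tunnel definitions before restarting the VPN system; a non-empty list from `check_tunnel_pair` is the usual reason a tunnel fails to come up.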