WebUI (Device A)
1. Interfaces
NOTE: Moving the VLAN1 IP address to a different subnet causes the security device to delete any routes involving the previous VLAN1 interface. When configuring a security device through the WebUI, your workstation must reach the first VLAN1 address and then be in the same subnet as the new address. After changing the VLAN1 address, you must then change the IP address of your workstation so that it is in the same subnet as the new VLAN1 address. You might also have to relocate your workstation to a subnet physically adjacent to the security device.
Network > Interfaces > Edit (for the VLAN1 interface): Enter the following, then click OK:
IP Address/Netmask: 1.1.1.1/24
Manage IP: 1.1.1.2
Management Services: WebUI, Telnet
Other Services: Ping
NOTE: You enable the management options for WebUI, Telnet, and Ping on both the V1-Trust zone and the VLAN1 interface so that a local admin in the V1-Trust zone can reach the VLAN1 Manage IP address. If management through the WebUI is not already enabled on VLAN1 and the V1-Trust zone interfaces, you cannot reach the security device through the WebUI to make these settings. Instead, you must first set WebUI manageability on these interfaces through a console connection.
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: V1-Trust
IP Address/Netmask: 0.0.0.0/0
Select the following, then click OK:
Management Services: WebUI, Telnet
Other Services: Ping
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: V1-Untrust
IP Address/Netmask: 0.0.0.0/0
2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: local_lan
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.0/24
Zone: V1-Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: peer_lan
IP Address/Domain Name:
IP/Netmask: (select), 2.2.2.0/24
Zone: V1-Untrust
3. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: gw1
Security Level: Compatible
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 2.2.2.2
Preshared Key: h1p8A24nG5
Outgoing Zone: V1-Untrust
VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: vpn1
Security Level: Compatible
Remote Gateway:
Predefined: (select), gw1
4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: VLAN1 (VLAN)
Gateway IP Address: 1.1.1.250
5. Policies
Policies > (From: V1-Trust, To: V1-Untrust) New: Enter the following, then click OK:
Source Address:
Address Book Entry: (select), local_lan
Destination Address:
Address Book Entry: (select), peer_lan
Service: ANY
Action: Tunnel
Tunnel VPN: vpn1
Modify matching bidirectional VPN policy: (select)
Position at Top: (select)
WebUI (Device B)
1. Interfaces
NOTE: Moving the VLAN1 IP address to a different subnet causes the security device to delete any routes involving the previous VLAN1 interface. When configuring a security device through the WebUI, your workstation must reach the first VLAN1 address and then be in the same subnet as the new address. After changing the VLAN1 address, you must then change the IP address of your workstation so that it is in the same subnet as the new VLAN1 address. You might also have to relocate your workstation to a subnet physically adjacent to the security device.
Network > Interfaces > Edit (for the VLAN1 interface): Enter the following, then click OK:
IP Address/Netmask: 2.2.2.2/24
Manage IP: 2.2.2.3
Management Services: WebUI, Telnet
Other Services: Ping
NOTE: If management through the WebUI is not already enabled on VLAN1 and the V1-Trust zone interfaces, you cannot reach the security device through the WebUI to make these settings. Instead, you must first set WebUI manageability on these interfaces through a console connection.
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: V1-Trust
IP Address/Netmask: 0.0.0.0/0
Select the following, then click OK:
Management Services: WebUI, Telnet
Other Services: Ping
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
Zone Name: V1-Untrust
IP Address/Netmask: 0.0.0.0/0
2. Addresses
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: local_lan
IP Address/Domain Name:
IP/Netmask: (select), 2.2.2.0/24
Zone: V1-Trust
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: peer_lan
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.0/24
Zone: V1-Untrust
3. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: gw1
Security Level: Compatible
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 1.1.1.1
Preshared Key: h1p8A24nG5
Outgoing Zone: V1-Untrust
VPNs > AutoKey IKE > New: Enter the following, then click OK:
VPN Name: vpn1
Security Level: Compatible
Remote Gateway:
Predefined: (select), gw1
4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: VLAN1 (VLAN)
Gateway IP Address: 2.2.2.250
5. Policies
Policies > (From: V1-Trust, To: V1-Untrust) New: Enter the following, then click OK:
Source Address:
Address Book Entry: (select), local_lan
Destination Address:
Address Book Entry: (select), peer_lan
Service: ANY
Action: Tunnel
Tunnel VPN: vpn1
Modify matching bidirectional VPN policy: (select)
Position at Top: (select)
CLI (Device A)
1. Interfaces and Zones
unset interface ethernet1 ip
unset interface ethernet1 zone
set interface ethernet1 zone v1-trust
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ping
unset interface ethernet3 ip
unset interface ethernet3 zone
set interface ethernet3 zone v1-untrust
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage-ip 1.1.1.2
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ping
NOTE: You enable the management options for WebUI, Telnet, and Ping on both the V1-Trust zone and the VLAN1 interface so that a local admin in the V1-Trust zone can reach the VLAN1 Manage IP address.
2. Addresses
set address v1-trust local_lan 1.1.1.0/24
set address v1-untrust peer_lan 2.2.2.0/24
3. VPN
set ike gateway gw1 address 2.2.2.2 main outgoing-interface v1-untrust preshare h1p8A24nG5 sec-level compatible
set vpn vpn1 gateway gw1 sec-level compatible
4. Routes
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 1.1.1.250
5. Policies
set policy top from v1-trust to v1-untrust local_lan peer_lan any tunnel vpn vpn1
set policy top from v1-untrust to v1-trust peer_lan local_lan any tunnel vpn vpn1
save
CLI (Device B)
1. Interfaces and Zones
unset interface ethernet1 ip
unset interface ethernet1 zone
set interface ethernet1 zone v1-trust
set zone v1-trust manage
unset interface ethernet3 ip
unset interface ethernet3 zone
set interface ethernet3 zone v1-untrust
set interface vlan1 ip 2.2.2.2/24
set interface vlan1 manage-ip 2.2.2.3
set interface vlan1 manage
2. Addresses
set address v1-trust local_lan 2.2.2.0/24
set address v1-untrust peer_lan 1.1.1.0/24
3. VPN
set ike gateway gw1 address 1.1.1.1 main outgoing-interface v1-untrust preshare h1p8A24nG5 sec-level compatible
set vpn vpn1 gateway gw1 sec-level compatible
4. Routes
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 2.2.2.250
5. Policies
set policy top from v1-trust to v1-untrust local_lan peer_lan any tunnel vpn vpn1
set policy top from v1-untrust to v1-trust peer_lan local_lan any tunnel vpn vpn1
save
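Most failures of a site-to-site tunnel like this one come from the two ends not mirroring each other: a gateway pointed at the Manage IP instead of the VLAN1 address, a mistyped preshared key, address-book subnets that do not reverse cleanly into the peer's proxy ID, or a missing return-direction policy. The following script is an added example and is not part of the ScreenOS manual or of Juniper's tooling: it parses the Device A and Device B CLI blocks above (embedded here as constructed sample input, with the interface/zone setup and `save` omitted) and cross-checks them. The regexes recognise only the command forms used on this page; the function names `parse`, `tunnel_pairs` and `audit`, and the decision to flag `sec-level compatible` (which in ScreenOS still offers DES and MD5 proposals and Phase 2 proposals without PFS), are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the Device A and Device B CLI blocks from the page,
# one command per line (interface/zone setup and the trailing "save" omitted).
DEVICE_A = """\
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage-ip 1.1.1.2
set address v1-trust local_lan 1.1.1.0/24
set address v1-untrust peer_lan 2.2.2.0/24
set ike gateway gw1 address 2.2.2.2 main outgoing-interface v1-untrust preshare h1p8A24nG5 sec-level compatible
set vpn vpn1 gateway gw1 sec-level compatible
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 1.1.1.250
set policy top from v1-trust to v1-untrust local_lan peer_lan any tunnel vpn vpn1
set policy top from v1-untrust to v1-trust peer_lan local_lan any tunnel vpn vpn1
"""
DEVICE_B = """\
set interface vlan1 ip 2.2.2.2/24
set interface vlan1 manage-ip 2.2.2.3
set address v1-trust local_lan 2.2.2.0/24
set address v1-untrust peer_lan 1.1.1.0/24
set ike gateway gw1 address 1.1.1.1 main outgoing-interface v1-untrust preshare h1p8A24nG5 sec-level compatible
set vpn vpn1 gateway gw1 sec-level compatible
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 2.2.2.250
set policy top from v1-trust to v1-untrust local_lan peer_lan any tunnel vpn vpn1
set policy top from v1-untrust to v1-trust peer_lan local_lan any tunnel vpn vpn1
"""

# Only the command forms used on this page are recognised; anything else is skipped.
RULES = [
    ("iface", re.compile(r"^set interface (\S+) ip (\S+)$")),
    ("addr", re.compile(r"^set address (\S+) (\S+) (\S+)$")),
    ("ike", re.compile(r"^set ike gateway (\S+) address (\S+) (main|aggressive) "
                       r"outgoing-interface \S+ preshare (\S+) sec-level (\S+)$")),
    ("vpn", re.compile(r"^set vpn (\S+) gateway (\S+) sec-level (\S+)$")),
    ("policy", re.compile(r"^set policy(?: top)? from (\S+) to (\S+) (\S+) (\S+) (\S+) "
                          r"tunnel vpn (\S+)$")),
]


def parse(config):
    """Turn ScreenOS 'set' lines into interfaces, address-book entries, IKE gateways, VPNs and policies."""
    cfg = {"iface": {}, "addr": {}, "ike": {}, "vpn": {}, "policy": []}
    for line in config.splitlines():
        for kind, rx in RULES:
            m = rx.match(line.strip())
            if not m:
                continue
            g = m.groups()
            if kind == "iface":
                cfg["iface"][g[0]] = ipaddress.ip_interface(g[1])
            elif kind == "addr":
                cfg["addr"][g[1]] = (g[0], ipaddress.ip_network(g[2]))   # name -> (zone, subnet)
            elif kind == "ike":
                cfg["ike"][g[0]] = {"peer": g[1], "mode": g[2], "preshare": g[3], "p1": g[4]}
            elif kind == "vpn":
                cfg["vpn"][g[0]] = {"gateway": g[1], "p2": g[2]}
            else:
                cfg["policy"].append({"from": g[0], "to": g[1], "src": g[2],
                                      "dst": g[3], "svc": g[4], "vpn": g[5]})
            break
    return cfg


def tunnel_pairs(cfg):
    """(src_net, dst_net) for every tunnel policy: the proxy IDs this side will negotiate."""
    return {(cfg["addr"][p["src"]][1], cfg["addr"][p["dst"]][1]) for p in cfg["policy"]}


def audit(a, b):
    """Cross-check peers A and B; returns {'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    # 1. Each IKE gateway must point at the other side's VLAN1 address: in transparent
    #    mode IKE terminates on the VLAN1 IP, not on the Manage IP.
    a_ip, b_ip = str(a["iface"]["vlan1"].ip), str(b["iface"]["vlan1"].ip)
    gw_a = next((g for g in a["ike"].values() if g["peer"] == b_ip), None)
    gw_b = next((g for g in b["ike"].values() if g["peer"] == a_ip), None)
    if gw_a is None or gw_b is None:
        return {"errors": [f"IKE gateway addresses do not mirror VLAN1 IPs {a_ip} <-> {b_ip}"],
                "warnings": warnings}
    # 2. Preshared key, exchange mode and Phase 1 proposal set must be identical.
    if gw_a["preshare"] != gw_b["preshare"]:
        errors.append("preshared keys differ between peers")
    if gw_a["mode"] != gw_b["mode"]:
        errors.append(f"IKE mode mismatch: {gw_a['mode']} vs {gw_b['mode']}")
    if gw_a["p1"] != gw_b["p1"]:
        errors.append(f"Phase 1 sec-level mismatch: {gw_a['p1']} vs {gw_b['p1']}")
    # 3. Proxy IDs: every (src, dst) tunnelled on one side must appear reversed on the other.
    pa, pb = tunnel_pairs(a), tunnel_pairs(b)
    errors += [f"no policy on B mirrors A's {s} -> {d}" for s, d in pa if (d, s) not in pb]
    errors += [f"no policy on A mirrors B's {s} -> {d}" for s, d in pb if (d, s) not in pa]
    # 4. Each device needs the return-direction policy as well (what the WebUI's
    #    "Modify matching bidirectional VPN policy" checkbox creates for you).
    for side, cfg in (("A", a), ("B", b)):
        seen = {(p["from"], p["to"], p["src"], p["dst"], p["vpn"]) for p in cfg["policy"]}
        errors += [f"{side}: policy {f}->{t} {s}->{d} has no reverse policy"
                   for f, t, s, d, v in seen if (t, f, d, s, v) not in seen]
    # 5. Proposal strength: ScreenOS "compatible" still offers single DES, MD5 and
    #    no-PFS Phase 2 proposals, so flag it (this judgement is the example's own).
    for side, cfg in (("A", a), ("B", b)):
        levels = {g["p1"] for g in cfg["ike"].values()} | {v["p2"] for v in cfg["vpn"].values()}
        if "compatible" in levels:
            warnings.append(f"{side}: sec-level compatible admits DES/MD5; prefer standard")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for kind, msgs in audit(parse(DEVICE_A), parse(DEVICE_B)).items():
        print(kind, msgs)
```

Run it against the two blocks as written and the error list is empty; only the two `compatible` warnings remain. Change one character of the preshared key or one octet of `peer_lan` on Device B and the corresponding mismatch is reported before you ever look at `get ike cookies` or `get sa` on the box.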