Flying Tower Firewall SSG5 VPN

Source: Internet
Author: User

Step one: define the encryption methods and related settings for the local end and the peer end.

If you do not understand these settings well, it is recommended to use the default PRE-G1-DES-MD5 on both ends.

If the peer end has already defined its own, you need to define a matching custom one here yourself.

Where to define it: VPNs -> AutoKey Advanced -> P1 Proposal -> New, then fill in and select the options as needed.

For the peer-end definition: VPNs -> AutoKey Advanced -> P2 Proposal -> New, then fill in and select the options as needed.
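The proposal name recommended above packs four parameters into one string. As an added example (not part of the original article), this Python code decodes such names, lists the parameters that are considered weak, and checks that both ends of a tunnel use the same proposal. The Phase 2 naming pattern (for example `nopfs-esp-des-md5`) and the weak-parameter policy are assumptions of this example.

```python
import re

# Phase 1 pattern, e.g. the page's PRE-G1-DES-MD5: auth - DH group - cipher - hash.
P1 = re.compile(r"^(?P<auth>pre|rsa|dsa)-(?P<dh>g\d+)-(?P<enc>des|3des|aes\d+)-(?P<hash>md5|sha\S*)$")
# Phase 2 pattern (assumed naming, e.g. nopfs-esp-des-md5): PFS group - protocol - cipher - hash.
P2 = re.compile(r"^(?P<dh>nopfs|g\d+)-(?P<proto>esp)-(?P<enc>des|3des|aes\d+)-(?P<hash>md5|sha\S*)$")

# Policy of this example (an assumption, adjust to your own standard).
WEAK = {
    "dh": {"g1": "DH group 1 (768-bit MODP)", "nopfs": "no perfect forward secrecy"},
    "enc": {"des": "DES (56-bit key)"},
    "hash": {"md5": "MD5"},
}

def decode(name):
    """Split a proposal name into its parameters; raise ValueError if unknown."""
    norm = name.strip().lower()
    for phase, pattern in ((1, P1), (2, P2)):
        m = pattern.match(norm)
        if m:
            return {"phase": phase, **m.groupdict()}
    raise ValueError(f"unrecognised proposal name: {name!r}")

def findings(name):
    """Return the weak parameters found in one proposal name."""
    parsed = decode(name)
    return [WEAK[f][parsed[f]] for f in ("dh", "enc", "hash") if parsed[f] in WEAK[f]]

def audit_tunnel(local, remote):
    """Check both ends of a tunnel: they must match, and each weak item is listed."""
    report = []
    if decode(local) != decode(remote):
        report.append(f"mismatch: local {local} vs remote {remote}")
    report += [f"{local}: {w}" for w in findings(local)]
    return report

if __name__ == "__main__":
    # Constructed sample: local end on the page's default, peer on a different proposal.
    for line in audit_tunnel("PRE-G1-DES-MD5", "pre-g2-aes128-sha"):
        print(line)
```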

Step two: create the gateway

VPNs -> AutoKey Advanced -> Gateway -> New

Enter a gateway name.

If the peer end has a static IP, select Static IP Address and fill in the IP address. If it is not static, select the appropriate dial-up method and fill it in. A static IP is assumed here.

Leave the other settings at their defaults.

Then click "Advanced".

Fill in the Preshared Key. This is the secret used for encryption, and both sides must enter the same value.

Outgoing Interface: select the outgoing port, that is, the external-network interface corresponding to the remote IP address that the peer end fills in.

Security Level: select Custom, then select the appropriate encryption. Using the default is recommended, that is, PRE-G1-DES-MD5.

Enable NAT-Traversal: when selected, it seems that the peer's IP is used to access the Internet. It is generally left unselected by default, because this end's own Internet connection is used.

Leave the other settings at their defaults and click "Return".

Then click "OK" again.

Now the gateway is created.

Step three: create the VPN

VPNs -> AutoKey IKE -> New

Enter a name, then for Remote Gateway select Predefined and choose the gateway that was just created.

Then click "Advanced".

For Security Level, again select Custom and then select the appropriate encryption method.

Bind to: select the tunnel interface to bind to. If there is no free tunnel interface, go to the list under Network and create one. That is not covered here.

Local IP/Netmask: fill in the local intranet gateway and its mask address.

Remote IP/Netmask: fill in the peer end's intranet gateway and its mask address.

Service: you can customize which services the VPN allows. The default is all, that is, ANY.

Check VPN Monitor. This lets you view the status of the VPN under VPNs -> Monitor Status.

Leave the other settings at their defaults, click Return, then click OK to save.

At this point the VPN itself has been created, but we find that it is not connected, because routing and policy have not been configured yet, so there is no path for the traffic.

Step four: establish routing

This tells the firewall that if the destination address is an IP on the peer end, the traffic goes through the tunnel just bound, not through another gateway.

Because the route is defined by destination address, we go to the destination routing table.

Network -> Routing -> Destination -> New

If the route is for all machines on the peer side, fill in the peer end's gateway and subnet mask.

If it is for a specific machine, fill in that machine's IP, with a mask of 32.

Then for Interface, select the tunnel that was bound above.

Leave the other settings at their defaults, then click OK to save.

The last step: define the policies

That is, create 2 new policies.

The first is Trust -> Untrust. The source is the gateway and subnet mask on this side, and the destination is the peer end's gateway and subnet mask. For Service, select ANY if all services are allowed. Leave the other settings at their defaults and click OK to save.

The second is Untrust -> Trust, with the IPs above filled in the opposite way.

OK, the steps above complete the VPN configuration, as long as the peer end is configured the same way.

Then we can check under VPNs -> Monitor Status whether it succeeded. If the status is Up, it succeeded.

This article is from the "Operation and maintenance work Struggle" blog; please be sure to retain this source: http://yanghuawu.blog.51cto.com/2638960/662450
