Peer 3 Site-to-Site Configuration

IPsec Configuration

Phase 1 Configuration

  • Navigate to VPN > IPsec

  • Click Add P1

  • Set Key Exchange version to IKEv2

  • Set Internet Protocol to IPv4

  • Set Interface to WAN

  • Set Remote Gateway to 10.129.0.10

  • Set Authentication Method to Mutual PSK

  • Set My identifier to My IP address

  • Set Peer identifier to Peer IP address

  • Set Pre-Shared Key to 01234567

  • Set Encryption:

    • Algorithm to AES

    • Key length to 256 bit

    • Hash to SHA256

    • DH Group to 14 (2048 bit)

  • Set Lifetime to 28800

  • Click Save

Phase 2 Configuration

  • On the newly created Phase 1 entry, click Show Phase 2 Entries

  • Click Add P2

  • Set Mode to Routed (VTI)

  • Set Local Network to 10.131.4.2 and mask 30

  • Set Remote Network to 10.131.4.1

  • Set Protocol to ESP

  • Set Encryption Algorithms to AES and 256 bit

  • Uncheck all other Encryption Algorithms entries

  • Set Hash Algorithms to SHA256

  • Uncheck all other Hash Algorithms entries

  • Set PFS key group to 14 (2048 bit)

  • Set Lifetime to 3600

  • Click Save

  • Click Apply Changes

Interface Configuration

  • Navigate to Interfaces > Interface Assignments

  • From the Available network ports list, choose ipsecNNNN (IPsec VTI); the ID number will vary

  • Click Add

  • Note the newly created interface name, such as OPTX

  • Navigate to Interfaces > OPTX

  • Check Enable

  • Click Save

  • Click Apply Changes

Routing Configuration

  • Navigate to System > Routing, Static Routes tab

  • Click Add

  • Set Destination network to 192.168.0.0 and mask 23

  • Set Gateway to the gateway of the newly created VTI interface, which has an address of 10.131.3.1

  • Click Save

  • Click Add

  • Set Destination network to 192.168.2.0 and mask 24

  • Set Gateway to the gateway of the newly created VTI interface, which has an address of 10.131.3.1

  • Click Save

  • Click Apply Changes

Firewall Configuration

To allow connections into the local LAN from remote IPsec sites, create pass rules under Firewall > Rules on the IPsec tab. Set the Source on these rules to the remote LAN or whichever network is the source of the traffic to allow.

For simplicity, this example has a rule to pass IPv4 traffic from any source to any destination since the only IPsec interface traffic will be from 192.168.0.0/22.
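Before clicking through the Phase 2, Routing and Firewall steps above, the addresses and proposals they use can be checked against each other. This is an added script, not part of this page or of pfSense/TNSR: the TNSR-side proposals are constructed to match the Phase 1/2 settings, and the routing check treats the Phase 2 VTI addresses as authoritative, so with the values as written it reports the 10.131.3.1 route gateway because it lies outside the 10.131.4.0/30 VTI subnet.

```python
# Added pre-flight check for the Peer 3 VTI configuration (not pfSense or TNSR
# code). Values are taken from the lists on this page; the TNSR-side proposals
# are a constructed stand-in for what the other peer is configured with.
import ipaddress

PHASE1 = {"ike": "ikev2", "enc": "aes256", "hash": "sha256", "dh": 14, "lifetime": 28800}
PHASE2 = {"proto": "esp", "enc": "aes256", "hash": "sha256", "pfs": 14, "lifetime": 3600}
VTI_LOCAL = ipaddress.ip_interface("10.131.4.2/30")   # Phase 2 Local Network
VTI_REMOTE = ipaddress.ip_address("10.131.4.1")       # Phase 2 Remote Network
STATIC_ROUTES = [("192.168.0.0/23", "10.131.3.1"), ("192.168.2.0/24", "10.131.3.1")]
IPSEC_RULE_SOURCE = ipaddress.ip_network("192.168.0.0/22")  # summary the pass rule relies on

# Constructed: proposals assumed on the TNSR peer; they must match field for field.
TNSR_PHASE1 = dict(PHASE1)
TNSR_PHASE2 = dict(PHASE2)

def check_vti(local, remote):
    """The remote VTI address must sit in the same /30 as the local one and differ from it."""
    return remote in local.network and remote != local.ip

def check_routes(routes, vti_local, rule_source):
    """Each static route must point at a gateway inside the VTI subnet and its
    destination must be covered by the IPsec-tab pass rule's source summary."""
    findings = []
    for dest, gw in routes:
        net = ipaddress.ip_network(dest)
        if ipaddress.ip_address(gw) not in vti_local.network:
            findings.append(f"route {dest}: gateway {gw} is not in VTI subnet {vti_local.network}")
        if not net.subnet_of(rule_source):
            findings.append(f"route {dest}: not covered by IPsec rule source {rule_source}")
    return findings

def check_proposals(local, remote):
    """Return the keys on which the two peers' proposals differ; any difference keeps the tunnel down."""
    return [k for k in local if local[k] != remote.get(k)]

def run_checks():
    """Collect every finding as a list of strings; an empty list means the values are consistent."""
    findings = []
    if not check_vti(VTI_LOCAL, VTI_REMOTE):
        findings.append("VTI local/remote addresses are not in one /30")
    findings += check_routes(STATIC_ROUTES, VTI_LOCAL, IPSEC_RULE_SOURCE)
    findings += [f"phase1 mismatch: {k}" for k in check_proposals(PHASE1, TNSR_PHASE1)]
    findings += [f"phase2 mismatch: {k}" for k in check_proposals(PHASE2, TNSR_PHASE2)]
    return findings

if __name__ == "__main__":
    for line in run_checks() or ["no findings"]:
        print(line)
```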

NAT Configuration

TNSR will perform NAT for this peer, so outbound NAT is not necessary. It may be left at the default, which will not touch IPsec traffic, or outbound NAT may be disabled entirely.