killofootball.blogg.se

Palo alto networks vpn ike gateway not working




set network virtual-router VPN-Router interface ethernet1/11

The static route says that if you are destined for the 10.0.1.0/24 network, go to the tunnel.77 interface to be encrypted. You will have to add the newly created interfaces to the virtual router and add a route towards the inside vpn-trust interface for proper routing.

set zone vpn-trust network layer3 tunnel.77

You can add this interface to an existing inside zone, but then you'll have a hard time with NAT and security policies, just as mentioned above with the Phase 1 interface.

set zone vpn-untrust network layer3 ethernet1/11

Add the tunnel to the inside vpn zone. If the vpn-untrust zone does not exist, you can run the following command to create the zone and assign ethernet1/11 at the same time. If you do not want this behavior, you will have to create a new rule to allow this traffic, which is one more rule than you would need if you had set up a dedicated zone for the VPN tunnel.

Add the outside interface to the untrusted zone. If you have the VPN zone the same as the outside zone and you implement a policy for your VPN users, by default it will affect the outside users not using the VPN. This is because if you do this, you will have greater flexibility when configuring rules and NAT.


You will want to create a zone for the VPN termination and not use an existing zone.

set network interface tunnel units tunnel.77


The logical tunnel interface does not need an IP address unless you want to manage it. This logical interface is where we will terminate the VPN connections on the inside. As with the physical interface, the tunnel interface will be assigned to a virtual router and zone later.

set network interface ethernet ethernet1/11 layer3 ip 77.6.5.4/24

We'll assign it to the virtual router and zones later.


You can choose an already existing interface if one is configured, but the following command assigns an interface with an IP address. The gateway can be any physical interface, but it has to be routed and public if it crosses the internet. Once you have an endpoint for Phase 1, you'll need an endpoint for Phase 2, which will be a tunnel interface. You'll need an interface with layer 3 capabilities because this will be your IKE endpoint. First start with Phase 1, or the IKE profile. To create a VPN you need IKE and IPsec tunnels, or Phase 1 and Phase 2.





