Policy-based IPsec tunnel
This recipe provides an example configuration of a policy-based IPsec tunnel. A site-to-site VPN between the branches and HQ is used, and HQ is the IPsec concentrator.
The following shows the network topology for this example:
To configure a policy-based IPsec tunnel using the GUI:
- Configure the IPsec VPN at HQ:
  - Go to VPN > IPsec Wizard, enter a VPN name (to_branch1 in this example), choose Custom, and then click Next.
  - Uncheck Enable IPsec Interface Mode.
  - Choose Static IP Address as Remote Gateway.
    - Enter the IP address, in this example, 1.1.2.
    - Choose port9 as the interface.
    - In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
  - Click OK.
 
  - Go to VPN > IPsec Wizard, enter a VPN name (to_branch2 in this example), choose Custom, and then click Next.
  - Uncheck Enable IPsec Interface Mode.
  - Choose Static IP Address as Remote Gateway.
    - Enter the IP address, in this example, 1.1.2.
    - Choose port9 as the interface.
    - In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
  - Click OK.
 
- Configure the IPsec concentrator at HQ:
  - Go to VPN > IPsec Concentrator and enter a name, in this example, branch.
  - Add to_branch1 and to_branch2 as Members.
  - Click OK.
 
- Configure the firewall policy:
  - Choose the Incoming Interface, in this example, port10.
  - Choose the Outgoing Interface, in this example, port9.
  - Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
  - Select the VPN Tunnel, in this example, Branch1/Branch2.
  - In this example, turn on Allow traffic to be initiated from the remote site.
  - Click OK.
 
- Configure the IPsec VPN at branch 1:
  - Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next.
  - Uncheck Enable IPsec Interface Mode.
  - Choose Static IP Address as Remote Gateway.
    - Enter the IP address, in this example, 1.1.1.
    - Choose wan1 as the interface.
    - In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
  - Click OK.
 
- Configure the firewall policy:
  - Choose the Incoming Interface, in this example, internal.
  - Choose the Outgoing Interface, in this example, wan1.
  - Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
  - Select the VPN Tunnel, in this example, to_HQ.
  - In this example, turn on Allow traffic to be initiated from the remote site.
  - Click OK.
 
- Configure the IPsec VPN at branch 2:
  - Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next.
  - Uncheck Enable IPsec Interface Mode.
  - Choose Static IP Address as Remote Gateway.
    - Enter the IP address, in this example, 1.1.1.
    - Choose wan1 as the interface.
    - In this example, set Authentication Method to Pre-shared Key, and the pre-shared key is sample. In other cases, use the default.
  - Click OK.
 
- Configure the firewall policy:
  - Choose the Incoming Interface, in this example, internal.
  - Choose the Outgoing Interface, in this example, wan1.
  - Select the Source, Destination, Schedule, and Service, and set Action to IPsec.
  - Select the VPN Tunnel, in this example, to_HQ.
  - In this example, turn on Allow traffic to be initiated from the remote site.
  - Click OK.
To configure a policy-based IPsec tunnel using the CLI:
- Configure the HQ WAN interface and static route:

    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next
    end
- Configure the HQ IPsec phase1 and phase2:

    config vpn ipsec phase1
        edit "to_branch1"
            set interface "port9"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 15.1.1.2
            set psksecret sample
        next
        edit "to_branch2"
            set interface "port9"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 13.1.1.2
            set psksecret sample
        next
    end
    config vpn ipsec phase2
        edit "to_branch1"
            set phase1name "to_branch1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
        edit "to_branch2"
            set phase1name "to_branch2"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end
- Configure the HQ firewall policy:

    config firewall policy
        edit 1
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "10.1.100.0"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_branch1"
        next
        edit 2
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "192.168.4.0"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_branch2"
        next
    end
- Configure the HQ concentrator:

    config vpn ipsec concentrator
        edit "branch"
            set member "to_branch1" "to_branch2"
        next
    end
- Configure the branch WAN interface and static route:
- Branch1:

    config system interface
        edit "wan1"
            set alias "primary_WAN"
            set ip 15.1.1.2 255.255.255.0
        next
        edit "internal"
            set ip 10.1.100.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 15.1.1.1
            set device "wan1"
        next
    end

- Branch2:

    config system interface
        edit "wan1"
            set alias "primary_WAN"
            set ip 13.1.1.2 255.255.255.0
        next
        edit "internal"
            set ip 192.168.4.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 13.1.1.1
            set device "wan1"
        next
    end
- Configure the branch IPsec phase1 and phase2:
- Branch1:

    config vpn ipsec phase1
        edit "to_HQ"
            set interface "wan1"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 22.1.1.1
            set psksecret sample
        next
    end
    config vpn ipsec phase2
        edit "to_HQ"
            set phase1name "to_HQ"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end

- Branch2:

    config vpn ipsec phase1
        edit "to_HQ"
            set interface "wan1"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 22.1.1.1
            set psksecret sample
        next
    end
    config vpn ipsec phase2
        edit "to_HQ"
            set phase1name "to_HQ"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end
- Configure the branch firewall policy:
- Branch1:

    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "10.1.100.0"
            set dstaddr "all"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_HQ"
        next
    end

- Branch2:

    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "192.168.4.0"
            set dstaddr "all"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_HQ"
        next
    end
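As an added check that is not part of the recipe or of Fortinet's tooling, the following Python script cross-references a configuration like the one above before it is pushed: every `set vpntunnel` in an ipsec policy and every concentrator member must name an existing phase1, and a phase1 that no ipsec policy references never carries traffic in policy-based mode, so the script reports it too. Statements are split on the CLI keywords rather than on line breaks, so CLI text that has been run together onto one line still parses. The sample configuration, the function names and the two planted faults are constructed for this example.

```python
# Added example, not Fortinet tooling: cross-check a policy-based FortiOS IPsec config
# before pushing it. Ipsec policies and concentrator members must name an existing
# phase1, and a phase1 no ipsec policy selects carries no traffic in policy-based mode.
import re
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string or a bare word
KEYWORDS = {"config", "edit", "set", "next", "end"}

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; quote any value spelled like a keyword."""
    tables, table, entry, stmt = {}, None, None, []
    for tok in TOKEN.findall(text) + ["end"]:  # sentinel flushes the last statement
        if tok not in KEYWORDS:
            stmt.append(tok.strip('"'))
            continue
        kw, args = (stmt[0], stmt[1:]) if stmt else ("", [])
        if kw == "config":
            table = " ".join(args)
        elif kw == "edit":
            entry = tables.setdefault(table, {}).setdefault(args[0], {})
        elif kw == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif kw in ("next", "end"):
            entry = None
        stmt = [tok]
    return tables

def check_refs(tables):
    """Return problem strings; an empty list means every tunnel reference resolves."""
    phase1 = set(tables.get("vpn ipsec phase1", {}))
    policies = tables.get("firewall policy", {}).items()
    ipsec = {p: v.get("vpntunnel", [""])[0] for p, v in policies if v.get("action") == ["ipsec"]}
    problems = [f"policy {p}: unknown vpntunnel {t}" for p, t in ipsec.items() if t not in phase1]
    for name, conc in tables.get("vpn ipsec concentrator", {}).items():
        problems += [f"concentrator {name}: unknown member {m}"
                     for m in conc.get("member", []) if m not in phase1]
    problems += [f"phase1 {n}: no ipsec policy selects it" for n in sorted(phase1 - set(ipsec.values()))]
    return problems

# Constructed sample: HQ side of the recipe, shortened, with two planted faults
# (no policy selects to_branch2; concentrator member to_branch3 does not exist).
HQ_CONFIG = """config vpn ipsec phase1
  edit "to_branch1" set interface "port9" set remote-gw 15.1.1.2 set psksecret sample next
  edit "to_branch2" set interface "port9" set remote-gw 13.1.1.2 set psksecret sample next
end
config firewall policy
  edit 1 set srcintf "port10" set dstintf "port9" set action ipsec set vpntunnel "to_branch1" next
end
config vpn ipsec concentrator
  edit "branch" set member "to_branch1" "to_branch2" "to_branch3" next
end"""
```

Run `check_refs(parse_fortios(HQ_CONFIG))` to get the two findings; an empty list means the tunnel references are consistent.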
- Optionally, view the IPsec VPN tunnel list at HQ with the diagnose vpn tunnel list command:
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
    bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
    proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
    stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000680 itn=0
      life: type=01 bytes=0/0 timeout=42932/43200
      dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8 ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a
      enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1 ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5
      dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
      npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2
    ------------------------------------------------------
    name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
    bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
    proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
      life: type=01 bytes=0/0 timeout=42931/43200
      dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909 ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe
      enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259 ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
      npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0
- Optionally, view the IPsec VPN concentrator at HQ with the diagnose vpn concentrator list command:
    list all ipsec concentrator in vd 0
    name=branch ref=3 tuns=2 flags=0
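As an added example (not from the recipe), a small Python parser for the `diagnose vpn tunnel list` text above: it reports each tunnel's remote gateway and flags a tunnel with no SA, or one whose SA has passed no traffic, which is what the to_branch2 entry shows (rxp=0 txp=0). The sample output is a trimmed copy of the two entries above, and the function names are the example's own.

```python
# Added example, not Fortinet tooling: parse the text of `diagnose vpn tunnel list` and
# flag tunnels with no SA, or with an SA that has carried no traffic, which is what the
# to_branch2 entry above shows (rxp=0 txp=0 and enc/dec pkts 0/0).
import re

KV = re.compile(r"([\w\[\]/.:-]+)=([^\s,]*)")  # key=value fields such as rxp=305409
GW = re.compile(r"([\d.]+):\d+->([\d.]+):\d+")  # local:port->remote:port on the name= line

def parse_tunnel_list(text):
    """Return one dict per tunnel; a key repeated within an entry (ref=, serial=) keeps its last value."""
    tunnels = []
    for line in text.splitlines():
        if line.startswith("name="):  # each tunnel entry begins with its name= line
            tunnels.append({})
            gw = GW.search(line)
            if gw:
                tunnels[-1]["local"], tunnels[-1]["remote"] = gw.groups()
        if tunnels:  # header lines before the first entry are ignored
            tunnels[-1].update(KV.findall(line))
    return tunnels

def assess(tunnel):
    """Return findings for one tunnel; an empty list means it is up and passing traffic."""
    if tunnel.get("sa", "0") == "0":
        return ["no IPsec SA negotiated"]
    if tunnel.get("rxp") == "0" and tunnel.get("txp") == "0":
        return ["SA up but no traffic has crossed it"]
    return []

def summarise(text):
    """Map tunnel name -> remote gateway and findings for a whole tunnel-list dump."""
    return {t["name"]: {"remote": t.get("remote", "?"), "findings": assess(t)}
            for t in parse_tunnel_list(text)}

# Constructed sample: the two entries from the output above, trimmed to the fields used here.
SAMPLE = """list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048
  dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
------------------------------------------------------
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""
```

`summarise(SAMPLE)` returns no findings for to_branch1 and the no-traffic finding for to_branch2; feed it the real command output to check all tunnels at once.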