Ruijie Community
Title: The Branch Router Accesses the HQ Router at a Static IP Address in Dialup Mode
Author: GTAC-Sophia Time: 2022-12-5 10:13
IPsec VPN
1. The Branch Router Accesses the HQ Router at a Static IP Address in Dialup Mode
Networking Requirements
The HQ and branch routers use static IP addresses. The HQ router needs to verify the IP address of the branch router.
Network Topology
Configuration Key Points
1. Configure router A in the HQ as the IPsec server.
2. Configure router B in the branch as the IPsec client.
3. Keep parameter settings at both ends consistent. The parameter settings in this case are as follows:
Authentication mode: preshared key, with the key set to Ruijie.
IKE algorithm: 3DES-MD5, DH2
IPsec negotiation scheme: ESP(3DES-MD5)
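An offline check for key point 3, added here as an example (it is not Ruijie's code and not part of the original post): it parses the parameter notation used on this page, reports which fields differ between the two ends, and lists algorithms in use that the example treats as legacy. The function names, the `LEGACY` set and the faulty branch values are assumptions of the example.

```python
import re

# Algorithms this example treats as legacy (the example's assumption, not the page's).
LEGACY = {"DES", "3DES", "MD5", "DH1", "DH2"}

def parse_ike(text):
    """Parse the page's IKE notation, e.g. '3DES-MD5, DH2'."""
    m = re.fullmatch(r"\s*(\w+)-(\w+)\s*,\s*(DH\d+)\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised IKE proposal: {text!r}")
    enc, digest, group = (g.upper() for g in m.groups())
    return {"ike_enc": enc, "ike_hash": digest, "ike_dh": group}

def parse_ipsec(text):
    """Parse the page's IPsec notation, e.g. 'ESP(3DES-MD5)'."""
    m = re.fullmatch(r"\s*ESP\s*\(\s*(\w+)-(\w+)\s*\)\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised IPsec proposal: {text!r}")
    enc, digest = (g.upper() for g in m.groups())
    return {"ipsec_proto": "ESP", "ipsec_enc": enc, "ipsec_hash": digest}

def profile(auth, psk, ike, ipsec):
    """Build one end's settings from the four values listed in key point 3."""
    return {"auth": auth.strip().lower(), "psk": psk,  # the key is case-sensitive
            **parse_ike(ike), **parse_ipsec(ipsec)}

def compare(hq, branch):
    """Return (names of fields that differ, legacy algorithms in use)."""
    mismatched = sorted(k for k in hq if hq[k] != branch.get(k))
    algos = {v for p in (hq, branch) for k, v in p.items()
             if k not in ("auth", "psk")}
    return mismatched, sorted(algos & LEGACY)

if __name__ == "__main__":
    hq = profile("preshared key", "Ruijie", "3DES-MD5, DH2", "ESP(3DES-MD5)")
    # Constructed faulty branch entry: wrong key case and wrong DH group.
    branch = profile("preshared key", "ruijie", "3DES-MD5, DH5", "ESP(3DES-MD5)")
    mismatched, legacy = compare(hq, branch)
    # Only field names are printed, never the key itself.
    print("mismatched fields:", mismatched or "none")
    print("legacy algorithms:", legacy or "none")
```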
Configuration Steps
1. Configure router B in the branch.
(1) Complete wizard-based setup to meet basic Internet access requirements of users in the HQ and branch. If the users can access the Internet, check whether the next hop address is configured for the WAN interface.
(2) Configure IPsec for router B in the branch.
Choose Network > VPN and click Configure. Select Branch and click Next.
Configure basic branch information.
Note: Only interfaces configured with the nexthop x.x.x.x command are displayed in the interface list (after the wizard-based setup is completed on the Web page, this command is configured on the WAN interface of the CLI by default).
The dialer interface can be configured on the Web page.
IKE algorithm: 3DES-MD5, DH2
IPsec negotiation scheme: ESP(3DES-MD5)
2. Configure router A in the HQ.
(1) Complete wizard-based setup to implement basic Internet access service of the HQ router.
(2) Configure IPsec for router A in the HQ.
Choose Network > VPN and click Configure. Select Headquarter, and click Next.
Select Branch and click Next.
Select IPsec and click Next.
Configure the IPsec VPN and click Next.
The IPsec VPN configuration is complete.
Configuration Verification
Choose Network > VPN and click the Topo tab to view the configuration.
Configuration of the HQ router:
Configuration of the branch router:
Check whether the routers in the HQ and branch can access each other.
Notes
1. When the Internet access service is configured via wizard-based setup on the Web of the EG device, IPsec VPN can be configured only after the next hop address is configured on the interface configuration page in the wizard-based setup. If no next hop address is configured for an interface, the interface cannot be selected during VPN configuration.
2. After a VPN is configured, the device automatically delivers AAA configuration (the system prompts you to enter the username and password during device login, and the telnet password needs to be reconfigured).
3. Close the browser after clearing the VPN configuration for the clearing operation to take effect. Otherwise, the system retains the previous VPN configuration.
4. When a WAN port receives an IPsec request but no traffic of interest is configured on the device, the error "Failed to find map" may occur. The error is generated because packets from IPsec port 500 are sent to the CPU when the IPsec map does not exist. It does not affect network data forwarding or management and is in fact beneficial to network management. An ACL can be configured to filter out requests from undesired IPsec-compliant devices that are connected to the EG device.
5. Some Web modules use specific ACLs. For example, the VPN module uses ACL 110 and ACL 199, the ARP guard module uses ACL 197 and ACL 2397, and the VWAN module uses ACL 198. Therefore, do not use these ACLs on the CLI, especially ACL 199, which prohibits policy configuration on the CLI. Otherwise, ACEs required by the VPN module fail to be configured on the Web page.