Configuring the satellite site (spoke)
Virtual IPsec interfaces determine the tunnels through which traffic will pass.
You therefore need to create a local virtual IPsec interface that makes it possible to configure the tunnel's local and remote endpoints. In the example, this interface is named tunnel_to_hub. The tunnel endpoints are defined by network objects (VTI_local_hub and VTI_remote_hub in the example).
Creating the local virtual IPsec interface
You will need to create the virtual IPsec interface allowing you to configure the tunnel.
- Go to Configuration > Network > Virtual interfaces and select the IPsec interfaces (VTI) tab.
- Click on Add.
- Fill in the following fields:
  - Name: tunnel_to_hub in the example,
  - IP address: 172.16.50.2 in the example,
  - Network mask: the default value is a 255.255.255.252 mask (the mask retains its default value in the example).
Creating the local and remote tunnel endpoints
Virtual IPsec interfaces are referenced through network objects. These objects are used as gateways in router objects on the spoke, and in the configuration of IPsec tunnels. You need to define network objects that correspond to the local and remote endpoints of the tunnel to the hub.
- Go to Configuration > Objects > Network.
- Click on Add and select Host from the banner on the left.
- Configure the network object that corresponds to the local tunnel endpoint, by filling in the following fields:
  - Object name: VTI_local_hub in the example,
  - IPv4 address: 172.16.50.2 in the example,
  - MAC address: you can indicate a MAC address,
  - Comments: you can enter comments.
- Click on Create and duplicate to finalize the creation of the object and create the next one.
- Configure the network object that corresponds to the remote tunnel endpoint with the values indicated below.
  - Object name: VTI_remote_hub in the example,
  - IPv4 address: 172.16.50.1 in the example.
- Click on Create to finalize the creation of the object and close the wizard.
Configure routing
Routing has to be configured on the spoke to allow traffic to reach its destination. To do so, you will need to create a network object that corresponds to the local network on the hub, and configure routing.
Creating network objects
You will need to create a network object that corresponds to the local network on the hub.
- Go to Configuration > Objects > Network.
- Click on Add and select Network from the banner on the left.
- Fill in the following fields:
  - Object name: NET_hub in the example,
  - Network IP address: 192.168.1.0/24 in the example,
  - Comments: you can add comments.
- Click on Create to finalize the creation of the object and close the wizard.
Defining routing
You will need to configure the routing of traffic to the local network on the hub.
- Go to Configuration > Network > Routing and select the IPv4 static routes tab.
- Click on Add.
- Fill in the following fields:
  - Destination network: NET_hub in the example,
  - Address range: 192.168.1.0/24 in the example,
  - Gateway: VTI_remote_hub in the example,
  - Comments: you can enter comments.
Creating the IPsec peer
To allow the spoke to accurately identify the hub, you will need to create the hub peer. You can create it either by using certificate authentication (recommended), or by following the pre-shared key (PSK) authentication method.
NOTE
The local address used has to be "any" so that the IKE service can adapt whenever the network configuration is reloaded (change in routing, renewal of the DHCP lease, etc.).
Creating the peer with certificate authentication (recommended)
- Go to Configuration > VPN > IPsec VPN > Peers tab.
- Click on Add.
- Select New remote gateway. A wizard will appear, prompting you to select the remote gateway.
- Select hub.
- Enter the name of the peer. By default, its name has "Site_" as a prefix, but the name can be customized (hub in the example). Confirm.
- Select IKEv2 as the IKE version, and click on Next.
- Select Certificate authentication.
- In the Certificate drop-down menu, select the certificate that the spoke will present to set up the tunnel with its peer, and click on Next.
- In the window that opens, providing a summary of the peer's settings, check the information, then click on Finish.
- In the Identification section, fill in the following fields:
  - Local ID (optional): this is the local ID that was specified when the peer was created. If you fill in this field, you need to enter the same value in the Peer ID field on the hub.
  - Peer ID (optional): this is the ID that was assigned to the peer. We recommend specifying it to formally identify the peer, and to associate the right IPsec policy with it during the tunnel negotiation. If you fill in this field, you need to enter the same value in the Local ID field on the hub.
- Click on Apply to confirm the creation of the peer.
Creating the peer with pre-shared key authentication (PSK)
- Go to Configuration > VPN > IPsec VPN > Peers tab.
- Click on Add.
- Select New remote gateway. A wizard will appear, prompting you to select the remote gateway.
- Select the object hub.
- By default, the name of the peer will be created by adding a prefix "Site_" to the object name, but this name can be customized (hub in the example). Confirm.
- Select IKEv2 as the IKE version, and click on Next.
- Select the pre-shared key (PSK) as the authentication method.
- In the Identification section, fill in the following fields:
  - Local ID (optional): this is the local ID that was specified when the peer was created. If you fill in this field, you need to enter the same value in the Peer ID field on the hub.
  - Peer ID (optional): this is the ID that was assigned to the peer. We recommend specifying it to formally identify the peer, and to associate the right IPsec policy with it during the tunnel negotiation. If you fill in this field, you need to enter the same value in the Local ID field on the hub.
  - Pre-shared key: click on Edit and in the fields Pre-shared key and Confirm, enter a complex key that will be exchanged between the hub and spoke to set up the IPsec tunnel.
    To define a sufficiently secure pre-shared key:
    - Keep to a minimum length of 15 characters,
    - Use uppercase and lowercase letters, numbers and special characters,
    - Do not use a word that can be found in a dictionary.
- Click on Apply.
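The three PSK rules above, as an added example that is not part of the original page or of the appliance: a checker that reports which rule a candidate key breaks, plus a generator that draws keys from the system CSPRNG until one passes. The small word set is a constructed stand-in for a real dictionary list.

```python
import re
import secrets
import string

# Constructed stand-in for a dictionary wordlist; a real check would load a full list.
DICTIONARY = {"password", "stormshield", "tunnel", "secret", "welcome", "ipsec"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def psk_problems(psk, dictionary=DICTIONARY):
    """Return the rules the candidate key violates; an empty list means it is acceptable."""
    problems = []
    # Rule 1: minimum length of 15 characters.
    if len(psk) < 15:
        problems.append("shorter than 15 characters")
    # Rule 2: uppercase, lowercase, digits and special characters must all be present.
    classes = [
        any(c.islower() for c in psk),
        any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk),
        any(c in string.punctuation for c in psk),
    ]
    if not all(classes):
        problems.append("missing one of: lowercase, uppercase, digit, special character")
    # Rule 3: no dictionary word, including a word padded with digits/symbols ("Welcome2024!!")
    # or embedded inside a longer string.
    core = re.sub(r"[^a-z]", "", psk.lower())
    lowered = psk.lower()
    if core in dictionary or any(w in lowered for w in dictionary if len(w) >= 5):
        problems.append("contains a dictionary word")
    return problems


def generate_psk(length=20, dictionary=DICTIONARY):
    """Draw random keys with secrets (CSPRNG) until one satisfies all three rules."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not psk_problems(candidate, dictionary):
            return candidate


if __name__ == "__main__":
    for key in ("short1!", "Welcome2024!!!!", generate_psk()):
        print(repr(key), psk_problems(key) or "ok")
```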
Configuring the IPsec policy
You will need to define the rules of the encryption policy to be applied to traffic.
- Go to Configuration > VPN > IPsec VPN > Encryption Policy - Tunnels tab > Site-to-site tab.
- Click on Add, then select Standard site-to-site tunnel.
- Select hub as the Peer selection.
- In the Local network field, select the object VTI_local_hub.
- In the Remote network field, select the object VTI_remote_hub.
- Enable the policy by setting the Status cursor to On.
You have completed the configuration of the spoke, and can now proceed to checking the setup of the tunnels.
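Before checking the tunnels, a consistency pass over the values entered in the steps above catches the usual mistakes (route pointing at the local endpoint, endpoints outside the /30, IDs not mirrored on the hub). This is an added example, not part of the original page or the appliance; the dictionaries are a constructed transcription of the page's example values, and the IKE identities are assumed.

```python
import ipaddress

# Constructed transcription of the spoke-side values used on this page (not an appliance export).
SPOKE = {
    "vti": {"name": "tunnel_to_hub", "address": "172.16.50.2", "mask": "255.255.255.252"},
    "objects": {
        "VTI_local_hub": "172.16.50.2",
        "VTI_remote_hub": "172.16.50.1",
        "NET_hub": "192.168.1.0/24",
    },
    "route": {"destination": "NET_hub", "gateway": "VTI_remote_hub"},
    "policy": {"peer": "hub", "local": "VTI_local_hub", "remote": "VTI_remote_hub"},
    # Assumed identities; the page only says they must be swapped on the hub side.
    "peer": {"name": "hub", "local_id": "spoke.example", "peer_id": "hub.example"},
}
# Assumed hub-side Local ID / Peer ID that the spoke must mirror.
HUB_PEER = {"local_id": "hub.example", "peer_id": "spoke.example"}


def check_spoke(cfg, hub_peer):
    """Return a list of problems found; an empty list means the values are consistent."""
    problems = []
    obj = cfg["objects"]
    vti = ipaddress.IPv4Interface(f'{cfg["vti"]["address"]}/{cfg["vti"]["mask"]}')
    # The local endpoint object used in the policy must carry the VTI's own address.
    if obj[cfg["policy"]["local"]] != str(vti.ip):
        problems.append("local endpoint object does not match the VTI address")
    # The remote endpoint must be the other usable host of the VTI's point-to-point subnet.
    remote = ipaddress.IPv4Address(obj[cfg["policy"]["remote"]])
    if remote == vti.ip or remote not in list(vti.network.hosts()):
        problems.append("remote endpoint is not a usable address in the VTI subnet")
    # The static route to the hub LAN must use the remote tunnel endpoint as gateway.
    if cfg["route"]["gateway"] != cfg["policy"]["remote"]:
        problems.append("route gateway is not the remote tunnel endpoint")
    # The hub LAN must not overlap the VTI subnet, or traffic never enters the tunnel.
    if vti.network.overlaps(ipaddress.IPv4Network(obj[cfg["route"]["destination"]])):
        problems.append("hub LAN overlaps the VTI subnet")
    # Local ID and Peer ID must be swapped between the two sides.
    p = cfg["peer"]
    if p["local_id"] != hub_peer["peer_id"] or p["peer_id"] != hub_peer["local_id"]:
        problems.append("IKE identities are not mirrored on the hub")
    return problems


if __name__ == "__main__":
    print(check_spoke(SPOKE, HUB_PEER) or "spoke values are consistent")
```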