Configuring an IPSec Site‑to‑Site VPN Between Headquarters and Branch NAT Devices

This experiment shows how to set up an IPSec tunnel between a headquarters and a branch office when both sites use NAT devices as their export gateways, allowing mutual communication and internet access.

1. Router configuration (routing between FW1 and FW2)

interface GigabitEthernet0/0/0 ip address 220.163.100.1 255.255.255.0 # interface GigabitEthernet0/0/1 ip address 220.163.200.1 255.255.255.0 #

2. FW1 configuration

a) Interface IP addresses

interface GigabitEthernet0/0/0 ip address 192.168.10.1 255.255.255.0 # interface GigabitEthernet0/0/1 ip address 220.163.100.2 255.255.255.0

b) Assign interfaces to zones

firewall zone trust add interface GigabitEthernet0/0/0 # firewall zone untrust add interface GigabitEthernet0/0/1

c) Enable inter‑zone packet filtering (permit all for the lab)

firewall packet-filter default permit all

d) Static default route

ip route-static 0.0.0.0 0.0.0.0 220.163.100.1

e) Define protected traffic

acl number 3000 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

f) IPSec proposal “tran1”

ipsec proposal tran1 esp authentication-algorithm sha1 esp encryption-algorithm aes

g) IKE proposal “10”

ike proposal 10 authentication-method pre-share authentication-algorithm sha1

h) IKE peer configuration

ike peer c pre-shared-key 123456 ike-proposal 10 remote-address 220.163.200.2

i) IPSec policy map1

ipsec policy map1 10 isakmp security acl 3000 ike-peer c proposal tran1

j) Apply IPSec policy to the external interface

interface GigabitEthernet0/0/1 ip address 220.163.100.2 255.255.255.0 ipsec policy map1

k) NAT policy (exclude IPSec‑protected flow, then source‑nat the rest)

nat-policy interzone trust untrust outbound policy 1 action no-nat policy source 192.168.10.0 0.0.0.255 policy destination 192.168.20.0 0.0.0.255 policy 2 action source-nat easy-ip GigabitEthernet0/0/1

3. FW2 configuration (mirrors FW1 with opposite subnets)

a) Interface IP addresses

interface GigabitEthernet0/0/0 ip address 192.168.20.1 255.255.255.0 # interface GigabitEthernet0/0/1 ip address 220.163.200.2 255.255.255.0

b) Zones, packet filter, static route, ACL, IPSec/IKE proposals, IKE peer, IPSec policy, and NAT are configured analogously to FW1, using the 192.168.20.0/24 network and the opposite public IPs (220.163.200.1/2).

4. Verification

On FW1 and FW2 the IKE SA tables show two tunnels (IDs 1 and 40001) in READY state. The IPSec SA tables display tunnel mode “map1”, correct local/remote tunnel IPs, and matching inbound/outbound ESP SAs. Ping tests from PCs in both subnets succeed with 0 % packet loss, confirming end‑to‑end connectivity.