Setting up a site-to-site VPN
A site-to-site VPN connection can only be set up if a number of technical requirements are met at both ends. Site-to-site VPNs are set up by the solution provider, who is responsible for them. Swisscom cannot guarantee interoperability with every manufacturer and model, but always tries to find the best possible solution.
Important: please check the "bandwidth pools with parallel applications" section under Connections to avoid bandwidth problems.
To set up a site-to-site VPN, switch to the Administration tab, open the first OvDC and select the tab Edge Gateways:
1) Mark and right-click on the EON network and select Edge Gateway Services… from the context menu.
2) Switch to the VPN tab.
3) Click the Add… button to add a VPN tunnel.
4) Set the tunnel up by providing the following information:
- Name: The name of the connection (freely selectable; special characters and umlauts are not permitted)
- Description: Optional
- Check the box labelled Enable this VPN configuration
- Establish VPN to: A remote network
- Select the local Network
- Peer Networks: Networks at the remote site
- Local ID: IP address or host name. Typically this is the external IP address of the Edge Gateway
- Peer ID: IP address of the remote device – typically a public IP address. If the peer is NAT'd, the private (internal) peer IP address should be stated here.
- Peer IP: The public IP of the remote device.
- Encryption protocol: 3DES, AES-128, or AES-256
- Shared secret: Must be at least 32 ASCII characters long
- MTU: Leave on 1500
5) Click the OK button to confirm your entry. You can now configure the firewall on the customer's side.
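Before typing the values into the dialog, it is worth checking them once against the constraints listed in step 4. The following Python script is an added example written for this page (it is not Swisscom's or VMware's code) that performs that pre-flight check on a tunnel definition held in a dictionary. The dictionary keys, the "public IP" test (anything outside RFC 1918, loopback, link-local and multicast) and the two sample definitions using documentation addresses are assumptions made for the example; the peer ID is deliberately accepted as a private address, since the steps above say that is the correct value when the peer is behind NAT.

```python
import ipaddress
import re

# Added example (not Swisscom's or VMware's code): a pre-flight check for the
# fields the Edge Gateway VPN dialog asks for, following the constraints stated
# in the setup steps. The dictionary keys are assumptions for this example.

ALLOWED_ENCRYPTION = {"3DES", "AES-128", "AES-256"}
NAME_PATTERN = re.compile(r"[A-Za-z0-9_-]+")  # assumption: plain ASCII names only
MIN_SECRET_LEN = 32
REQUIRED_MTU = 1500
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_ipv4(text):
    """True if text is an IPv4 address outside RFC 1918, loopback, link-local and multicast."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in RFC1918)


def validate_tunnel(tunnel):
    """Return a list of problems; an empty list means the definition passes every check."""
    problems = []

    name = tunnel.get("name", "")
    if not NAME_PATTERN.fullmatch(name):
        problems.append("name: use only ASCII letters, digits, '-' and '_' (no special characters or umlauts)")

    if not tunnel.get("enabled", False):
        problems.append("enabled: 'Enable this VPN configuration' is not checked")

    if tunnel.get("encryption") not in ALLOWED_ENCRYPTION:
        problems.append("encryption: must be one of " + ", ".join(sorted(ALLOWED_ENCRYPTION)))

    secret = tunnel.get("shared_secret", "")
    if len(secret) < MIN_SECRET_LEN or not secret.isascii():
        problems.append(f"shared_secret: at least {MIN_SECRET_LEN} ASCII characters required")

    if tunnel.get("mtu") != REQUIRED_MTU:
        problems.append(f"mtu: leave at {REQUIRED_MTU}")

    if not tunnel.get("local_id") or not tunnel.get("peer_id"):
        problems.append("local_id/peer_id: both identities must be set (peer_id may be a private address behind NAT)")

    if not is_public_ipv4(tunnel.get("peer_ip", "")):
        problems.append("peer_ip: must be the public IPv4 address of the remote device")

    # Local and peer networks must be valid CIDR blocks and must not overlap,
    # otherwise traffic for the remote site cannot be routed into the tunnel.
    try:
        local = ipaddress.ip_network(tunnel.get("local_network", ""), strict=False)
        peers = [ipaddress.ip_network(n, strict=False) for n in tunnel.get("peer_networks", [])]
    except ValueError as exc:
        problems.append(f"networks: invalid CIDR ({exc})")
        return problems
    if not peers:
        problems.append("peer_networks: at least one remote network is required")
    for peer_net in peers:
        if peer_net.overlaps(local):
            problems.append(f"peer_networks: {peer_net} overlaps the local network {local}")

    return problems


# Constructed sample definitions (documentation addresses, not real sites)
GOOD_TUNNEL = {
    "name": "hq-to-eon",
    "enabled": True,
    "local_network": "10.10.0.0/24",
    "peer_networks": ["192.168.50.0/24"],
    "local_id": "203.0.113.10",
    "peer_id": "198.51.100.7",
    "peer_ip": "198.51.100.7",
    "encryption": "AES-256",
    "shared_secret": "Th1s-is-a-constructed-example-secret-value",
    "mtu": 1500,
}

BAD_TUNNEL = {
    "name": "Büro-VPN",                  # umlaut is not allowed
    "enabled": True,
    "local_network": "10.10.0.0/24",
    "peer_networks": ["10.10.0.0/25"],   # overlaps the local network
    "local_id": "203.0.113.10",
    "peer_id": "10.0.0.1",
    "peer_ip": "10.0.0.1",               # private address given as the public peer IP
    "encryption": "DES",
    "shared_secret": "short",
    "mtu": 1400,
}

if __name__ == "__main__":
    for label, tunnel in (("good", GOOD_TUNNEL), ("bad", BAD_TUNNEL)):
        print(label, validate_tunnel(tunnel) or "OK")
```

Run as a script, the good definition reports OK and the bad one lists six problems, one per violated constraint; the overlap check is the one most often missed when the two sites were addressed independently.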
Configurations supported by vShield Edge
IKE Phase 1 parameters:
- Phase 1 VPN negotiation: Main mode (aggressive mode disabled)
- Encryption algorithm: TripleDES | AES [configurable]
- Hashing algorithm: SHA-1
- Diffie-Hellman group type: 2 (1024 bits)
- Authentication method: pre-shared secret [configurable]
- ISAKMP security association lifetime: 28800 seconds (eight hours) with no Kbytes rekeying
IKE Phase 2 parameters:
- Encryption algorithm: TripleDES | AES [this will match the Phase 1 setting]
- Hashing algorithm: SHA-1
- Tunnel mode: ESP
- Diffie-Hellman group type: 2 (1024 bits)
- Perfect Forward Secrecy (PFS): enabled
- ISAKMP security association lifetime: 3600 seconds (one hour) with no Kbytes rekeying
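Most failed tunnels come down to one Phase 1 or Phase 2 setting on the customer-side firewall that differs from the lists above. The following Python script is an added example written for this page (not Swisscom's or VMware's code) that encodes the supported parameter set and reports every setting of a proposed customer configuration that will not negotiate, including the rule that the Phase 2 cipher must follow the Phase 1 cipher. The dictionary keys and the sample proposals are assumptions for this example, not names from FortiGate, WatchGuard or any other vendor's configuration.

```python
# Added example (not Swisscom's or VMware's code): compare the IKE proposal a
# customer-side firewall is configured with against the parameter set vShield
# Edge accepts. Dictionary keys and the sample proposals are assumptions for
# this example, not names from any vendor's configuration language.

SUPPORTED_PHASE1 = {
    "mode": {"main"},                            # aggressive mode is disabled
    "encryption": {"3des", "aes128", "aes256"},
    "hash": {"sha1"},
    "dh_group": {2},                             # 1024-bit MODP
    "auth": {"psk"},
    "lifetime_seconds": {28800},                 # eight hours
    "lifetime_kbytes": {0},                      # no Kbyte-based rekeying
}

SUPPORTED_PHASE2 = {
    "encryption": {"3des", "aes128", "aes256"},  # must equal the Phase 1 choice
    "hash": {"sha1"},
    "protocol": {"esp"},
    "pfs_group": {2},                            # PFS enabled, DH group 2
    "lifetime_seconds": {3600},                  # one hour
    "lifetime_kbytes": {0},
}


def _mismatches(label, proposal, supported):
    """List each setting in proposal that is missing or outside the supported set."""
    out = []
    for key, allowed in supported.items():
        expected = ", ".join(str(v) for v in sorted(allowed))
        value = proposal.get(key)
        if value is None:
            out.append(f"{label}.{key}: not set (expected {expected})")
        elif value not in allowed:
            out.append(f"{label}.{key}: {value!r} not supported (expected {expected})")
    return out


def check_proposal(phase1, phase2):
    """Return a list of mismatches; an empty list means both phases should negotiate."""
    problems = _mismatches("phase1", phase1, SUPPORTED_PHASE1)
    problems += _mismatches("phase2", phase2, SUPPORTED_PHASE2)
    # vShield Edge uses the Phase 1 cipher for Phase 2 as well, so a different
    # Phase 2 cipher on the peer will not match even if it is in the supported set.
    p1_enc, p2_enc = phase1.get("encryption"), phase2.get("encryption")
    if p1_enc in SUPPORTED_PHASE1["encryption"] and p2_enc != p1_enc:
        problems.append(f"phase2.encryption: {p2_enc!r} must match phase1 ({p1_enc!r})")
    return problems


# Constructed sample proposals
COMPATIBLE_PHASE1 = {"mode": "main", "encryption": "aes256", "hash": "sha1",
                     "dh_group": 2, "auth": "psk", "lifetime_seconds": 28800, "lifetime_kbytes": 0}
COMPATIBLE_PHASE2 = {"encryption": "aes256", "hash": "sha1", "protocol": "esp",
                     "pfs_group": 2, "lifetime_seconds": 3600, "lifetime_kbytes": 0}

# A peer configured with settings the Edge does not accept, plus aggressive mode
CUSTOMER_PHASE1 = {"mode": "aggressive", "encryption": "aes256", "hash": "sha256",
                   "dh_group": 14, "auth": "psk", "lifetime_seconds": 86400, "lifetime_kbytes": 0}
CUSTOMER_PHASE2 = {"encryption": "aes128", "hash": "sha1", "protocol": "esp",
                   "pfs_group": 14, "lifetime_seconds": 3600, "lifetime_kbytes": 0}

if __name__ == "__main__":
    print("compatible:", check_proposal(COMPATIBLE_PHASE1, COMPATIBLE_PHASE2) or "OK")
    for line in check_proposal(CUSTOMER_PHASE1, CUSTOMER_PHASE2):
        print("customer:", line)
```

An empty result means the proposal matches what the Edge accepts; it says nothing about the strength of SHA-1 and a 1024-bit Diffie-Hellman group by current standards, which is a separate question for the customer's security policy.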
Sample configurations of the customer-side firewall
This section contains example configurations for a FortiGate and a WatchGuard firewall. Firewall policies, routing, etc. are the customer's responsibility and are not dealt with here.
FortiGate firewall
1) Under VPN in the menu, expand IPsec and select Auto Key (IKE).
2) Click the Create Phase 1 button and then the Create Phase 2 button to create a new IKE phase 1 and phase 2.
3) Configure phase 1 in the mask and then confirm the settings by clicking the OK button.
4) Now configure phase 2 in the second mask and confirm the settings by clicking the OK button.
FortiGate 40c VPN in tunnel mode (no longer recommended)
1) Configure phase 1 in the mask and then confirm the settings by clicking the OK button.
2) Configure phase 2 in the second mask and then confirm the settings by clicking the OK button.
WatchGuard firewall
1) Select the VPN menu.
2) Here you can choose between different types of VPNs. Select Branch Office VPN.
3) Under Gateways, click the Add button to create a new phase 1.
4) Under Tunnels, you can create a new phase 2 by clicking the Add button.
5) Configure phase 1 in the mask and then confirm the settings by clicking the Save button.
6) Under Gateway, select the previously created phase 1, then configure phase 2 as necessary and save the settings by clicking the Save button.