eSIX Documentation Center

English

简体中文

English

简体中文

Appearance

Application Note - IPSEC VPN

Topology Setup

  1. This functionality will be demonstrated based on the following topology environment.
  2. The main interfaces involved are Xatellite4 eth1 and Xatellite5 eth1.

Function Configuration Process and Function Verification

Device Xatellite 4 IPSEC Function Configuration

  1. Enter IPSEC configuration interface
  • Click the "VPN" tab.
  • Click the "IPSEC" tab.
  1. Click the "Setting" tab
  2. Click "Enable" to enable the "IPSEC" function
  3. Click "SAVE & APPLY" to save the current configuration
  1. Click the "Remote" tab
  2. Click the "ADD" tab

  1. Click the "General" tab

  2. Click the "Enable" tab to enable the function

  3. Configure IPSEC function related addresses

  • Fill in the address in "Local Addr". In this function demonstration, "0.0.0.0" will be filled in.
  • Fill in the peer communication address in "Remote Gateway". In this function demonstration, "192.168.1.2" will be filled in.
  1. Configure "Pre-Shared Key"
  • Enter a custom key in "Pre-Shared Key". This key needs to be configured uniformly on both devices.
  1. Configure "Phase 1 Proposal"
  • Click "Enable Phase 1 Proposal" to enable.
  • Click "Encryption Algorithm" and select an appropriate encryption algorithm from its dropdown list. In this demonstration, the encryption algorithm "AES-128" is used, which is the Advanced Encryption Standard using 128-bit keys and provides security and reliability.
  • Click "Hash Algorithm" and select an appropriate hash algorithm from its dropdown list. In this demonstration, the hash algorithm "MD5" is used.
  • Click "DH Group" and select an appropriate DH group from its dropdown list. In this demonstration, "DH Group 2" is used.
  1. Click the "Tunnel" tab
  2. Click the "ADD" button
  1. Click the "Enable" tab to enable the "Tunnel" function and its related parameter configuration
  2. Configure address information related to "Tunnel"
  • Fill in the source address in IPv4 CIDR format in "Local Subnet". (The loopback interface IP address: 1.1.1.1/32 here is only filled in for temporary demonstration. Please fill in the source address or source network segment of the data that needs to be encrypted according to the actual situation)
  • Fill in the destination address in IPv4 CIDR format in "Remote Subnet". (The loopback interface IP address: 2.2.2.2/32 here is only filled in for temporary demonstration. Please fill in the destination address or destination network segment of the data that needs to be encrypted according to the actual situation)
  1. Configure "Enable Phase 2 Proposal"
  • Check "Enable Phase 2 Proposal" to enable.
  • Click "Encryption Algorithm" and select an appropriate encryption algorithm from its dropdown list. In this demonstration, the encryption algorithm "AES-128" is used, which is the Advanced Encryption Standard using 128-bit keys and provides security and reliability.
  • Click "Hash Algorithm" and select an appropriate hash algorithm from its dropdown list. In this demonstration, the hash algorithm "MD5" is used.
  • Click "PFS Group" and select an appropriate DH group from its dropdown list. In this demonstration, "PFS Group 2" is used.
  1. Click "SAVE" to save the above configuration

Device Xatellite 5 IPSEC Function Configuration

  1. Enter IPSEC configuration interface
  • Click the "VPN" tab.
  • Click the "IPSEC" tab.
  1. Click the "Setting" tab
  2. Click "Enable" to enable the "IPSEC" function
  3. Click "SAVE & APPLY" to save the current configuration
  1. Click the "Remote" tab
  2. Click the "ADD" tab

  1. Click the "General" tab

  2. Click the "Enable" tab to enable the function

  3. Configure IPSEC function related addresses

  • Fill in the address in "Local Addr". In this function demonstration, "0.0.0.0" will be filled in.
  • Fill in the peer communication address in "Remote Gateway". In this function demonstration, "192.168.1.1" will be filled in.
  1. Configure "Pre-Shared Key"
  • Enter a custom key in "Pre-Shared Key". This key needs to be configured uniformly on both devices.
  1. Configure "Phase 1 Proposal"
  • Click "Enable Phase 1 Proposal" to enable.
  • Click "Encryption Algorithm" and select an appropriate encryption algorithm from its dropdown list. In this demonstration, the encryption algorithm "AES-128" is used, which is the Advanced Encryption Standard using 128-bit keys and provides security and reliability.
  • Click "Hash Algorithm" and select an appropriate hash algorithm from its dropdown list. In this demonstration, the hash algorithm "MD5" is used.
  • Click "DH Group" and select an appropriate DH group from its dropdown list. In this demonstration, "DH Group 2" is used.
  1. Click the "Tunnel" tab
  2. Click the "ADD" button
  1. Click the "Enable" tab to enable the "Tunnel" function and its related parameter configuration
  2. Configure address information related to "Tunnel"
  • Fill in the source address in IPv4 CIDR format in "Local Subnet". (The loopback interface IP address: 2.2.2.2/32 here is only filled in for temporary demonstration. Please fill in the source address or source network segment of the data that needs to be encrypted according to the actual situation)
  • Fill in the destination address in IPv4 CIDR format in "Remote Subnet". (The loopback interface IP address: 1.1.1.1/32 here is only filled in for temporary demonstration. Please fill in the destination address or destination network segment of the data that needs to be encrypted according to the actual situation)
  1. Configure "Enable Phase 2 Proposal"
  • Check "Enable Phase 2 Proposal" to enable.
  • Click "Encryption Algorithm" and select an appropriate encryption algorithm from its dropdown list. In this demonstration, the encryption algorithm "AES-128" is used, which is the Advanced Encryption Standard using 128-bit keys and provides security and reliability.
  • Click "Hash Algorithm" and select an appropriate hash algorithm from its dropdown list. In this demonstration, the hash algorithm "MD5" is used.
  • Click "PFS Group" and select an appropriate DH group from its dropdown list. In this demonstration, "PFS Group 2" is used.
  • Click "SAVE" to save the above configuration

Test IPSEC VPN Availability and Encryption

  1. It can be seen that ICMP packets from Xatellite 4 with IP address "1.1.1.1/32" can successfully reach Xatellite 5 "2.2.2.2/32".
  2. It can be seen that ICMP packets from Xatellite 5 with IP address "2.2.2.2/32" can successfully reach Xatellite 4 "1.1.1.1/32".
  1. Through packet capture, it can be seen that encrypted data communication already exists in the IPSEC VPN, where packets related to the ESP protocol are encrypted packets, and packets related to the ICMP protocol are decrypted data packets.