12 Chapter12 IPSec VPN and SSLVPN v5.5r2
• Introduction of VPN
• Hillstone IPSec VPN Configuration
– Configuring policy-based VPN
– Configuring route-based VPN
– Lab
• Hillstone SSL VPN Configuration
– Configuring SSL VPN
– Lab
[Figure: a VPN between a Branch site and Headquarters across the Internet]
Confidentiality
• Hides and secures data as it crosses the WAN
Integrity
• Ensures the data has not been tampered with
Authentication
• Verifies whether the data source is trusted
[Figure: confidentiality. The sender encrypts the original data (key labelled Pub); the receiver decrypts the encrypted data.]
[Figure: integrity. The sender hashes the data and sends Data + Hash; the receiver hashes the received data and compares the hash values.]
[Figure: authentication. Both sides hold a Hash key; the sender computes a keyed hash over the data and sends Data + Hash; the receiver recomputes the keyed hash and compares the hash values.]
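The three figures above show why a plain hash gives integrity but not authentication: anyone who can change the data can also recompute an unkeyed hash, while only a holder of the shared hash key can recompute a keyed hash. The following is an added example, not part of the Hillstone course material; it uses SHA-256 and HMAC-SHA256 to stand in for the generic "Hash" and "Hash key" of the figures, and the message and shared key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for this example: a message and a secret that the
# legitimate sender and receiver are assumed to share out of band.
MESSAGE = b"transfer 100 to account 42"
SHARED_KEY = b"example-shared-secret"  # assumption: pre-shared, never sent on the wire


def plain_hash(data: bytes) -> bytes:
    """Unkeyed hash: anyone who can see the data can recompute it."""
    return hashlib.sha256(data).digest()


def keyed_hash(data: bytes, key: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256): only a holder of the key can compute it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def receiver_checks_integrity(data: bytes, tag: bytes) -> bool:
    """Receiver side of the integrity figure: rehash and compare (constant time)."""
    return hmac.compare_digest(plain_hash(data), tag)


def receiver_checks_authenticity(data: bytes, tag: bytes, key: bytes) -> bool:
    """Receiver side of the authentication figure: recompute the keyed hash and compare."""
    return hmac.compare_digest(keyed_hash(data, key), tag)


def simulate() -> dict:
    """Run three transmissions and report whether the receiver notices the change."""
    results = {}

    # 1. Accidental corruption in transit: the data changes, the hash does not.
    sent_tag = plain_hash(MESSAGE)
    corrupted = MESSAGE.replace(b"100", b"1O0")
    results["plain_hash_detects_corruption"] = not receiver_checks_integrity(corrupted, sent_tag)

    # 2. Deliberate modification: whoever alters the data can also recompute the
    #    unkeyed hash, so the receiver sees a consistent pair and detects nothing.
    forged = MESSAGE.replace(b"42", b"99")
    results["plain_hash_detects_forgery"] = not receiver_checks_integrity(forged, plain_hash(forged))

    # 3. Keyed hash: without SHARED_KEY the modifier can only reuse the original
    #    tag or attach an unkeyed hash; both fail the receiver's check.
    sent_tag = keyed_hash(MESSAGE, SHARED_KEY)
    results["keyed_hash_accepts_genuine"] = receiver_checks_authenticity(MESSAGE, sent_tag, SHARED_KEY)
    results["keyed_hash_detects_forgery"] = (
        not receiver_checks_authenticity(forged, sent_tag, SHARED_KEY)
        and not receiver_checks_authenticity(forged, plain_hash(forged), SHARED_KEY)
    )
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The comparison uses hmac.compare_digest rather than == so that the receiver's check takes the same time whether the tags differ early or late. This is the same split IPsec makes: the hash figure corresponds to an integrity check, the keyed-hash figure to the authentication that the IKE pre-shared key and the IPsec integrity algorithm provide.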
Hillstone IPSec VPN Configuration
[Figure: policy-based VPN topology. Site1 and Site2 are connected across the Internet; a Server sits on the LAN behind one site.]
If the access is bidirectional, you should also add an inbound policy. The inbound policy can be configured by exchanging the source and destination zones of the outbound policy.
www.hillstonenet.com | Hillstone Confidential
B. Route-based VPN (CLI)
• Steps
– Step 1 Use the command show ipsec sa to verify whether the phase2 SA has been established; if so, the VPN negotiation has completed successfully.
– Step 2 If the phase2 SA has not been established, use the command show isakmp sa to verify whether the phase1 SA has been established. If so, the problem is typically in the phase2 configuration, for example inconsistent phase2 proposals or proxy IDs; if not, review the phase1 peer or network configuration, for example inconsistent phase1 proposals, a mismatched pre-shared key, or no available route to the peer.
– By default the VPN negotiation is triggered by traffic. To enable automatic connection, select Enable for Auto connect under the Advance tab of the phase2 tunnel configuration dialog.
Hillstone SSL VPN Configuration
[Figure: SSL VPN topology. Remote PCs connect over the Internet to https://200.0.0.10:4433 on interface E0/4 (200.0.0.10/24); SSL VPN address pool 10.200.0.2–100; Server1 192.168.10.10/24 on the Server/Database segment.]
• Functions
– Remote secure access
• Elements
– PC hosts
– SSL VPN access point
– Local/Radius/LDAP/AD/Tacacs+ authentication server
To configure a tunnel interface and an SSL VPN address pool, see the next slide.
Configuring SSL VPN
Configure a tunnel interface and an SSL VPN address pool. The tunnel interface and the address pool must be in the same IP address segment and must not overlap. (You must set an IP address on the SSL VPN tunnel interface, because that address is the gateway IP for the clients.)
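The two constraints above (same segment, no overlap, and a usable host IP on the tunnel interface) are easy to get wrong when the pool is typed by hand. The following is an added example, not part of the Hillstone course material, that checks a proposed tunnel-interface address and pool range with Python's standard ipaddress module before the configuration is applied. The pool 10.200.0.2–100 comes from the topology above; the tunnel interface address 10.200.0.1/24 is an assumption, since the slide does not state it.

```python
import ipaddress


def validate_sslvpn_pool(tunnel_if: str, pool_start: str, pool_end: str) -> list:
    """Return a list of problems with the pool/interface pairing; empty means consistent.

    tunnel_if  - tunnel interface address with prefix, e.g. "10.200.0.1/24"
    pool_start - first address handed to SSL VPN clients
    pool_end   - last address handed to SSL VPN clients (inclusive)
    """
    problems = []
    iface = ipaddress.ip_interface(tunnel_if)
    subnet = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # The tunnel interface IP is the clients' gateway, so it must be a real host
    # address, not the network or broadcast address of the segment.
    unusable = {subnet.network_address}
    if subnet.prefixlen < 31:
        unusable.add(subnet.broadcast_address)
    if iface.ip in unusable:
        problems.append("tunnel interface must have a usable host IP (it is the client gateway)")

    if start > end:
        problems.append("pool start is after pool end")

    # Same IP address segment: both ends of the pool inside the interface subnet.
    if start not in subnet or end not in subnet:
        problems.append("pool must lie inside the tunnel interface subnet")

    # No overlap: the gateway address must not be handed out to a client.
    if start <= iface.ip <= end:
        problems.append("pool overlaps the tunnel interface IP")

    return problems


def pool_size(pool_start: str, pool_end: str) -> int:
    """Number of client addresses in an inclusive range (0 if the range is reversed)."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    return max(0, int(end) - int(start) + 1)


if __name__ == "__main__":
    # Assumed tunnel interface 10.200.0.1/24 with the slide's pool 10.200.0.2-100.
    issues = validate_sslvpn_pool("10.200.0.1/24", "10.200.0.2", "10.200.0.100")
    print("ok" if not issues else issues, pool_size("10.200.0.2", "10.200.0.100"), "addresses")
```

Run the check for each SSL VPN instance before committing the configuration; a non-empty list names the constraint that the tunnel interface and pool violate, which is also the first thing to look at when clients connect but receive no working default gateway.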