====== IPSEC VPN SETUP EXAMPLE BETWEEN A SUPERSTACK 3 FIREWALL IN STANDARD MODE AND AN X506 IN NAT MODE ======

The following screenshots show the configuration needed to establish an IPSEC VPN tunnel between an X Family device running X3.1.2098 and an SS3 Firewall running v6.3.3. The SS3 Firewall is in Standard mode and the X series Firewall is in NAT mode.

{{:3com:tippingpoint:x506:general_configuration:dsgn_183.png?direct&600|}}

**The following is general guidance only. Some networks may require special guidance and configuration, in which case it is advisable to contact 3Com technical support.**

===== Step 1: =====

The SS3 Firewall is in Standard mode, which means that it acts as a bridge and the LAN and WAN share the same subnet. In this case the SS3 Firewall IP address is 30.30.30.31:

{{:3com:tippingpoint:x506:general_configuration:dsgn_184.png?direct&600|}}

===== Step 2: =====

Enable the VPN feature on the SS3 Firewall.

{{:3com:tippingpoint:x506:general_configuration:dsgn_185.png?direct&600|}}

===== Step 3: =====

Define the IPSEC SA as follows:

{{:3com:tippingpoint:x506:general_configuration:dsgn_186.png?direct&600|}}

===== Step 4: =====

Specify the X series Firewall LAN IP subnet, 192.168.1.0/24.

{{:3com:tippingpoint:x506:general_configuration:dsgn_187.png?direct&600|}}

===== Step 5: =====

Define the desired security zones. This example uses only the WAN and LAN security zones.

{{:3com:tippingpoint:x506:general_configuration:dsgn_188.png?direct&600|}}

===== Step 6: =====

The X series Firewall in this example is in NAT mode, which means it has a private IP address, 192.168.1.31, on the LAN side and a public IP address, 20.20.20.31, on the WAN side.

{{:3com:tippingpoint:x506:general_configuration:dsgn_189.png?direct&600|}}

===== Step 7: =====

Define the new Security Association as shown below. Note that the Peer IP address is the SS3 Firewall's own IP address, 30.30.30.31, which falls inside the remote network 30.30.30.0/255.255.255.0 shown in the screenshot. This is not an issue, however, as the X series is able to differentiate the Peer address from the remote LAN addresses.

{{:3com:tippingpoint:x506:general_configuration:dsgn_190.png?direct&600|}}

===== Step 8: =====

Define the X series Firewall local network, 192.168.1.0/255.255.255.0, and set the SS3 Firewall Standard mode network, 30.30.30.0/255.255.255.0, as the SA remote network.

{{:3com:tippingpoint:x506:general_configuration:dsgn_191.png?direct&600|}}

 --- //[[nce@itclatam.com|David Gonzalez]] 2021/04/08 15:09//