Site to Site IPSEC VPN Setup Guidelines for the X505 (Static IP) and 3CR870-95/3CR860-95 (Static IP) In Main mode

Here follows screen shots of the configuration for the X505 and 3cr870-95/3cr860-95 required to establish an IPSEC site to site VPN tunnel in main mode.

IPSEC VPN Main Mode is used when both side of the IPSEC VPN tunnel have a Static WAN IP address. Main Mode cannot be used if either side have a Dynamic WAN IP address.

You will first need to enable IPSEC Global VPN and then you can define the Local Domain and Email address but since we are using Main mode those settings will not be used during the IPSEC tunnel establishment:

The next step is to create an IKE proposal which will need to match the IKE proposal created on the 3cr870-95/3cr860-95 (Phase 1 and Phase 2 encryption, Integrity, Diffie-Helman Group, authentication type… must match):

Then create an IPSEC Security Association which will need to match the IPSEC Security Association proposal created on the 3cr870-95/3cr860-95 (Keying mode, Shared Secret … must match, the remote subnet must be set approprietaly on each unit):

When Establish the tunnel will show as follows:

Connection to ISP configuration:

Lan side configuration:

You will first need to enable IPSEC then define the Firewall’s ID (Local Id) which will be used during the IPSEC site to site VPN establishment as the WAN IP address of the 3cr870/3cr860 unit:

Then create an IPSEC Security Association which will need to match the IPSEC Security Association proposal created on the X505 (Keying mode, Shared Secret … must match, the remote subnet must be set approprietaly on each unit):

— David Gonzalez 2021/04/08 14:50