5 Replies Latest reply on Jul 31, 2012 6:23 AM by PhilM

    How to config VPN site to site

      Hi all

      I am using a Firewall S2008 to access the internet at location A, and at location B I am using a Cisco router to access the internet.

      I want to create a site-to-site VPN from the firewall to the Cisco router.

      Can you help me, please?


        • 1. Re: How to config VPN site to site

          Hi all,

          Can you help me, please?


          • 2. Re: How to config VPN site to site

            It is difficult to help as you have not provided much information. Have you attempted to setup the VPN? What was the outcome? Do you have any error messages in the audit?


            There is a VPN section of the Administration Guide for whatever version you are running located on mysupport.mcafee.com.


            • 3. Re: How to config VPN site to site


              Hi all,

              This is my setup:

              LAN X and LAN Y successfully access LAN 1 by VPN.

              Now I want to create a VPN from the McAfee Firewall S2008 to a Fortinet, a Cisco ASA or a Cisco 2811. How do I do that?

              Can you help me, step by step?

              Thanks a lot.

              • 4. Re: How to config VPN site to site

                Hi all,

                Can you help me, please?


                • 5. Re: How to config VPN site to site

                  Firstly you will need to create a rule on your Firewall to allow the ISAKMP Server service to listen on the external interface. At the most basic level it will look something like this:-


                  • Application = ISAKMP Server
                  • Source Zone = external
                  • Destination Zone = external
                  • Action = Allow


                  You may optionally use a network object to tie this service down to a specific external IP address on your Firewall.


                  Then you create VPN Definitions (Network -> VPN Configuration -> VPN Definitions) to tell your Firewall where the remote Firewall is and confirm the local and remote network details.


                  Most of the default values will be OK so you will need to look at the following:-


                  General Tab:

                  • Give the definition a name
                  • Zone - specify the zone on your Firewall where the decrypted traffic will appear. If you want the tunnel to be transparent (you don't want to restrict protocols) then select your 'internal' zone
                  • Remote IP - enter the external/public IP address of the Firewall at the other end of the connection.
                  • Local Networks - specify the networks on your side of the tunnel that you wish to grant VPN access to.
                  • Remote Networks - specify the corresponding networks at the other end.


                  Remote Authentication Tab:

                  • Select your chosen authentication method. The simplest is password.
                  • Enter your chosen password and confirm it.


                  Crypto Tab:

                  • Select your chosen encryption and authentication algorithms (e.g. 3DES/MD5)


                  This is the most basic information you will need to supply. Then it is a case of replicating this on the remote Firewall (you will need to ask someone else about how to do that). Passwords & algorithms need to match. Network details need to be the opposite (local networks on your Firewall = remote networks on the other Firewall). Some Firewalls will choose to use Perfect Forward Secrecy (PFS). If they do, you can apply these settings in the "Advanced" tab on your VPN definition.


                  As Matt said, there is a chapter in the Administration Guide (Chapter 27, pages 435-478 in the v8.2 Admin Guide) and this includes several example scenarios to use when configuring your own VPN. A basic site-to-site tunnel, like the one we are talking about here, is covered in pages 449-450.
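A way to sanity-check the "mirror image" requirement from the reply above before bringing the tunnel up, as an added example that is not from the thread, from McAfee or from Cisco: the VpnDefinition fields, check_pair function, sample addresses and networks are assumptions modelled on the General, Remote Authentication, Crypto and Advanced tabs listed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example; field names are assumptions, not the firewall's own API.
WEAK_ALGS = {"des", "3des", "md5"}  # still offered by older firmware, no longer recommended

@dataclass
class VpnDefinition:
    name: str
    external_ip: str            # this firewall's public address (the peer's "Remote IP")
    remote_ip: str              # the peer's public address ("Remote IP" tab field)
    local_networks: List[str]   # networks behind this firewall, CIDR form
    remote_networks: List[str]  # networks behind the peer
    password: str               # Remote Authentication tab, password method
    encryption: str             # Crypto tab
    authentication: str
    pfs_group: Optional[int] = None  # Advanced tab, None when PFS is off

def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def check_pair(a: VpnDefinition, b: VpnDefinition) -> List[str]:
    """Return the mismatches that would stop the tunnel, plus weak-algorithm warnings."""
    problems = []
    if a.remote_ip != b.external_ip or b.remote_ip != a.external_ip:
        problems.append("peer addresses do not point at each other")
    if _nets(a.local_networks) != _nets(b.remote_networks) or \
       _nets(a.remote_networks) != _nets(b.local_networks):
        problems.append("local/remote networks are not mirror images")
    if a.password != b.password:
        problems.append("passwords differ")
    if (a.encryption.lower(), a.authentication.lower()) != \
       (b.encryption.lower(), b.authentication.lower()):
        problems.append("encryption/authentication algorithms differ")
    if a.pfs_group != b.pfs_group:
        problems.append("PFS setting differs")
    for alg in {a.encryption, a.authentication, b.encryption, b.authentication}:
        if alg.lower() in WEAK_ALGS:
            problems.append(f"weak algorithm selected: {alg}")
    return problems

# Constructed sample pair: site A and site B definitions that mirror each other.
SITE_A = VpnDefinition("to-site-b", "203.0.113.10", "198.51.100.20",
                       ["10.1.0.0/16"], ["10.2.0.0/16"], "s3cret", "AES256", "SHA1", 2)
SITE_B = VpnDefinition("to-site-a", "198.51.100.20", "203.0.113.10",
                       ["10.2.0.0/16"], ["10.1.0.0/16"], "s3cret", "AES256", "SHA1", 2)

if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B) or "definitions mirror each other")
```

The weak-algorithm warning fires on the 3DES/MD5 example given above; it does not stop the tunnel, it only flags that those choices should be revisited.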