The FG2000-3 device allows you to create IPSEC VPNs to establish secure connections to remote networks over a public network.

VPN Service

This setting enables or disables IPSEC VPN service on your device. When the ON/OFF slider is ON , VPN is enabled. When OFF , VPN service is not available.

VPN Tunnel Configurations

Once such a tunnel is added, the page would display the list of tunnel configurations. Administrator can delete, edit, view, change priorities of the tunnel configurations.

Add new VPN tunnel: Use this button to add a new VPN tunnel. The Add New VPN Tunnel Dialog appears:

Add New VPN Tunnel: Step 1 out of 5

General Settings

Start Tunnel — Select whether to start the tunnel automatically upon start up or manually.
Enable Tunnel — Check this box to enable the tunnel.
Tunnel Name — Enter a unique name to identify this VPN.
Local identity — Enter a unique name to identify the local point of the tunnel.
Remote identity — Enter a unique name to identify the remote point of the tunnel.
Local Authentication — Select Pre-shared Key in the dropdown
Pre-shared key — Enter a password used to authenticate to your end of the tunnel (usually matches the remote password.)
Local Authentication — Select Pre-shared Key in the dropdown
Pre-shared key — Enter a password used to authenticate to your end of the tunnel (usually matches the local password.)

Add New VPN Tunnel: Step 2 out of 5

Local Network

Local IP — Enter the WAN IP address of local device. NOTE: This should be a static IP that you are able to reach from remote device (no NAT).
Local subnet mask — Enter the subnet mask of the local device, for example: If your local IP is 192.168.0.100 and your subnet mask is 255.255.255.0 this should be 192.168.0.0/24. NOTE: This should mirror what the subnet displays in the local device, for example: 192.168.0.0 / 255.255.255.0. NOTE: The local device should be on a different subnet from remote, for example: If the Remote Subnet Mask is 192.168.1.0/24, the Local Subnet Mask might be 192.168.0.0/24. This is usually based off the DHCP settings of the devices.

Remote Network

Remote IP — Enter the WAN IP address of remote device. NOTE: This should be a static IP that you are able to reach from local device (no NAT).
Remote subnet mask — Enter the subnet mask of the remote device, for example: If your remote IP is 192.168.0.100 and your subnet mask is 255.255.255.0 this should be 192.168.0.0/24. NOTE: This should mirror what the subnet displays in the local device, for example: 192.168.0.0 / 255.255.255.0. NOTE: The remote device should be on a different subnet from local, for example: If the Local Subnet Mask is 192.168.1.0/24, the Remote Subnet Mask might be 192.168.0.0/24. This is usually based off the DHCP settings of the devices.

Add New VPN Tunnel: Step 3 out of 5

IKE Phase 1

Key lifetime: The lifetime of the phase 1 key, in seconds.

Select desired items from each column.

NOTE: Each phase should support at least one matching option in each column. For example, if Phase 1 on this page is configured to support Hash SHA2 512, SHA2 384, and SHA2 256, then at least one of those selections must be selected in Phase 2 on the next page in order for there to be a common Hash.

Add New VPN Tunnel: Step 4 out of 5

IKE Phase 2

Key lifetime: The lifetime of the phase 2 key, in seconds.

Select desired items from each column.

NOTE: Each phase should support at least one matching option in each column. For example, if Phase 1 on the previous page is configured to support Hash SHA2 512, SHA2 384, and SHA2 256, then at least one of those selections must be selected in Phase 2 on the this page in order for there to be a common Hash.

Add New VPN Tunnel: Step 5 out of 5

Dead Peer Detection (DPD) is a keep-alive method that ensures the tunnel is up and will take action if it is not able to reach the remote side of the tunnel, depending on what DPD action you select. You can use the default values, if desired.

Dead Peer Detection

Enable: Check this box to enable DPD.

DPD action: Use the drop-down to select a DPD action.

DPD delay: The number of seconds between DPD packets.

DPD timeout: The number of seconds the router will allow an IPsec session to be idle before beginning to send DPD packets to the peer machine.

Click Finish and save to implement your settings. You return to the VPN page. The new VPN tunnel is now listed.