Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
{{ $t('productDocDetail.guideClickSwitch') }}
{{ $t('productDocDetail.know') }}
{{ $t('productDocDetail.dontRemind') }}
8.0.107
Athena NGFW (Next-Generation Firewall) {{ breadTitle }} User Manual Network Sangfor/IPSec VPN Use Cases Inter-Branch Access
{{sendMatomoQuery("Athena NGFW (Next-Generation Firewall)","Inter-Branch Access")}}

Inter-Branch Access

{{ $t('productDocDetail.updateTime') }}: 2026-04-29

Inter-branch access can be implemented through BGP over IPsec or OSPF over IPsec. This use case uses OSPF over IPsec as an example to describe how to implement inter-branch access. Specifically, two branch devices Branch1 and Branch2 are connected to the HQ device. Through OSPF over IPsec, a branch device can dynamically learn the internal routes of the HQ device and the other branch device.

Steps

Step 1.Create a VPN tunnel interface on each of the HQ device, Branch1, and Branch 2. Specifically, specify the name and address of each tunnel interface, and make sure that these tunnel interfaces created on the HQ and branch devices belong to the same network segment. For example, the VPN tunnel interfaces created on the HQ and branch devices are all named vpntun1.

VPN tunnel interface created on the HQ device:

VPN tunnel interface created on Branch1:

VPN tunnel interface created on Branch2:

Step 2.Create an IPsec VPN tunnel on each of Branch1 and Branch2. Specifically, configure necessary parameters, click the Route Mode tab, and set Local Tunnel Interface to vpntun1, as shown in the following figure.

Step 3.Create an IPsec VPN tunnel on the HQ device to connect to Branch1. Specifically, configure necessary parameters, click the Route Mode tab, and set Local Tunnel Interface to vpntun1. Then, click Advanced Settings, and set Peer Tunnel Interface IP to the IP address of vpntun1 created on Branch1.

The IPsec VPN tunnels on the HQ device share the same tunnel interface. Therefore, you need to specify Peer Tunnel Interface IP.

Step 4.Repeat Step 3 to create an IPsec VPN tunnel on the HQ device to connect to Branch2. In this case, set Peer Tunnel Interface IP to the IP address of vpntun1 created on Branch2.

Step 5.Configure OSPFv2 on Branch1 and Branch2. Specifically, in the advanced OSPFv2 settings, add same areas for the two branches, and set the network segment to the network segment of vpntun1. Edit interface settings, and set the network type to point-to-point. Configure route redistribution settings, and select the route type.

Branch1:

Branch2:

Step 6.Configure OSPFv2 on the HQ device. Specifically, in the advanced OSPFv2 settings, add an area the same as those for the two branch devices, and set the network segment to the network segment of vpntun1. Edit interface settings, and set the network type to point-to-multipoint. Configure route redistribution settings, and select the route type.

Step 7.Verify the result. The result shows that the IPsec VPN tunnels are successfully established.

The OSPF adjacency is successfully established, and route learning is correct.

HQ device:

Branch1:

Branch2:

Business access between branch devices is normal.