The following IPsec tunnel settings can be configured:
| Setting | Description |
|---|---|
| Name | The tunnel name. You can enter a maximum of 26 characters. |
| Disabled | To manually disable the tunnel, select this check box. |
In this tab, you can edit the following Phase 1 and Phase 2 settings.
| Setting | Description |
|---|---|
| Encryption | The data encryption algorithm. |
| Hash Meth. | The hash algorithm. |
| Diffie-Hellman Group | The Diffie-Hellman Group that specifies the type of key exchange. You can select one of the following options: |
| Lifetime [sec] | The rekeying time in seconds that the server offers to the partner. |
| Min. Lifetime [sec] | The minimum rekeying time in seconds that the server accepts from its partner. |
| Max. Lifetime [sec] | The maximum rekeying time in seconds that the server accepts from its partner. |
| Setting | Description |
|---|---|
| TI - VPN Envelope Policy | This policy setting specifies how Type of Service (ToS) information contained within a packet's IP header is handled. In networks, the ToS may be used to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. You can select one of the following options: |
| Band Policy | The Band Policy settings rely on connection objects that are assigned to bands in the firewall rule sets and specify bandwidth assignment to transports as a whole. Multiple transports can share a single band if they are processed by the same interface. You can select one of the following options: |
| Replay Window | If, due to ToS policies assigned to VPN tunnels or transports, packets are not forwarded instantly according to their sequence number, you can configure the replay window size to assure sequence integrity and to avoid IP packet "replaying". The window size specifies the maximum number of IP packets that can be held before it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding any global policy settings. |
| DPD Interval (s) | The time interval in seconds at which Dead Peer Detection is performed. |
| VPN Next Hop Routing | The IP address of the remote VPN next hop interface. See How to Configure BGP Routing over IPsec VPN for a configuration example. |
| Encryption engine | The preferred encryption engine. When more than one tunnel is in use, this allows load balancing between the CPU and an optional crypto card. You can select one of the following options: |
| Encaps. Mode Auto Detec. | Automatically determines the IPsec encapsulation mode when NAT-T is used. |
| VPN interface | By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field. Before using this option, you must first create the indexed VPN interface in the VPN server settings. |
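The Replay Window setting described above accepts packets that arrive out of sequence-number order as long as they fall within a window behind the newest packet, and drops duplicates and packets that have fallen behind the window. As an added illustration that is not the firewall's own code, the following Python implements the standard sliding-window anti-replay check from RFC 4303 and runs a constructed arrival order through it; the class and function names are my own.

```python
# Added illustration of an IPsec-style anti-replay sliding window (the
# bitmap algorithm from RFC 4303, Appendix A). Not the firewall's own code.
# window_size plays the role of the tunnel's "Replay Window" setting: how many
# sequence numbers behind the highest one seen may still arrive late.

class ReplayWindow:
    def __init__(self, window_size):
        if window_size < 1:
            raise ValueError("window size must be >= 1")
        self.size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) seen

    def check(self, seq):
        """Return True if seq is accepted, False if it is a replay or is
        older than the window. Accepted packets update the window state."""
        if seq == 0:
            return False                    # ESP never uses sequence number 0
        if seq > self.highest:
            shift = seq - self.highest      # slide the window forward
            self.bitmap = (self.bitmap << shift) | 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                    # fell behind the window: drop
        if self.bitmap & (1 << offset):
            return False                    # already received: replay
        self.bitmap |= 1 << offset          # late but new: accept
        return True


def filter_packets(seqs, window_size):
    """Run an arrival order through one window; return (seq, accepted) pairs."""
    window = ReplayWindow(window_size)
    return [(s, window.check(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: out-of-order delivery, one duplicate (5) and one
    # packet (1) that is older than a window of 4.
    for seq, ok in filter_packets([1, 2, 5, 4, 3, 5, 9, 1], 4):
        print(seq, "accepted" if ok else "dropped")
```

A larger window tolerates more reordering before a late packet is dropped, which is the trade-off the setting exposes per tunnel and transport.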
In this section, you can add optional parameters for establishing IPsec tunnels. When appending a parameter, first specify the section that the parameter is assigned to. Then specify the new parameter itself on the next line. Enter a single value per line. For example:
New sections are added to the end of the isakmpd.conf file. New parameters are added to the top of the specified section.
For more information on the syntax to be used in this field, see the isakmpd.conf man page at www.openbsd.org/cgi-bin/man.cgi.
| Setting | Description |
|---|---|
| Active or passive | Specifies whether the tunnel is active or passive. You can select one of the following options: Active also implies that incoming VPN connection attempts are accepted. |
| Local IKE Gateway | The IP address of the local IKE gateway. If you are using dynamic IP addresses, enter |
From the Identification Type list, you can select one of the following options:
- Shared Secret
- X509 Certificate (CA signed)
- X509 Certificate (explicit)
- Box SCEP Certificate (CA signed)
| Setting | Description |
|---|---|
| Remote IKE | The IP address of the remote IKE gateway. If the remote IPsec gateway is connected to the Internet with a dynamic IP address, enter the DDNS (Dynamic Domain Name System) hostname of the gateway. |
| Network Address | To add the network address of the VPN partner, enter it in this field and then click Add. |
Depending on which identification type is selected, different fields are unlocked in the Peer Identification section. For more information on the different authentication options, see Site-to-Site VPN Encryption and Authentication.