The following IKEv1 IPsec tunnel settings can be configured:
|Name||The tunnel name. You can enter a maximum of 26 characters.|
|Disabled||To manually disable the tunnel, select this check box.|
|IPv6||Enable to use IPv6 addresses for the VPN tunnel envelope|
In this tab, you can edit the following Phase 1 and Phase 2 settings.
|Encryption||The data encryption algorithm.|
|Hash Meth. |
The hash algorithm.
The Diffie-Hellman Group that specifies the type of key exchange. The Barracuda CloudGen Firewall supports Group1 to Group18.
|Lifetime [sec]||The re-keying time in seconds that the server offers to the partner.|
|Min. Lifetime [sec]||The minimum re-keying time in seconds that the server accepts from its partner.|
|Max. Lifetime [sec]||The maximum re-keying time in seconds that the server accepts from its partner.|
|Enable Perfect Forward Secrecy||Toggle to enable or disable PFS. The remote gateway mus also support PFS.|
SD-WAN - VPN Envelope Policy
This policy setting specifies how Type of Service (ToS) information contained within a packet’s IP header is handled. In networks, the ToS may be used to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. You can select one of the following options:
The Band Policy settings rely on connection objects that are assigned to bands in the firewall rulesets and specify bandwidth assignment to transports as a whole. Multiple transports can share a single band if they are processed by the same interface.
You can select one of the following options:
|Replay Window |
If ToS policies assigned to VPN tunnels or transports packets are not forwarded instantly according to their sequence number, you can configure the replay window size for sequence integrity assurance and to avoid IP packet "replaying." The window size specifies a maximum number of IP packets that can be on hold until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding any global policy settings. Set to
|DPD intervals [s]||Enter the number of seconds between sending IKE notify checks if the peer is still available. Default 5 sec.|
Specifies the preferred encryption engine. This allows for load balancing between the CPU and an optional cryptocard with more than one tunnel in use. You can select one of the following options:
By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field.
Before using this option, you must first create the indexed VPN interface in the VPN Settings.
|VPN Next Hop Routing||Enter the IP address of the remote VPN tunnel interface that is reachable via the vpnr interface using the index entered as the Interface Index.|
|NAT-T Autodetect||Attempt to detect the UDP NAT-T type supported by the remote VPN gateway.|
In this section, you can add optional parameters for establishing IPsec tunnels. When appending a parameter, first specify the section that the parameter is assigned to. Then, specify the new parameter itself in the next line. Enter one single value per line. For example:
The new sections are added to the end of the
isakmpd.conf file. New parameters are added to the top of the specified section.
For more information on the syntax to be used in this field, see the
isakmpd.conf man page at www.openbsd.org/cgi-bin/man.cgi.
Specifies whether the tunnel is active or passive. You can select one of the following options:
Active also implies that incoming VPN connection attempts are accepted.
|Local IKE Gateway||The IP address of the local IKE gateway. If you are using dynamic IP addresses, enter |
|Remote IKE |
|The IP address of the remote IKE gateway. If the remote IPsec gateway is connected to the Internet with a dynamic IP address, enter the DDNS (Dynamic Domain Name System) hostname of the gateway.|
|Network Address||To add the network address of the VPN partner, enter it in this field and then click Add.|
Depending on which identification type is selected, different fields are unlocked in the Peer Identification section.
|Shared Secret||Enter the shared passphrase used to authenticate. Passphrases using the hash (#) character are not accepted.|
|CA Root||Select the root certificate used to validate the certificate.|
|X509 Condition||Enter the certificate key patterns the certificate is required to match when X.509 certificate authentication is used.|
Import an explicit certificate for X.509 certificate authentication.