Add an IPsec connection

  1. Go to VPN > IPsec connections and click Add.
  2. Type a name.
  3. Specify general settings.
    OptionDescription
    IP version IP version to be supported by the tunnel. The tunnel will pass only the data that uses the specified IP version.
    Connection type Remote access Establishes a secure connection between individual hosts and a private network over the internet. This type of connection is typically used by employees who need to connect to the company network from an off-site location. To establish a remote connection, remote users must have VPN client software.

    Site-to-site Establishes a secure connection between an entire network (for example, a LAN or WAN) and a remote network over the internet. This type of connection is frequently used to connect a branch office to corporate headquarters.

    Host-to-host Establishes a secure connection between two hosts, for example, one desktop computer to another desktop computer.

    Gateway type Action to take when the VPN service or device restarts.

    Disable Keep the connection disabled until the user activates it.

    Respond only Keep the connection ready to respond to any incoming request.

    Initiate the connection Establish the connection every time VPN services or the device restart.

    Activate on save Activate the connection when you click Save.
    Create firewall rule Create a firewall rule for this connection.
    Note A corresponding firewall rule is automatically created if you select the check box. Review the rule position in the firewall rule list. Automatically created firewall rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the firewall rule list and are evaluated first. When matching criteria overlap for the new and existing rules, policies and actions of the new rule apply, leading to unplanned outcomes, such as failure in mail delivery or tunnels not being established.
  4. Specify encryption settings.
    OptionDescription
    Policy IPsec profile to use for the traffic.
    Authentication type Authentication to use for the connection.

    Preshared key Authenticate endpoints using the secret known to both endpoints.

    Digital certificate Authenticate endpoints by exchanging certificates (either self-signed or issued by a certificate authority).

    RSA key Authenticate endpoints using RSA keys.
    Local certificate Certificate to be used for authentication by the firewall.
    Remote certificate Certificate to be used for authentication by the remote peer.
    Note Do not use a public CA as remote CA certificate for encryption. This poses a security threat to your connection since unauthorized people could get a valid certificate from that CA.
  5. Specify local gateway settings.
    OptionDescription
    Listening interface Interface that listens for connection requests.
    Local ID For preshared key, select an ID type and type a value.
    Local subnet Local network(s) to which you want to provide remote access.
    Network address translation Enable NAT traversal if a NAT device exists between your endpoints, that is, when the remote peer has a private or non-routable IP address.
  6. Specify remote gateway settings.
    OptionDescription
    Gateway address IP address and port of the remote gateway. (To specify any port, type “*”.)
    Remote ID For preshared key, select an ID type and type a value.
    Remote subnet Remote networks to which you want to provide access.
  7. Specify advanced settings.
    OptionDescription
    User authentication mode Authentication of VPN clients required by XAUTH.

    None Authentication not required.

    As client User name and password required for authentication by the remote gateway.

    As server All users who are to be allowed to connect.

    Disconnect when idle Disconnect idle clients from the session after the specified time.
    Idle session time interval Time, in seconds, after which idle clients will be disconnected.
  8. Click Save.