IPsec connections

Create and manage IPsec VPN connections and failover groups.

Internet Protocol Security (IPsec) is a suite of protocols that support cryptographically secure communication at the IP layer. With IPsec connections, you can provide secure access between two hosts, two sites, or remote users and a LAN. XG Firewall supports IPsec as defined in RFC 4301.

  • To add a connection, in addition to Add, you can use the wizard.
  • To turn a connection on, click the Active status indicator.
  • To connect, click the Connection status indicator.
  • To download a connection, click Download Download button.
Table 1. Connection status indicators




Button showing active status

Icon showing connections aren't established

Connection is active but not connected.

Button showing active status

Icon showing connections are established

Connection is active and connected.

Button showing active status

Icon showing at least one connection's not established

Connection is active but only partially connected. When multiple subnets are configured for the LAN or remote network, the device creates a sub-connection for each subnet. This status indicates that one of the sub-connections is not active.

Button showing inactive status

Icon showing connections aren't established

Connection is inactive.

Failover groups

A failover group is a sequence of IPsec connections. If the primary connection fails, the secondary (or subsequent) active connection in the group automatically takes over and keeps the traffic moving.

During a connection failure, the firewall checks the health of the primary connection every 60 seconds. When the primary connection is restored, the secondary connection falls back to its original position in the group.

  • To activate a group and establish the primary connection, click the Status indicator Button to change status.

Turning off a failover group disables the active tunnel used in that group.

Route-based vs policy-based VPN

Route-based VPNs use the routing table to determine which traffic should be sent over the VPN tunnel. You don't need to define the local and remote subnets in the VPN configuration. A route-based VPN creates a virtual IPsec interface, and whatever traffic hits that interface is encrypted and decrypted according to the phase 1 and phase 2 IPsec settings. This cuts down on the maintenance overhead required if your network configuration changes at either site, and makes it easier to scale a route-based solution in environments with a large number of VPN connections. Not all devices support route-based VPNs. For example, if you're not using an XG Firewall as your remote device you might not be able to use route-based VPNs.

Policy-based VPNs do not use the routing table. Instead traffic is routed between networks configured in the VPN settings and based on policies defined within firewall rules. They require more maintenance if your networks change. You need to update the configuration on both the local and remote XG Firewall.