IPsec connections

Create and manage IPsec VPN connections and failover groups.

Internet Protocol Security (IPsec) is a suite of protocols that support cryptographically secure communication at the IP layer. With IPsec connections, you can provide secure access between two hosts, two sites, or remote users and a LAN. XG Firewall supports IPsec as defined in RFC 4301.

  • To add a connection, click Add or use the Wizard.
  • To turn a connection on, click the Active status indicator.
  • To connect, click the Connection status indicator.
  • To download a connection, click Download.

Table 1. Connection status indicators

Connection is active but not connected.

Connection is active and connected.

Connection is active but only partially connected. When multiple subnets are configured for the LAN or remote network, the device creates a sub-connection for each subnet. This status indicates that one of the sub-connections is not active.

Connection is inactive.

Failover groups

A failover group is a sequence of IPsec connections. If the primary connection fails, the secondary (or subsequent) active connection in the group automatically takes over and keeps traffic moving.

During a connection failure, the firewall checks the health of the primary connection every 60 seconds. When the primary connection is restored, the secondary connection falls back to its original position in the group.

  • To activate a group and establish the primary connection, click the Active status indicator.

Turning off a failover group disables the active tunnel used in that group.