Add an IPsec connection

You want to create a VPN connection of one of these types:
  • Remote access
  • Site-to-site
  • Host-to-host
  • Tunnel interface
  1. Go to VPN > IPsec connections and click Add.
  2. Enter a name.
  3. Specify general settings.
    IP version
      IP version to be supported by the tunnel. The tunnel passes only data that uses the specified IP version.

    Connection type
      Remote access: Establishes a secure connection between individual hosts and a private network over the internet. This type of connection is typically used by employees who need to connect to the company network from an off-site location. To establish a remote connection, remote users must have VPN client software.
      Site-to-site: Establishes a secure connection between an entire network (for example, a LAN or WAN) and a remote network over the internet. This type of connection is frequently used to connect a branch office to corporate headquarters.
      Host-to-host: Establishes a secure connection between two hosts, for example, one desktop computer to another desktop computer.
      Tunnel interface: Use for route-based VPN. Creates a tunnel interface between two endpoints. You can then use static or dynamic routing with that interface. The interface name is xfrm followed by a number.

    Gateway type
      Action to take when the VPN service or device restarts.
      Disable: Keeps the connection disabled until the user activates it.
      Respond only: Keeps the connection ready to respond to any incoming request.
      Initiate the connection: Establishes the connection every time VPN services or the device restart.
      We recommend that you set the gateway at your main location to Respond only and the gateway at your remote locations to Initiate the connection. This lets you troubleshoot connection errors more easily using the log entries generated by the initiating device.

    Activate on save
      Activates the connection when you click Save.

    Create firewall rule
      Creates a firewall rule automatically for this connection.
      Note: If you select the check box, a corresponding firewall rule is created automatically. Review its position in the firewall rule list. Automatically created firewall rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the firewall rule list and are evaluated first. Where the matching criteria of the new rule overlap with those of existing rules, the policies and actions of the new rule apply, which can lead to unplanned outcomes such as failed mail delivery or tunnels that do not establish.
  4. Specify encryption settings.
    Policy
      IPsec profile to use for the traffic.

    Authentication type
      Authentication to use for the connection.
      Preshared key: Authenticates endpoints using a secret known to both endpoints.
      Digital certificate: Authenticates endpoints by exchanging certificates (either self-signed or issued by a certificate authority).
      RSA key: Authenticates endpoints using RSA keys.

    Local certificate
      Certificate to be used for authentication by the firewall.

    Remote certificate
      Certificate to be used for authentication by the remote peer.
      Note: Do not use a public CA as the remote CA certificate. This poses a security threat to your connection, since unauthorized people could obtain a valid certificate from that CA.
  5. Specify local gateway settings.
    Listening interface
      Interface that listens for connection requests.

    Local ID type
      For preshared and RSA keys, select an ID type and type a value for Local ID.

    Local subnet
      Local networks to which you want to provide remote access. This option is only available for policy-based VPNs.
  6. Specify remote gateway settings.
    Gateway address
      IP address and port of the remote gateway. (To specify any port, type *.)

    Remote ID type
      For preshared and RSA keys, select an ID type and type a value for Remote ID.

    Remote subnet
      Remote networks to which you want to provide access. This option is only available for policy-based VPNs.

  7. Optional: Specify network address translation.

    Use Network Address Translation (NAT) if you have a subnet that's common to the local and the remote network. Addresses from the common subnet are translated into addresses from the local subnet so that traffic from the common network is routed through the VPN tunnel. You can only use this option with policy-based VPNs.

    • Translated subnet: Shows the local subnets you specified above.
    • Original subnet: Select a subnet that is common to your local and the remote sites. This subnet must be defined under Hosts and services > IP host.
  8. Specify the advanced settings.
    User authentication mode
      Authentication of VPN clients required by XAUTH.
      None: Authentication not required.
      As client: User name and password required for authentication by the remote gateway.
      As server: Select the users who are allowed to connect.

    Disconnect when idle
      Disconnects idle clients from the session after the specified time.

    Idle session time interval
      Time, in seconds, after which idle clients are disconnected.
  9. Click Save.
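Two planning checks for the procedure above, as an added Python example that is not from the Sophos documentation: whether the local and remote networks overlap and so need the NAT of step 7, with the 1:1 mapping from the original (common) subnet to the translated subnet, and the top-down first-match evaluation behind the note on step 3, showing how an automatically created rule at the top of the list overrides an existing rule with overlapping criteria. The rule tuple layout, rule names and all addresses are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Planning checks for the IPsec connection procedure. Added example, not Sophos
# code; the rule tuple layout and every address below are constructed.

def needs_nat(local: str, remote: str) -> bool:
    """Step 7 applies only when the local and remote networks share address space."""
    return ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote))

def translate(addr: str, original: str, translated: str) -> str:
    """Map a host in the original (common) subnet 1:1 onto the translated (local) subnet."""
    orig = ipaddress.ip_network(original)
    trans = ipaddress.ip_network(translated)
    if orig.prefixlen != trans.prefixlen:
        raise ValueError("1:1 NAT needs original and translated subnets of equal size")
    host = ipaddress.ip_address(addr)
    if host not in orig:
        raise ValueError(f"{addr} is not inside {original}")
    return str(trans.network_address + (int(host) - int(orig.network_address)))

# Hypothetical rule model: (name, source net, destination net, ports or None, action).
def first_match(rules: list, src: str, dst: str, port: int) -> Optional[str]:
    """Top-down, first-match evaluation as described in the note on step 3."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, s_net, d_net, ports, action in rules:
        if (s_ip in ipaddress.ip_network(s_net)
                and d_ip in ipaddress.ip_network(d_net)
                and (ports is None or port in ports)):
            return f"{name}:{action}"
    return None

# Constructed existing rule base: SMTP from the LAN is allowed only to the mail relay.
EXISTING = [
    ("Allow-SMTP-to-relay", "192.168.1.0/24", "10.20.0.25/32", {25}, "accept"),
    ("Block-SMTP",          "192.168.1.0/24", "0.0.0.0/0",     {25}, "drop"),
    ("Allow-LAN-out",       "192.168.1.0/24", "0.0.0.0/0",     None, "accept"),
]
# Rule created when "Create firewall rule" is selected; the firewall places it on top.
AUTO_IPSEC = ("IPsec-HQ", "192.168.1.0/24", "10.20.0.0/16", None, "accept")

def shadowed_decisions(src: str, dst: str, port: int) -> tuple:
    """Decision for one flow before and after the auto-created rule is put at the top."""
    return (first_match(EXISTING, src, dst, port),
            first_match([AUTO_IPSEC] + EXISTING, src, dst, port))

if __name__ == "__main__":
    print(needs_nat("192.168.1.0/24", "192.168.1.0/24"))              # True
    print(translate("192.168.1.7", "192.168.1.0/24", "10.99.1.0/24"))  # 10.99.1.7
    print(shadowed_decisions("192.168.1.10", "10.20.0.99", 25))       # drop, then accept
```

The second tuple element shows the SMTP block being shadowed once the IPsec rule sits above it, which is the overlap the note on step 3 asks you to review.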