On the Site-to-site VPN > IPsec > Connections tab you can create and edit IPsec connections.
To create an IPsec connection, proceed as follows:
On the Connections tab, click New IPsec Connection.
The Add IPsec Connection dialog box opens.
Make the following settings:
Name: Enter a descriptive name for this connection.
Remote gateway: Select a remote gateway definition. Remote gateways are configured on the Site-to-site VPN > IPsec > Remote Gateways tab.
Local interface: Select the name of the interface which is used as the local endpoint of the IPsec tunnel.
Policy: Select the IPsec policy for this IPsec connection. IPsec policies can be defined on the Site-to-site VPN > IPsec > Policies tab.
Local networks: Select or add the local networks that should be reachable through the VPN tunnel. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Automatic firewall rules: By selecting this option you can automatically add firewall rules that allow traffic for this connection. The rules are added as soon as the connection is enabled, and they are removed when the connection is disabled. If you want to use a stricter IPsec connection, disable Automatic firewall rules and use IPsec objects in the firewall rule set instead.
Strict routing: If strict routing is enabled, VPN routing is done according to source and destination IP address (instead of only destination IP address). In this case, only those packets exactly matching the VPN tunnel definition are routed into the VPN tunnel. As a consequence, you cannot use SNAT to add networks or hosts to the VPN tunnel, that are originally not part of the tunnel definition. On the other hand, without strict routing, you cannot have a mixed unencrypted/encrypted setup to the same network from different source addresses.
Bind tunnel to local interface: By default, the option is unselected and all traffic originating from the selected local networks and going to the defined remote networks will always be sent through this IPsec tunnel. It is not possible to have multiple identical tunnels on different interfaces because the selector would always be the same. However, if enabled, the defined IPsec selector will be bound to the selected local interface. Thus it is possible to either bypass IPsec policies with static routes or define redundant IPsec tunnels over different uplinks and use multipath rules to balance traffic over the available interfaces and their IPsec tunnels. Use cases for this setting are for example:
- Bypass IPsec policies for local hosts which belong to the remote network through static interface routes.
- Balance traffic based on layer 3 and layer 4 with multipath rules over multiple IPsec tunnels or MPLS links with automatic failover.
Note – This option cannot be used in combination with an interface group.
Comment (optional): Add a description or other information.
The new connection appears on the IPsec Connections list.
To either edit or delete a connection, click the corresponding buttons.