  1. Choose VPN from the Configuration Menu.

  2. Click Add a New Tunnel to open the Add New VPN Tunnel configuration page.

  3. Configure settings using the information in the following table as a guide. When you have finished configuring settings, click Submit to make your changes take effect.

    Add a new VPN Tunnel Settings

    Item    Description
    Name

    Enter the name of the VPN tunnel.

    The name must be unique per device, with a maximum length of 32 characters. The tunnel name must start with an alphabetical character and can consist of letters (A-Z, a-z), digits (0-9), hyphen (-), period (.), and underscore (_).

    Enabled

    Select the Enabled checkbox to use the tunnel on the system now, or leave the box unchecked to save the tunnel configuration for later.

    A disabled tunnel is counted towards the maximum number of allowed tunnels. However, this allows you to save the tunnel configuration if the tunnel is needed at a later stage.

    Shared Secret

    Enter the shared secret key for Phase 1 Internet Key Exchange (IKE) authentication. This key must not be longer than 32 characters.

    Note: If you allow your browser to remember the password for this page, it may automatically supply the saved shared secret when you submit the page even if you typed a new shared secret. To ensure that the correct shared secret is used, never allow the browser to remember the password on this page.

    Digital Signature

    Choose the Local Certificate and Remote Certificate from the drop-down lists for authentication.

    Local VPN Gateway

    Enter the WAN IP address for the device in the Local VPN Gateway field, or enter the WAN_IP token.

    The WAN_IP token allows the tunnel to use the correct WAN IP address even when features such as DHCP or PPP are used and the IP address may change dynamically.

    Protected Local Network

    Enter the address of the local subnet that is protected by this tunnel in network/mask or network/bits format. Example: 10.10.10.0/255.255.255.0 or 10.10.10.0/24.

    When VLANs are configured on the system, the appropriate VLAN network designation should be configured as the protected local network. Note that only traffic originating from that local VLAN will be allowed to traverse the VPN tunnel. All other traffic from local VLANs is blocked from entering the tunnel and will use the appropriate system routes (default or discrete network or host routes). Similarly, only traffic bound to that VLAN through the tunnel is routed to the destination IP address. All other traffic arriving from the remote protected network will not be routed.

    Remote VPN Gateway

    Enter the remote VPN gateway IP address. Use a static IP address, the DNS host name of the remote peer, or the token %any.

    If you use %any, any remote site is allowed to connect (given that it has the correct credentials and settings).

    Note: You cannot use Early Start if you specified %any in the Remote VPN Gateway field; you must specify an IP address in the Remote VPN Gateway field to use Early Start.

    Because the remote address is not known, the tunnel cannot be established until the remote gateway sets up the tunnel. In addition, all tunnels using %any share the same Shared Secret. If the Shared Secret is changed for one tunnel using the token %any, it will automatically be changed for all tunnels using the token %any.

    Note: A new VPN tunnel configuration requires that you select the Early Start checkbox in order to initialize the tunnel.

    Protected Remote Network

    Enter the IP address of the remote subnet protected by the tunnel, in network/mask or network/bits format. Example: 10.10.10.0/255.255.255.0 or 10.10.10.0/24.

    Note: The Remote Protected Network can be a supernet of the Local networks (LAN, VLAN, and subinterface networks), but it cannot be the same as, or a subnet of, the Local networks.

    DH Group

    Choose the Diffie-Hellman (DH) group to use for Phase 1 and Phase 2. Supported values:

    • DH Group 5 (1536-bit key)

    • DH Group 14 (2048-bit key)

    • DH Group 19 (256-bit key)
    • DH Group 20 (384-bit key)
    • DH Group 21 (521-bit key)

    To manage DH settings, choose Network > Firewall Traversal and refer to Configuring Diffie-Hellman Parameters.

    Phase 1

    Choose the cipher and hash algorithms to use for Phase 1 (IKE) encryption. Supported settings:

    • 3DES or AES for cipher

    • MD5 or SHA1 for hash

    Phase 2

    Choose the cipher and hash algorithms to use for Phase 2 Encapsulating Security Payload (ESP) encryption. Supported settings:

    • 3DES or AES for cipher

    • MD5 or SHA1 for hash

    Phase 1 lifetime

    Enter the time that the keying channel (ISAKMP SA) should last before being renegotiated. Valid range for the Phase 1 Lifetime is 600-28800 seconds.

    Phase 2 lifetime

    Enter the time that the connection (IPsec SA) should last before being renegotiated. Valid range for the Phase 2 Lifetime is 600-86400 seconds.

    Perfect Forward Secrecy

    Select the Perfect Forward Secrecy checkbox to ensure proper IKE negotiation.

    PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless you specify Perfect Forward Secrecy.

    IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. To configure the adaptive security appliance for virtual private networks, you set global IKE parameters that apply system wide, and you also create IKE policies that the peers negotiate to establish a VPN connection.

    PFS must be enabled on both sides of the tunnel; if you enable one side, the other side must also have it enabled.

    IKEv2

    Select the IKEv2 checkbox to enable the IKEv2 encryption protocol. IKEv2 enhances the security of the tunnel.

    Early Start

    Select the Early Start checkbox to initiate VPN gateway key negotiation when you click Apply or when the gateway reboots.

    If Early Start is not selected, the local gateway defers the key negotiation until the remote VPN gateway starts key negotiation or a packet from the protected local network attempts to pass through the tunnel.

    Note: You cannot use Early Start if you specified %any in the Remote VPN Gateway field; you must specify an IP address in the Remote VPN Gateway field to use Early Start.

    A new VPN tunnel configuration requires that you select the Early Start checkbox in order to initialize the tunnel.

    Keepalive Ping (Optional)

    This option is used when you enter valid IP addresses in the “Source IP Address” and “Destination IP Address” fields. These addresses should be IP addresses from the local and remote subnetworks, respectively. The option checks that the VPN tunnel is working by sending a ping from the Source IP address to the Destination IP address. If the ping fails 9 times, the last Security Associations are deleted, the IPsec daemon is restarted, and a fresh tunnel is created.

    Source IP address

    IP address from the local subnetwork.

    Destination IP address

    IP address from the remote subnetwork.
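
The field rules in the table above can be checked before a tunnel is submitted. The following is an added example, not the product's own code; the function name, dictionary keys and sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Name rule from the table: starts with a letter, then letters, digits,
# hyphen, period or underscore; 32 characters maximum.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,31}")

# Constructed sample values with hypothetical keys, not from a real device.
SAMPLE = {
    "name": "branch-1.hq", "shared_secret": "example-secret-not-real",
    "remote_gateway": "%any", "early_start": True,
    "protected_remote": "10.10.10.0/255.255.255.0",
    "phase1_lifetime": 28800, "phase2_lifetime": 90000,
}
SAMPLE_LOCAL = ["10.10.0.0/16"]  # the device's LAN/VLAN networks


def validate_tunnel(cfg, local_networks):
    """Return a list of rule violations for one tunnel (empty list = OK)."""
    errors = []
    if not NAME_RE.fullmatch(cfg["name"]):
        errors.append("name: invalid characters or length")
    if len(cfg["shared_secret"]) > 32:
        errors.append("shared_secret: longer than 32 characters")
    if not 600 <= cfg["phase1_lifetime"] <= 28800:
        errors.append("phase1_lifetime: outside 600-28800 seconds")
    if not 600 <= cfg["phase2_lifetime"] <= 86400:
        errors.append("phase2_lifetime: outside 600-86400 seconds")
    if cfg["remote_gateway"] == "%any" and cfg["early_start"]:
        errors.append("early_start: not allowed with %any")
    try:
        # ip_network accepts both network/bits and network/mask notation.
        remote = ipaddress.ip_network(cfg["protected_remote"], strict=True)
    except ValueError:
        errors.append("protected_remote: not a valid network")
        return errors
    for text in local_networks:
        local = ipaddress.ip_network(text, strict=True)
        # Equal to or inside a local network is rejected; a supernet is fine.
        if remote.version == local.version and remote.subnet_of(local):
            errors.append(f"protected_remote: same as or inside {local}")
    return errors


if __name__ == "__main__":
    for problem in validate_tunnel(SAMPLE, SAMPLE_LOCAL):
        print(problem)
```

The sample deliberately breaks three rules: the Phase 2 lifetime range, Early Start combined with %any, and a remote network that falls inside a local one.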
