Set up an IPSec tunnel for authentication and encryption of data. Define proxy IDs
for policy-based VPN peers and ensure successful IKE and IPSec negotiations.
Where Can I Use?
What Do I Need? No license required
The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP
packet) as it traverses the tunnel.
If you’re setting up the firewall to work with a peer that supports policy-based VPN,
you must define proxy IDs. Devices that support policy-based VPN use specific
security rules/policies or access-lists (source addresses, destination addresses,
and ports) to permit interesting traffic through an IPSec tunnel. These rules
are referenced during quick mode (IKE phase 2) negotiation and are exchanged as
proxy IDs in the first or second message of that exchange. So, if you’re
configuring the firewall to work with a policy-based VPN peer, phase 2 negotiation
succeeds only when the proxy ID you define on the firewall is identical to the
setting on the peer. Because the firewall supports route-based VPN, if no proxy ID
is configured it uses the default values source IP 0.0.0.0/0, destination IP
0.0.0.0/0, and application any as the proxy ID; when these defaults are exchanged
with a policy-based peer, the VPN connection fails to set up.
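The following Python is an added illustration, not firewall code from the vendor, of the proxy-ID comparison described above: each side's proxy ID is viewed as the mirror image of the other's (our local network is the peer's remote network), and phase 2 succeeds only when the mirrored selectors are identical. The `ProxyID` class, the `ROUTE_BASED_DEFAULT` constant and the sample subnets are constructed for this example; the exact-match rule models IKEv1 quick mode as the text describes it.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ProxyID:
    """One traffic selector as configured on a peer (constructed for this example)."""
    local: str             # local network in CIDR form, e.g. "10.1.1.0/24"
    remote: str            # remote network in CIDR form
    protocol: str = "any"  # "any", "tcp", "udp", ... (compared case-insensitively)
    local_port: int = 0    # 0 means any port
    remote_port: int = 0

    def mirrored(self) -> "ProxyID":
        """The same selector as seen from the other peer: local and remote swap."""
        return ProxyID(self.remote, self.local, self.protocol,
                       self.remote_port, self.local_port)


# What a route-based firewall sends when no proxy ID is configured:
# source 0.0.0.0/0, destination 0.0.0.0/0, application any.
ROUTE_BASED_DEFAULT = ProxyID("0.0.0.0/0", "0.0.0.0/0", "any")


def phase2_selectors_match(ours: ProxyID, peers: ProxyID) -> tuple[bool, str]:
    """Return (ok, reason) for an exact-match (IKEv1 quick mode style) comparison.

    `peers` is the proxy ID as the peer configured it on its own side; it is
    mirrored first so that both selectors are compared from our perspective.
    """
    theirs = peers.mirrored()
    if ip_network(ours.local, strict=False) != ip_network(theirs.local, strict=False):
        return False, f"local network {ours.local} != peer's remote network {theirs.local}"
    if ip_network(ours.remote, strict=False) != ip_network(theirs.remote, strict=False):
        return False, f"remote network {ours.remote} != peer's local network {theirs.remote}"
    if ours.protocol.lower() != theirs.protocol.lower():
        return False, f"protocol {ours.protocol} != peer's protocol {theirs.protocol}"
    if (ours.local_port, ours.remote_port) != (theirs.local_port, theirs.remote_port):
        return False, "port selectors differ"
    return True, "proxy IDs match; phase 2 SA can be established"


if __name__ == "__main__":
    # Constructed policy-based peer: its access-list permits 192.168.1.0/24 <-> 10.1.1.0/24.
    peer = ProxyID(local="192.168.1.0/24", remote="10.1.1.0/24")
    # Firewall left at the route-based default: negotiation fails.
    print(phase2_selectors_match(ROUTE_BASED_DEFAULT, peer))
    # Firewall with an explicit proxy ID mirroring the peer's policy: negotiation succeeds.
    print(phase2_selectors_match(ProxyID("10.1.1.0/24", "192.168.1.0/24"), peer))
```

The first call reproduces the failure the text describes (0.0.0.0/0 defaults offered to a policy-based peer); the second shows the explicit proxy ID that makes the selectors identical. IKEv2 peers may be able to narrow traffic selectors rather than requiring an exact match, so the outcome with a real peer also depends on the IKE version and the peer's implementation; the model here covers the exact-match case.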
To establish an IPSec tunnel successfully, both IKE and IPSec negotiations should be
The IKE negotiation will be successful only when both VPN peers exchange
compatible IKE parameters.
The IKE Phase 2 (IPSec) negotiation will be successful only when both VPN peers
exchange compatible IPSec parameters.