Select Network > IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of the IKE/IPSec VPN setup.
What do you want to know? See:
Manage IPsec VPN tunnels: IPSec VPN Tunnel Management
Configure an IPsec tunnel: IPSec Tunnel General Tab, IPSec Tunnel Proxy IDs Tab
View IPsec tunnel status: IPSec Tunnel Status on the Firewall
Restart or refresh an IPsec tunnel: IPSec Tunnel Restart or Refresh
Looking for more? Set up an IPSec tunnel
IPSec VPN Tunnel Management
The following table describes how to manage your IPSec VPN tunnels.
Field: Description
Add: To create a new IPSec VPN tunnel, click Add. See IPSec Tunnel General Tab for instructions on configuring the new tunnel.
Delete: To delete a tunnel, select the tunnel and click Delete.
Enable: To enable a tunnel that has been disabled, select the tunnel and click Enable. Enabled is the default setting for a tunnel.
Disable: To disable a tunnel, select the tunnel and click Disable.
IPSec Tunnel General Tab
The following table describes the IPSec tunnel general settings.
Setting: Description
Name: Enter a Name to identify the tunnel (up to 63 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. The 63-character limit covers the tunnel name and the Proxy ID name together, separated by a colon, so a long tunnel name leaves less room for the Proxy ID.
Tunnel Interface: Select an existing tunnel interface, or click New Tunnel Interface. For information on creating a tunnel interface, refer to Network > Interfaces > Tunnel.
IPv4 or IPv6: Select IPv4 or IPv6 as the address family of the tunnel endpoints.
Type: Select the key type: Auto Key (automatically generated security key), Manual Key (manually entered security key), or GlobalProtect Satellite. Auto Key is recommended.
Auto Key: If you choose Auto Key, specify the following:
IKE Gateway — Refer to Network > Network Profiles > IKE Gateways for descriptions of the IKE gateway settings.
IPSec Crypto Profile — Select an existing profile or keep the default profile. To define a new profile, click New and follow the instructions in Network > Network Profiles > IPSec Crypto.
Click Show Advanced Options to access the remaining fields.
Enable Replay Protection — Select this option to protect against replay attacks.
Copy TOS Header — Copy the Type of Service (TOS) field from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information. This option also copies the Explicit Congestion Notification (ECN) field.
Tunnel Monitor — Select this option to alert the device administrator of tunnel failures and to provide automatic failover to another interface. You must assign an IP address to the tunnel interface for monitoring to work.
Destination IP — Specify an IP address on the other side of the tunnel that the tunnel monitor uses to determine whether the tunnel is working properly.
Profile — Select an existing monitor profile that determines the action taken if the tunnel fails. If the action in the monitor profile is wait-recover, the firewall waits for the tunnel to become functional and does NOT look for an alternate path in the route table. If the action is fail-over, the firewall checks the route table for an alternate route to the destination. For more information, see Network > Network Profiles > Monitor.
Manual Key: If you choose Manual Key, specify the following:
Local SPI — Specify the local security parameter index (SPI) for packet traversal from the local firewall to the peer. The SPI is a hexadecimal index added to the IPSec header to distinguish between IPSec traffic flows.
Interface — Select the interface that is the tunnel endpoint.
Local Address — Select the IP address of the local interface that is the endpoint of the tunnel.
Remote SPI — Specify the remote security parameter index (SPI) for packet traversal from the remote firewall to the peer.
Protocol — Choose the protocol for traffic through the tunnel (ESP or AH).
Authentication — Choose the authentication type for tunnel access (SHA1, SHA256, SHA384, SHA512, MD5, or None).
Key/Confirm Key — Enter and confirm an authentication key.
Encryption — Select an encryption option for tunnel traffic (3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, des, or null [no encryption]).
Key/Confirm Key — Enter and confirm an encryption key.
GlobalProtect Satellite: If you choose GlobalProtect Satellite, specify the following:
Name — Enter a name to identify the tunnel (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Tunnel Interface — Select an existing tunnel interface, or click New Tunnel Interface.
Portal Address — Enter the IP address of the GlobalProtect™ Portal.
Interface — Select from the drop-down the egress interface used to reach the GlobalProtect Portal.
Local IP Address — Enter the IP address of the egress interface that connects to the GlobalProtect Portal.
Advanced Options:
Publish all static and connected routes to Gateway — Select this option to publish all routes from the satellite to the GlobalProtect Gateway to which this satellite is connected.
Subnet — Click Add to manually add local subnets for the satellite location. If other satellites use the same subnet information, you must NAT all traffic to the tunnel interface IP. The satellite must also not share routes in this case, so all routing is done through the tunnel IP.
External Certificate Authority — Select this option if you will use an external CA to manage certificates. Once you have generated your certificates, import them into the satellite and select the Local Certificate and the Certificate Profile.
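The Manual Key fields above are easy to get wrong, and the form accepts choices (MD5, None, DES, null) that give little or no protection. The following Python is an added example, not Palo Alto Networks code: it checks a Manual Key definition before it is committed, verifying that each SPI is a hexadecimal 32-bit value outside the reserved range, that the protocol is ESP or AH, and that each key has the length the chosen algorithm requires, and it flags the weak options. The key sizes and the reserved SPI range come from the IPsec RFCs; the dictionary layout, the weak-algorithm lists and the function names are this example's own assumptions.

```python
"""Check a Manual Key IPSec tunnel definition before it is committed.

Added example, not Palo Alto Networks code. Facts used: an SPI is a 32-bit
value and 0-255 are reserved (RFC 4303); an IPsec HMAC key is as long as the
hash output (RFC 2403, 2404, 4868); each cipher has a fixed key size. The
weak-option policy, the cfg dictionary layout and the function names are
assumptions made for this example.
"""
import re

HEX_RE = re.compile(r"^(0x)?[0-9a-fA-F]+$")

# Key sizes in bytes for the options the Manual Key form offers.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64, "none": 0}
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes-128-cbc": 16, "aes-192-cbc": 24,
                 "aes-256-cbc": 32, "null": 0}
# Options this example refuses for a new tunnel (policy assumption).
WEAK_AUTH = {"md5", "none"}
WEAK_ENC = {"des", "null"}


def _hex_bytes(value: str, label: str, problems: list) -> int:
    """Return the byte length of a hex key, or -1 after recording why it is invalid."""
    if not HEX_RE.match(value):
        problems.append(f"{label}: not a hexadecimal string")
        return -1
    digits = value[2:] if value.lower().startswith("0x") else value
    if len(digits) % 2:
        problems.append(f"{label}: odd number of hex digits")
        return -1
    return len(digits) // 2


def check_spi(spi: str, label: str, problems: list) -> None:
    """An SPI must be hex, fit in 32 bits and avoid the reserved range 0-255."""
    if not HEX_RE.match(spi):
        problems.append(f"{label}: SPI must be hexadecimal")
        return
    n = int(spi, 16)
    if n > 0xFFFFFFFF:
        problems.append(f"{label}: SPI must fit in 32 bits")
    elif n <= 255:
        problems.append(f"{label}: SPI values 0-255 are reserved (RFC 4303)")


def check_manual_key(cfg: dict) -> list:
    """Return the problems found in a Manual Key definition; [] means clean."""
    problems: list = []
    check_spi(cfg["local_spi"], "local SPI", problems)
    check_spi(cfg["remote_spi"], "remote SPI", problems)
    proto = cfg["protocol"].lower()
    if proto not in ("esp", "ah"):
        problems.append(f"protocol '{cfg['protocol']}' must be ESP or AH")
    auth = cfg["authentication"].lower()
    if auth not in AUTH_KEY_BYTES:
        problems.append(f"unknown authentication '{cfg['authentication']}'")
    else:
        if auth in WEAK_AUTH:
            problems.append(f"authentication '{auth}' is weak; prefer sha256 or stronger")
        if auth != "none":
            got = _hex_bytes(cfg.get("auth_key", ""), "authentication key", problems)
            if got >= 0 and got != AUTH_KEY_BYTES[auth]:
                problems.append(f"authentication key is {got} bytes; {auth} needs {AUTH_KEY_BYTES[auth]}")
    if proto == "ah":
        if auth == "none":
            problems.append("AH provides authentication only, so authentication cannot be None")
        return problems  # AH has no encryption settings to check
    enc = cfg.get("encryption", "null").lower()
    if enc not in ENC_KEY_BYTES:
        problems.append(f"unknown encryption '{cfg.get('encryption')}'")
    else:
        if enc in WEAK_ENC:
            problems.append(f"encryption '{enc}' is weak; prefer aes-256-cbc")
        if enc != "null":
            got = _hex_bytes(cfg.get("enc_key", ""), "encryption key", problems)
            if got >= 0 and got != ENC_KEY_BYTES[enc]:
                problems.append(f"encryption key is {got} bytes; {enc} needs {ENC_KEY_BYTES[enc]}")
        if enc == "null" and auth == "none":
            problems.append("ESP with null encryption and no authentication protects nothing")
    return problems


# Constructed samples: an acceptable definition and one using weak choices.
SAMPLE_OK = {"local_spi": "0x1000", "remote_spi": "0x2000", "protocol": "ESP",
             "authentication": "sha256", "auth_key": "11" * 32,
             "encryption": "aes-256-cbc", "enc_key": "22" * 32}
SAMPLE_WEAK = {"local_spi": "0x10", "remote_spi": "abcd", "protocol": "ESP",
               "authentication": "md5", "auth_key": "aa" * 16,
               "encryption": "des", "enc_key": "bb" * 8}

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(name, check_manual_key(cfg))
```

The sample keys are placeholders; a real authentication or encryption key must come from a cryptographically secure random source and be entered identically on both peers.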
IPSec Tunnel Proxy IDs Tab
The IPSec Tunnel Proxy IDs tab is separated into two tabs: IPv4 and IPv6. The help is similar for both types; the differences between IPv4 and IPv6 are described in the Local and Remote fields in the following table.
The IPSec Tunnel Proxy IDs tab is also used to specify traffic selectors for IKEv2.
Setting: Description
Proxy ID: Click Add and enter a name to identify the proxy. For an IKEv2 traffic selector, this field is used as the Name.
Local: For IPv4, enter an IP address or subnet in the format x.x.x.x/mask (for example, 10.1.2.0/24). For IPv6, enter an IP address and prefix length in the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix-length, or the shortened form allowed by IPv6 convention (for example, 2001:DB8:0::/48): leading zeros within a group can be omitted, and one run of consecutive all-zero groups can be replaced by a double colon (::). For an IKEv2 traffic selector, this field is converted to Source IP Address.
Remote: If required by the peer: for IPv4, enter an IP address or subnet in the format x.x.x.x/mask (for example, 10.1.1.0/24). For IPv6, enter an IP address and prefix length in the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix-length (or per IPv6 convention, for example, 2001:DB8:55::/48). For an IKEv2 traffic selector, this field is converted to Destination IP Address.
Protocol: Specify the protocol and port numbers for the local and remote ports:
Number — Specify the protocol number (used for interoperability with third-party devices).
Any — Allow TCP and/or UDP traffic.
TCP — Specify the local and remote TCP port numbers.
UDP — Specify the local and remote UDP port numbers.
Each configured proxy ID counts toward the IPSec VPN tunnel capacity of the firewall. This field is also used as an IKEv2 traffic selector.
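The rules in this table (Local/Remote address formats, protocol and ports, the IKEv2 traffic-selector mapping) together with the General tab's name rules (allowed characters, and the 63-character limit shared by the tunnel name and proxy ID name) can be checked before a commit. The following Python is an added example, not Palo Alto Networks code; the ProxyId class, the use of port 0 to mean "any port", and the function names are this example's assumptions.

```python
"""Validate IPSec tunnel proxy IDs and show their IKEv2 traffic-selector view.

Added example, not Palo Alto Networks code. It applies the rules the page
states: tunnel names use only letters, digits, spaces, hyphens and underscores;
the 63-character limit covers "<tunnel name>:<proxy ID name>"; Local and
Remote are an IPv4 address or subnet (x.x.x.x/mask) or an IPv6 address with
prefix length; Protocol is Number, Any, TCP or UDP with local/remote ports.
The ProxyId class, port 0 meaning "any port", and the function names are
assumptions made for this example.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Union

NAME_RE = re.compile(r"^[A-Za-z0-9 _-]+$")
NAME_LIMIT = 63  # covers the tunnel name plus ":<proxy ID name>"

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class ProxyId:
    name: str
    local: str
    remote: str
    protocol: str = "any"   # "any", "tcp", "udp" or a protocol number as text
    local_port: int = 0     # 0 = any port (assumption made for this example)
    remote_port: int = 0


def parse_selector(text: str, ipv6: bool) -> Network:
    """Parse x.x.x.x/mask or IPv6 addr/prefix; a bare address gets a host mask.

    ipaddress.ip_network() accepts the shortened IPv6 forms the page describes
    (leading zeros dropped, one run of zero groups written as ::).
    """
    net = ipaddress.ip_network(text, strict=False)
    tab = "IPv6" if ipv6 else "IPv4"
    if (net.version == 6) != ipv6:
        raise ValueError(f"{text} does not belong on the {tab} tab")
    return net


def validate_proxy_id(tunnel_name: str, pid: ProxyId, ipv6: bool = False) -> list[str]:
    """Return the problems found; an empty list means the entry is acceptable."""
    problems: list[str] = []
    if not NAME_RE.match(tunnel_name):
        problems.append("tunnel name may use only letters, numbers, spaces, hyphens and underscores")
    combined = f"{tunnel_name}:{pid.name}"
    if len(combined) > NAME_LIMIT:
        problems.append(f"'{combined}' is {len(combined)} characters; the limit is {NAME_LIMIT}")
    for label, value in (("local", pid.local), ("remote", pid.remote)):
        try:
            parse_selector(value, ipv6)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    proto = pid.protocol.lower()
    if proto in ("tcp", "udp"):
        for label, port in (("local port", pid.local_port), ("remote port", pid.remote_port)):
            if not 0 <= port <= 65535:
                problems.append(f"{label} {port} is out of range")
    elif proto != "any" and not (proto.isdigit() and int(proto) <= 255):
        problems.append(f"protocol '{pid.protocol}' must be any, tcp, udp or a number from 0 to 255")
    return problems


def to_ikev2_traffic_selector(pid: ProxyId, ipv6: bool = False) -> dict:
    """Map a proxy ID onto the IKEv2 traffic-selector fields named on the page."""
    local = parse_selector(pid.local, ipv6)
    remote = parse_selector(pid.remote, ipv6)
    return {
        "name": pid.name,
        "source_ip": local.with_prefixlen,
        "destination_ip": remote.with_prefixlen,
        "protocol": pid.protocol.lower(),
        "source_port": pid.local_port,
        "destination_port": pid.remote_port,
    }


def proxy_ids_used(proxy_ids: list[ProxyId]) -> int:
    """Every configured proxy ID counts toward the firewall's IPSec tunnel capacity."""
    return len(proxy_ids)


if __name__ == "__main__":
    # Constructed sample using the page's own example prefixes.
    lan = ProxyId("lan", "10.1.2.0/24", "10.1.1.0/24", "tcp", 0, 443)
    print(validate_proxy_id("site-a", lan), to_ikev2_traffic_selector(lan))
```

Because proxy IDs must match the peer's configuration exactly for the phase-2 SA to come up, running a check like this on both sides' intended values before committing catches the most common mismatch causes (wrong mask, wrong address family, a name that overruns the shared limit) without touching the firewall.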
IPSec Tunnel Status on the Firewall
To view the status of currently defined IPSec VPN tunnels, open the IPSec Tunnels page. The following status information is reported on the page:
Tunnel Status (first status column) — Green indicates that an IPSec phase-2 security association (SA) is established for the tunnel. Red indicates that the IPSec phase-2 SA is not available or has expired.
IKE Gateway Status — Green indicates a valid IKE phase-1 SA or IKEv2 IKE SA. Red indicates that the IKE phase-1 SA is not available or has expired.
Tunnel Interface Status — Green indicates that the tunnel interface is up (either because tunnel monitoring is disabled, or because the tunnel monitor status is UP and the monitoring IP address is reachable). Red indicates that the tunnel interface is down because tunnel monitoring is enabled and the remote tunnel monitoring IP address is unreachable.
IPSec Tunnel Restart or Refresh
Select Network > IPSec Tunnels to display the status of tunnels. The first Status column contains a link to the Tunnel Info page. Click the tunnel you want to restart or refresh to open its Tunnel Info page, click one of the entries in the list, and then click:
Restart — Restart the selected tunnel. A restart disrupts traffic going across the tunnel.
Refresh — Show the current IPSec SA status.
