IPSec Tunnel General Tab

  • Network > IPSec Tunnels > General
Use the following fields to set up an IPSec tunnel.
IPSec Tunnel General Settings
Name
Enter a Name to identify the tunnel (up to 63 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
The 63-character limit for this field applies to the tunnel name plus the Proxy ID, which are joined by a colon character.
Tunnel Interface
Select an existing tunnel interface, or click New Tunnel Interface. For information on creating a tunnel interface, refer to Network > Interfaces > Tunnel.
IPv4 or IPv6
Select IPv4 or IPv6 to configure the tunnel endpoints with that IP address type.
Type
Select whether to use an automatically generated or manually entered security key. Auto key is recommended.
Auto Key
If you choose Auto Key, specify the following:
  • IKE Gateway—Refer to Network > Network Profiles > IKE Gateways for descriptions of the IKE gateway settings.
  • IPSec Crypto Profile—Select an existing profile or keep the default profile. To define a new profile, click New and follow the instructions in Network > Network Profiles > IPSec Crypto.
  • Click Show Advanced Options to access the remaining fields.
  • Enable Replay Protection—Select to protect against replay attacks.
  • Copy TOS Header—Copy the Type of Service (TOS) field from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information. This also copies the Explicit Congestion Notification (ECN) field.
  • Add GRE Encapsulation—Select to add a GRE header encapsulated in the IPSec tunnel. The firewall generates a GRE header after the IPSec header for interoperability with other vendor tunnel endpoints, thus sharing a GRE tunnel with the IPSec tunnel.
  • Tunnel Monitor—Select to alert the device administrator of tunnel failures and to provide automatic failover to another interface.
    You need to assign an IP address to the tunnel interface for monitoring.
    • Destination IP—Specify an IP address on the other side of the tunnel that the tunnel monitor will use to determine if the tunnel is working properly.
    • Profile—Select an existing profile that will determine the actions that are taken if the tunnel fails. If the action specified in the monitor profile is wait-recover, the firewall will wait for the tunnel to become functional and will NOT seek an alternate path with the route table. If the fail-over action is used, the firewall will check the route table to see if there is an alternate route that can be used to reach the destination. For more information, see Network > Network Profiles > Monitor.
Manual Key
If you choose Manual Key, specify the following:
  • Local SPI—Specify the local security parameter index (SPI) for packet traversal from the local firewall to the peer. SPI is a hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows.
  • Interface—Select the interface that is the tunnel endpoint.
  • Local Address—Select the IP address for the local interface that is the endpoint of the tunnel.
  • Remote SPI—Specify the remote security parameter index (SPI) for packet traversal from the remote firewall to the peer.
  • Protocol—Choose the protocol for traffic through the tunnel (ESP or AH).
  • Authentication—Choose the authentication type for tunnel access (SHA1, SHA256, SHA384, SHA512, MD5, or None).
  • Key/Confirm Key—Enter and confirm an authentication key.
  • Encryption—Select an encryption option for tunnel traffic (3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, des, or null [no encryption]).
  • Key/Confirm Key—Enter and confirm an encryption key.
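As an added example that is not part of the PAN-OS documentation, the following Python validator checks the Name field rules and the Manual Key fields described above before they are committed. It assumes keys are entered as hex strings of the standard size for each listed algorithm and flags the deprecated choices a reviewer would question.

```python
import re

# Manual key sizes in bytes per algorithm on the General tab (keys entered as hex).
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes-128-cbc": 16,
                 "aes-192-cbc": 24, "aes-256-cbc": 32, "null": 0}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20, "sha256": 32,
                  "sha384": 48, "sha512": 64, "none": 0}
# Deprecated algorithms, or settings that switch protection off entirely.
WEAK = {"des", "3des", "md5", "null", "none"}
NAME_RE = re.compile(r"[A-Za-z0-9 _-]+")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

def tunnel_name_issues(name, proxy_id=""):
    """Name field: allowed characters, 63 chars including ':' and the Proxy ID."""
    issues = []
    if not NAME_RE.fullmatch(name):
        issues.append("name may only use letters, digits, spaces, '-' and '_'")
    full = f"{name}:{proxy_id}" if proxy_id else name
    if len(full) > 63:
        issues.append(f"name plus ':' plus Proxy ID is {len(full)} chars; limit is 63")
    return issues

def manual_key_issues(cfg):
    """Return the problems found in a Manual Key tunnel configuration dict."""
    issues = []
    for field in ("local_spi", "remote_spi"):
        spi = cfg[field]
        if not re.fullmatch(r"(0x)?[0-9A-Fa-f]{1,8}", spi):
            issues.append(f"{field} '{spi}' is not a 32-bit hex SPI")
        elif int(spi, 16) < 256:  # SPIs 0-255 are reserved (RFC 4303)
            issues.append(f"{field} {spi} is in the reserved range 0-255")
    auth = cfg["authentication"].lower()
    enc = cfg.get("encryption", "null").lower()
    checks = [("authentication", auth, AUTH_KEY_BYTES, cfg.get("auth_key", ""))]
    if cfg["protocol"].upper() == "ESP":
        if auth == "none" and enc == "null":
            issues.append("ESP with no authentication and null encryption protects nothing")
        checks.append(("encryption", enc, ENC_KEY_BYTES, cfg.get("enc_key", "")))
    elif enc != "null":
        issues.append("AH carries no encryption; the encryption setting does not apply")
    for label, algo, table, key in checks:
        if algo not in table:
            issues.append(f"unknown {label} algorithm '{algo}'")
            continue
        if algo in WEAK:
            issues.append(f"{label} '{algo}' is deprecated or disables protection")
        need = table[algo] * 2  # key length in hex digits
        if need and (len(key) != need or not HEX_RE.fullmatch(key)):
            issues.append(f"{label} key must be {need} hex digits for {algo}")
    return issues
```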
GlobalProtect Satellite
If you choose GlobalProtect Satellite, specify the following:
  • Name—Enter a name to identify the tunnel (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  • Tunnel Interface—Select an existing tunnel interface, or click New Tunnel Interface.
  • Portal Address—Enter the IP address of the GlobalProtect™ Portal.
  • Interface—Select the interface from the drop-down that is the egress interface to reach the GlobalProtect Portal.
  • Local IP Address—Enter the IP address of the egress interface that connects to the GlobalProtect Portal.
  • Advanced Options
    • Publish all static and connected routes to Gateway—Select to publish all routes from the satellite to the GlobalProtect Gateway to which this satellite is connected.
    • Subnet—Click Add to manually add local subnets for the satellite location. If other satellites are using the same subnet information, you must NAT all traffic to the tunnel interface IP. Also, the satellite must not share routes in this case, so all routing will be done through the tunnel IP.
    • External Certificate Authority—Select if you will use an external CA to manage certificates. Once you have your certificates generated, you will need to import them into the satellite and select the Local Certificate and the Certificate Profile.