Set Up an IPSec Tunnel

The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses the tunnel.
If you are setting up the firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the firewall supports route-based VPN, the default values used as Proxy-ID are source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer, it results in a failure to set up the VPN connection.
  1. Select
    Network
    IPSec Tunnels
    and then
    Add
    a new tunnel configuration.
  2. On the
    General
    tab, enter a
    Name
    for the tunnel.
  3. Select the
    Tunnel interface
    on which to set up the IPSec tunnel.
    To create a new tunnel interface:
    1. Select
      Tunnel Interface
      New Tunnel Interface
      . (You can also select
      Network
      Interfaces
      Tunnel
      and click
      Add
      .)
    2. In the
      Interface Name
      field, specify a numeric suffix, such as
      .2
      .
    3. On the
      Config
      tab, select the
      Security Zone
      list to define the zone as follows:
    Use your trust zone as the termination point for the tunnel
    —Select the zone. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.
    Or:
    Create a separate zone for VPN tunnel termination
    (
    Recommended
    )—Select
    New Zone
    , define a
    Name
    for the new zone (for example vpn-corp), and click
    OK
    .
    1. For
      Virtual Router
      , select
      default
      .
    2. (
      Optional
      ) If you want to assign an IPv4 address to the tunnel interface, select the
      IPv4
      tab, and
      Add
      the IP address and network mask, for example 10.31.32.1/32.
    3. Click
      OK
      .
  4. (
    Optional
    ) Enable IPv6 on the tunnel interface.
    1. Select the IPv6 tab on
      Network
      Interfaces
      Tunnel
      IPv6
      .
    2. Select
      Enable IPv6 on the interface
      .
      This option allows you to route IPv6 traffic over an IPv4 IPSec tunnel and will provide confidentiality between IPv6 networks. The IPv6 traffic is encapsulated by IPv4 and then ESP. To route IPv6 traffic to the tunnel, you can use a static route to the tunnel, or use OSPFv3, or use a Policy-Based Forwarding (PBF) rule.
    3. Enter the 64-bit extended unique
      Interface ID
      in hexadecimal format, for example, 00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the physical interface’s MAC address.
    4. To assign an IPv6
      Address
      to the tunnel interface,
      Add
      the IPv6 address and prefix length, for example 2001:400:f00::1/64. If Prefix is not selected, the IPv6 address assigned to the interface will be wholly specified in the address text box.
      1. Select
        Use interface ID as host portion
        to assign an IPv6 address to the interface that will use the interface ID as the host portion of the address.
      2. Select
        Anycast
        to include routing through the nearest node.
  5. Set up key exchange.
    On the
    General
    tab, configure one of the following types of key exchange:
    Set up Auto Key exchange
    1. Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
    2. (
      Optional
      ) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.
    Set up Manual Key exchange
    1. Specify the
      Local SPI
      for the local firewall. SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA required for establishing a VPN tunnel.
    2. Select the
      Interface
      that will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel.
    3. Select the protocol to be used—
      AH
      or
      ESP
      .
    4. For AH, select the
      Authentication
      method and enter a
      Key
      and then
      Confirm Key
      .
    5. For ESP, select the
      Authentication
      method and enter a
      Key
      and then
      Confirm Key
      . Then, select the
      Encryption
      method and enter a
      Key
      and then
      Confirm Key
      , if needed.
    6. Specify the
      Remote SPI
      for the remote peer.
    7. Enter the
      Remote Address
      , the IP address of the remote peer.
  6. Protect against a replay attack.
    A replay attack occurs when a packet is maliciously intercepted and retransmitted by the interceptor.
    On the General tab, select
    Show Advanced Options
    and select
    Enable Replay Protection
    to detect and neutralize against replay attacks.
  7. (
    Optional
    ) Preserve the Type of Service header for the priority or treatment of IP packets.
    In the Show Advanced Options section, select
    Copy TOS Header
    . This copies the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information.
    If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.
  8. (
    Optional
    ) Select
    Add GRE Encapsulation
    to enable GRE over IPSec.
    Add GRE encapsulation in cases where the remote endpoint requires traffic to be encapsulated within a GRE tunnel before IPSec encrypts the traffic. For example, some implementations require multicast traffic to be encapsulated before IPSec encrypts it. Add GRE Encapsulation when the GRE packet encapsulated in IPSec has the same source IP address and destination IP address as the encapsulating IPSec tunnel.
  9. Enable Tunnel Monitoring.
    You must assign an IP address to the tunnel interface for monitoring.
    To alert the device administrator to tunnel failures and to provide automatic failover to another tunnel interface:
    1. Select
      Tunnel Monitor
      .
    2. Specify a
      Destination IP
      address on the other side of the tunnel to determine if the tunnel is working properly.
    3. Select a
      Profile
      to determine the action upon tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.
  10. Create a Proxy ID to identify the VPN peers.
    This step is required only if the VPN peer uses policy-based VPN.
    1. Select
      Network
      IPSec Tunnels
      and click
      Add
      .
    2. Select the
      Proxy IDs
      tab.
    3. Select the
      IPv4
      or
      IPv6
      tab.
    4. Click
      Add
      and enter the
      Proxy ID
      name.
    5. Enter the
      Local
      IP address or subnet for the VPN gateway.
    6. Enter the
      Remote
      address for the VPN gateway.
    7. Select the
      Protocol
      :
      • Number
        —Specify the protocol number (used for interoperability with third-party devices).
      • Any
        —Allows TCP and/or UDP traffic.
      • TCP
        —Specify the Local Port and Remote Port numbers.
      • UDP
        —Specify the Local Port and Remote Port numbers.
    8. Click
      OK
      .
  11. Commit your changes.
    Click
    OK
    and
    Commit
    .

Recommended For You