Under
you can add an IPsec connection or edit an existing connection. In the Connection editing window you can modify the following parameters:
Input box | Description |
---|---|
I/0 | A slider button indicates whether the IPsec connection is enabled (I) or disabled (0). Click on the slider button to change the status of this connection. A new connection is enabled by default. |
Name | Enter a unique name for this connection. This must consist of 1 – 63 alphanumeric characters and underscores. |
Template | Optionally you can select one of the predefined templates. All settings are then taken from the template. Values that were not set in the template are reset. The template "(empty)" can be used to reset all values. |
Security profile | Select one of the predefined security profiles. |
In the Connection tab you modify the following fields:
Input box | Description |
---|---|
Connection | Optionally select a network or Internet connection; its IP addresses are then used for the IPsec connection. |
Listening IP addresses | As an alternative to Connection, you can also enter user-specified IP addresses. Click the button on the right-hand side to add your entry to the list. If IP addresses are entered here, the Connection setting is ignored. If neither Connection nor Listening IP addresses are set, the IPsec service automatically uses one of the configured IP addresses of all connections. |
Remote gateways | The address or list of addresses of the remote site. Required for the Initiate connection option, which uses it to determine where to connect. |
Initiate connection | The firewall actively establishes the connection to the address(es) specified under Remote gateways. If this option is not set, the firewall waits for the remote site to initiate the connection. |
Force NAT-T | NAT-T (NAT traversal, i.e. UDP encapsulation of the ESP packets) is normally enabled automatically when the connection requires it. If that detection fails, this option forces the use of NAT-T on this connection. |
In the Tunnels tab you modify the following fields:
Input box | Description |
---|---|
Local networks | Local networks to be connected to the remote site. Click the button on the right-hand side to add your entry to the list. |
Remote networks | Remote networks to be connected to the local networks. Click the button on the right-hand side to add your entry to the list. Important: every configured local network is connected to every configured remote network. For IKEv1 connections, and for IKEv2 connections with IKEv2 compatibility mode enabled, the number of such combinations is limited to 25. There is no limit for IKEv2 connections with IKEv2 compatibility mode disabled. |
Virtual IP pool | The remote site is assigned an IP address from the configured IP pool. |
Virtual IP | Assign a specific IP address to the remote site. Important: the options Remote networks, Virtual IP pool and Virtual IP should not be used together. |
IKEv2 compatibility mode | Instead of sending all configured local and remote networks through a single tunnel, a separate tunnel is created for each pair of a local and a remote network (as with IKEv1). This option only applies to IKEv2 connections. |
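The two rules above (every local network is paired with every remote network, with at most 25 pairs for IKEv1 or IKEv2 in compatibility mode; Remote networks, Virtual IP pool and Virtual IP are not to be combined) are easy to get wrong in a hub with many subnets. The following Python script is an added example, not code from the firewall or its vendor: it models the Tunnels tab as a dataclass (the `Tunnels` class and its field names are assumptions), computes how many tunnels a configuration results in, and reports the violations the documentation warns about. The networks used in the usage section are constructed sample data.

```python
"""Added example: sanity checks for the Tunnels tab of an IPsec connection.

Illustrative code, not code from the firewall. It models the rules the
documentation states: every local network is paired with every remote network,
IKEv1 (and IKEv2 in compatibility mode) builds one tunnel per pair and allows
at most 25 pairs, and Remote networks, Virtual IP pool and Virtual IP should
not be combined. The Tunnels dataclass and its field names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from itertools import product
from typing import List, Optional, Tuple

# Limit stated in the documentation for IKEv1 / IKEv2 compatibility mode.
MAX_LEGACY_COMBINATIONS = 25


@dataclass
class Tunnels:
    """The settings of the Tunnels tab (assumed representation)."""
    ike_version: int                       # 1 or 2
    local_networks: List[str]              # e.g. ["10.1.0.0/24"]
    remote_networks: List[str] = field(default_factory=list)
    virtual_ip_pool: Optional[str] = None  # e.g. "10.99.0.0/24"
    virtual_ip: Optional[str] = None       # e.g. "10.99.0.7"
    ikev2_compat: bool = False             # "IKEv2 compatibility mode"


def one_tunnel_per_pair(t: Tunnels) -> bool:
    """True when each local/remote pair becomes its own tunnel."""
    return t.ike_version == 1 or t.ikev2_compat


def network_pairs(t: Tunnels) -> List[Tuple[str, str]]:
    """All local/remote combinations the connection carries (full cross product)."""
    locals_ = [str(ip_network(n, strict=False)) for n in t.local_networks]
    remotes = [str(ip_network(n, strict=False)) for n in t.remote_networks]
    return list(product(locals_, remotes))


def tunnel_count(t: Tunnels) -> int:
    """Number of tunnels set up for the configured local/remote networks."""
    pairs = network_pairs(t)
    if not pairs:
        return 0
    return len(pairs) if one_tunnel_per_pair(t) else 1


def validate(t: Tunnels) -> List[str]:
    """Return a list of problems; an empty list means the tab is consistent."""
    problems: List[str] = []
    pairs = network_pairs(t)
    if one_tunnel_per_pair(t) and len(pairs) > MAX_LEGACY_COMBINATIONS:
        problems.append(
            f"{len(pairs)} local/remote combinations exceed the limit of "
            f"{MAX_LEGACY_COMBINATIONS} for IKEv1 or IKEv2 compatibility mode"
        )
    # Remote networks, Virtual IP pool and Virtual IP are mutually exclusive.
    used = [name for name, value in (
        ("Remote networks", t.remote_networks),
        ("Virtual IP pool", t.virtual_ip_pool),
        ("Virtual IP", t.virtual_ip),
    ) if value]
    if len(used) > 1:
        problems.append("these options should not be used together: " + ", ".join(used))
    return problems


if __name__ == "__main__":
    # Constructed sample: a hub with six local networks and five branch networks.
    site = Tunnels(
        ike_version=2,
        local_networks=[f"10.1.{i}.0/24" for i in range(6)],
        remote_networks=[f"192.168.{i}.0/24" for i in range(5)],
        ikev2_compat=True,
    )
    print(tunnel_count(site), validate(site))   # 30 tunnels, over the limit
    site.ikev2_compat = False
    print(tunnel_count(site), validate(site))   # 1 tunnel, no problems
```

The same six-by-five configuration is fine with IKEv2 compatibility mode disabled (all 30 combinations share one tunnel) and invalid with it enabled or with IKEv1, which is exactly the distinction the limit of 25 turns on.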
In the Authentication tab you modify the following fields:
Input box | Description |
---|---|
Authentication type | Specify the authentication type. The values referred to by the fields below are PSK (preshared key), Certificate and Certificate Authority. |
PSK (preshared key) | Only for authentication type PSK (preshared key): enter the required password (the shared secret) here. |
Local certificate | The certificate the firewall uses to authenticate itself. It must contain the private key. |
Local identifier | The identity the firewall presents to the remote site. If this field is empty, PSK authentication automatically uses the outgoing IP address of the firewall, and certificate authentication automatically uses the distinguished name (DN) of the selected local certificate. |
Extended authentication | Enables the optional use of additional user authentication. Once you have selected a security profile, you have the following options: |
Remote certificate | Only for authentication type "Certificate": the certificate of the remote site. |
Certificate authority | Only for authentication type "Certificate Authority": a CA whose signed certificates are accepted for authentication. Since any certificate issued by this CA is accepted, consider restricting the expected peer with Remote identifier. |
Remote identifier | The identity expected from the remote site. If this field is empty, PSK authentication automatically uses the IP address of the remote gateway (if set), and certificate authentication automatically uses the distinguished name (DN) of the selected remote certificate. |
In the Routing tab you modify the following fields:
Input box | Description |
---|---|
Route-based IPsec | With this option, traffic is sent through the tunnel only according to routing rules and routing table entries that you configure manually, so you control precisely which traffic uses the tunnel. This is particularly useful when the local or remote networks of the connection overlap in an undesired way with other networks defined on the device. When the option is enabled, the routing configuration dialogs (routing rules and tables) list IPsec connections with route-based IPsec enabled as selectable source/destination interfaces. They are marked with a padlock icon so that they are easy to distinguish from other interfaces. |
MTU | Here you can set the MTU (Maximum Transmission Unit), i.e. the maximum size of a data packet that is sent without fragmentation. The default is 1400 bytes, which leaves room for the ESP and outer IP headers that IPsec adds on a link with the usual 1500-byte MTU. |
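The overlap condition that makes Route-based IPsec worthwhile is easier to see in code than in prose. The following Python script is an added example, not code from the firewall or its vendor: given the networks already defined on the device (an assumed name-to-prefix mapping) and the local/remote networks of a tunnel, it lists every overlap and how the two prefixes relate, which is the case where the tunnel's networks would otherwise compete with the device's own routes. All networks used are constructed sample data.

```python
"""Added example: find tunnel networks that overlap with networks already
defined on the device, the situation the Route-based IPsec option targets.

Illustrative code, not code from the firewall. The device networks and the
tunnel networks in the usage section are constructed sample data.
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple


def relation(tunnel_net, device_net) -> str:
    """Describe how an overlapping tunnel prefix relates to a device prefix.

    Two CIDR prefixes that overlap are either identical or one contains the
    other, so only three outcomes are possible.
    """
    if tunnel_net == device_net:
        return "identical"
    if tunnel_net.subnet_of(device_net):
        return "subnet"      # tunnel network lies inside the device network
    return "supernet"        # tunnel network contains the device network


def overlaps(tunnel_networks: List[str],
             device_networks: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (tunnel network, device network name, relation) per overlap."""
    hits = []
    for t in tunnel_networks:
        tn = ip_network(t, strict=False)
        for name, d in device_networks.items():
            dn = ip_network(d, strict=False)
            # overlaps() raises on mixed IPv4/IPv6 input, so compare families first.
            if tn.version == dn.version and tn.overlaps(dn):
                hits.append((str(tn), name, relation(tn, dn)))
    return hits


def route_based_recommended(tunnel_networks: List[str],
                            device_networks: Dict[str, str]) -> bool:
    """True when at least one tunnel network collides with a device network."""
    return bool(overlaps(tunnel_networks, device_networks))


if __name__ == "__main__":
    # Constructed sample: the device's own interface networks ...
    device = {
        "eth0 (WAN)": "203.0.113.10/30",
        "eth1 (LAN)": "192.168.1.0/24",
        "eth2 (DMZ)": "10.10.0.0/16",
    }
    # ... and the local/remote networks configured on a tunnel.
    tunnel = ["192.168.0.0/16", "172.16.5.0/24", "10.10.20.0/24"]
    for hit in overlaps(tunnel, device):
        print(hit)
    print("route-based IPsec recommended:", route_based_recommended(tunnel, device))
```

In the sample, 192.168.0.0/16 on the tunnel swallows the LAN segment 192.168.1.0/24 and 10.10.20.0/24 sits inside the DMZ prefix; both are cases where you want to decide by explicit routing entries which traffic enters the tunnel rather than letting the tunnel's networks apply wholesale.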
In the Traffic Shaping tab you modify the following fields:
Input box | Description |
---|---|
Traffic Group | Optionally select the name of a traffic group. The rules defined for this group are then applied to traffic on this connection. See also Traffic shaping. Note: for a route-based IPsec tunnel, traffic within the tunnel can be prioritized using a custom shaping configuration. |
Outgoing DSCP | From the list, select an optional DSCP value for outbound data traffic. The list contains the designations from the relevant RFCs (e.g. "CS0") and the group (e.g. "Default"). The value is also shown numerically in several bases (binary, hexadecimal and decimal), and the list can be searched by any of these representations, so you can quickly find the desired value regardless of your preferred notation. |
The buttons available at the bottom right of the edit window depend on whether you are adding a new IPsec connection or editing an existing one. For a new connection, click Create to add it to the list of available IPsec connections, or Cancel to discard it.
If you have changed an existing connection, use the buttons at the bottom right of the edit window to save the changes (Save) or discard them (Reset). Otherwise you can close the window (Close).
Click Activate in the toolbar at the top of the desktop to apply your configuration changes.