IPsec Tunnels

Here, you specify which networks and computers should use the VPN tunnels. Several networks can use the same VPN tunnel.

You must enter the tunneled networks here, even if you just configure the firewall for a road warrior. See also Remote side of network.

If you want to use the SIP functions in the firewall through an IPsec connection, you must add a row with Local side address (the address entered as Local side on the IPsec Peers page) as the Local network for each remote network of this IPsec connection (IPsec peer). Without such a row, the firewall's own address cannot be reached through the tunnel.

IPsec tunnels

Here, you enter the remote networks which are allowed to use an IPsec connection, and which local networks they can access via the connection.

Peer

Select an IPsec tunnel from the list of defined IPsec Peers.

If you want several networks to share the same IPsec tunnel, you add new rows by clicking the plus sign to the left of the network name.

Local network

Address type

Here, you select whether the IPsec tunnel to this peer should be used by the firewall itself or by a network behind it. Local side address means that the IP address selected under Local side on the IPsec Peers page is the only local address that can be reached through this tunnel. If Network is selected, a network behind the firewall can use the tunnel.

Network

If Network was selected in the previous field, you must also select a network here. Select from the networks defined in the IPsec networks table below.

Remote network

Address type

Here, you select the type of network that is found on the other side of this IPsec tunnel. This is the network that can be reached through the tunnel, and which can reach the Local network.

The following options exist:

  • Network. Behind the IPsec peer there is a network which is supposed to use the IPsec tunnel. This could be an office network behind a firewall.

    For this choice, you must also select a network in the next field.

  • Network, allow subset. Behind the IPsec peer there is an IPsec client using a dynamic IP address, and the network that this IP address belongs to is known to you. Allow subset means that the firewall will accept IPsec negotiations for the entire given network or any part of it, down to a single address. Note that a peer authenticated under such a row can claim any address within the given network, so make the network no larger than the client's address range requires.

    This is also what to select if you have a NATed IPsec client which is always located on the same IP network.

    For this choice, you must also select a network in the next field.

  • Remote side address. The IPsec peer itself will use the tunnel, but there is no network behind it allowed to access the tunnel. This could be a road warrior which always has a public IP address.

  • Any private address. The IPsec peer is a NATed road warrior. Note: this option only works when the peer client is NATed and its IP address is a private address (see appendix G, Lists of reserved ports, ICMP types and codes, and Internet protocols). If the client is sometimes not NATed, Remote/private address should be used instead. If the NATed address is not in one of the private IP address spans, Network, allow subset should be used.

  • Remote/private address. The IPsec peer is a road warrior which sometimes has a public IP address and sometimes a NATed private IP address.

Network

If Network or Network, allow subset was selected in the previous field, you must also select a network here. Select from the networks defined in the IPsec networks table below.
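The following is an added example, not the firewall's own code: it models how the Local network and Remote network address types above decide whether a traffic selector proposed by a peer is covered by a tunnel row, and it includes a check for the Local side address row that the SIP functions require for each remote network. The TunnelRow fields, function names and the sample rows are assumptions made for illustration; the private address spans are those of RFC 1918, and the network strings are in the same address/bits or address/netmask form as the IPsec networks table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 spans: the "private IP address spans" that Any private address accepts.
PRIVATE_SPANS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOCAL_SIDE = "Local side address"
NETWORK = "Network"
NETWORK_SUBSET = "Network, allow subset"
REMOTE_SIDE = "Remote side address"
ANY_PRIVATE = "Any private address"
REMOTE_OR_PRIVATE = "Remote/private address"


@dataclass
class TunnelRow:
    """One row of the IPsec tunnels table (field names are assumptions)."""
    peer: str
    local_type: str                 # LOCAL_SIDE or NETWORK
    local_network: Optional[str]    # IPsec networks entry, e.g. "192.168.1.0/24"
    remote_type: str                # one of the five Remote network address types
    remote_network: Optional[str]   # needed for NETWORK and NETWORK_SUBSET


def parse_network(text: str) -> Optional[ipaddress.IPv4Network]:
    """Accept 'addr/bits' or 'addr/dotted-netmask'; reject host bits set or IPv6."""
    try:
        net = ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None
    return net if net.version == 4 else None


def _single_private_host(net: ipaddress.IPv4Network) -> bool:
    return net.prefixlen == 32 and any(net.subnet_of(s) for s in PRIVATE_SPANS)


def local_selector_allowed(row: TunnelRow, local_side_address: str, proposed: str) -> bool:
    """Is the selector the peer proposes for our side covered by this row?"""
    net = parse_network(proposed)
    if net is None:
        return False
    if row.local_type == LOCAL_SIDE:
        # Only the address chosen as Local side on the IPsec Peers page is reachable.
        return net == ipaddress.ip_network(f"{local_side_address}/32")
    if row.local_type == NETWORK:
        # Assumption: the local network has to be proposed exactly as configured.
        return net == ipaddress.ip_network(row.local_network)
    raise ValueError(f"unknown local address type {row.local_type!r}")


def remote_selector_allowed(row: TunnelRow, peer_address: str, proposed: str) -> bool:
    """Is the selector the peer proposes for its own side covered by this row?"""
    net = parse_network(proposed)
    if net is None:
        return False
    peer_host = ipaddress.ip_network(f"{peer_address}/32")
    if row.remote_type == NETWORK:
        return net == ipaddress.ip_network(row.remote_network)
    if row.remote_type == NETWORK_SUBSET:
        # The whole network or any part of it, down to a single host.
        return net.subnet_of(ipaddress.ip_network(row.remote_network))
    if row.remote_type == REMOTE_SIDE:
        # The peer itself, so it must have a public, un-NATed address.
        return net == peer_host
    if row.remote_type == ANY_PRIVATE:
        # NATed road warrior: it proposes its private inner address, not peer_address.
        return _single_private_host(net)
    if row.remote_type == REMOTE_OR_PRIVATE:
        return net == peer_host or _single_private_host(net)
    raise ValueError(f"unknown remote address type {row.remote_type!r}")


def tunnel_allowed(rows, peer, local_side_address, peer_address, local_ts, remote_ts) -> bool:
    """True if some row for `peer` accepts the proposed (local, remote) selector pair."""
    return any(row.peer == peer
               and local_selector_allowed(row, local_side_address, local_ts)
               and remote_selector_allowed(row, peer_address, remote_ts)
               for row in rows)


def missing_sip_rows(rows, peer):
    """Remote networks of `peer` that lack the Local side address row SIP needs."""
    remotes = {(r.remote_type, r.remote_network) for r in rows if r.peer == peer}
    covered = {(r.remote_type, r.remote_network) for r in rows
               if r.peer == peer and r.local_type == LOCAL_SIDE}
    return sorted(remotes - covered, key=str)


# Constructed sample rows (not a real configuration).
EXAMPLE_ROWS = [
    TunnelRow("office", NETWORK, "192.168.1.0/24", NETWORK, "10.0.0.0/23"),
    TunnelRow("office", LOCAL_SIDE, None, NETWORK, "10.0.0.0/23"),          # the SIP row
    TunnelRow("branch", NETWORK, "192.168.1.0/255.255.255.0", NETWORK_SUBSET, "172.16.0.0/12"),
    TunnelRow("roadwarrior", LOCAL_SIDE, None, REMOTE_OR_PRIVATE, None),
]

if __name__ == "__main__":
    print(tunnel_allowed(EXAMPLE_ROWS, "office", "203.0.113.1", "198.51.100.2",
                         "192.168.1.0/24", "10.0.0.0/23"))   # exact match
    print(tunnel_allowed(EXAMPLE_ROWS, "office", "203.0.113.1", "198.51.100.2",
                         "192.168.1.0/24", "10.0.1.0/24"))   # subset, not allowed
    print(missing_sip_rows(EXAMPLE_ROWS, "branch"))          # branch lacks the SIP row
```

The peer_address argument is the address the IKE negotiation arrives from; for a NATed client that is the NAT device's public address, which is why the Remote side address type cannot match such a client and Any private address looks at the proposed selector instead.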

IPsec key lifetime

The time interval between IPsec key expirations, after which new keys are negotiated. This field can be empty. Recommended values are 5 minutes for road warriors and 8 hours for networks with fixed IP addresses. Moderately short lifetimes are normally used for road warriors, since a failed renegotiation lets the firewall detect a broken connection sooner. Every expiry costs a renegotiation, however, so if you have many road warriors (a hundred or more), the key lifetime should be increased.

The time interval must be the same on both ends of the IPsec tunnel.

Encryption

Select whether to encrypt the data traffic through the IPsec tunnel. The recommended action is to encrypt the traffic. If you select not to encrypt, the data packets are still encapsulated in the ESP protocol, but their contents are sent in clear text and can be read by anyone on the path. The key negotiations are encrypted regardless of what is selected here.

Select AES/3DES to encrypt the data traffic, and NULL for no encryption. Where the peer supports it, AES is preferable: 3DES is a legacy algorithm with a 64-bit block size and is considerably slower.

Delete row

If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows

Enter the number of new groups and rows you want to add to the table, and then click on Add new rows.

IPsec networks

If you selected Network anywhere above, you have to define the networks here. These networks are what the firewall negotiates with the peer (the traffic selectors) when the IPsec connection is made.

Name

Give the network a name. The name could be anything, like Our office or 10.0.0.0/23. The name is only used internally in the firewall.

DNS name or network address

Enter the DNS name or network address for the network which will use the IPsec tunnel.

Network address

Shows the IP address of the DNS name or network address you entered in the previous field.

Netmask/bits

Netmask/bits is the netmask of this network, given either in dotted form (for example 255.255.254.0) or as a number of bits (for example 23). Together with the network address it defines which addresses belong to the network.

Delete row

If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows

Enter the number of new groups and rows you want to add to the table, and then click on Add new rows.

Save

Saves the IPsec Tunnels configuration to the preliminary configuration.

Undo

Clears and resets all fields in new rows and resets changes in old rows.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.