Site to site (Gateway-Gateway)

This tab allows a VPN tunnel to be created between two network devices that support IPsec. This type of tunnel is also called a gateway-to-gateway VPN tunnel.

Several tutorials show you step by step how to configure a secure connection between your sites. Click on one of the links to access a tutorial:

The Add button will be covered in the following section.

Search: Searches will be performed on the name of the object and its various properties, unless you have specified in the preferences of the application that you would like to restrict this search to object names only.
Delete: Select the IPsec VPN tunnel to be removed from the table and click on this button.
Move up: Places the selected line before the line just above it.
Move down: Places the selected line after the line just below it.
Cut: Cuts the selected line to paste it.
Copy: Copies the selected line to duplicate it.
Paste: Duplicates the selected line after it is copied.

Add

In order to configure the tunnel, select the VPN policy in which you wish to set it up. The IPsec VPN policy wizard will guide you through the configuration.

Site-to-site tunnel

Here, you will define each of the endpoints for your tunnel as well as for your peer.

Peer selection: This is the object that corresponds to the public IP address of the tunnel endpoint, or of the remote VPN peer. By default the drop-down list shows “None”. You can create peers in the following option or select an existing peer from the list.
Create an IKEv1 peer: Define the parameters for your peer. Several steps are necessary:

Selecting the gateway:

Remote gateway: select the object corresponding to the IP address of the tunnel endpoint from the drop-down list.
You can also add gateways using the button.
Name: you can specify a name for your gateway or keep the peer’s original name, which will be prefixed with “Site_” (“Site_<name of object>”).
Selecting None as a peer generates a policy without encryption. Its purpose is to create an exception to the encryption rules that follow it: traffic matching this rule is not encrypted and is handled by the routing policy instead.

Click on Next.

Identifying the peer:
Two choices are possible: identification by Certificate or by Pre-shared key (PSK). Select the desired option.
  1. If you have selected Certificate, you will need to select it from those you have previously created in the Certificates and PKI module.
    The certificate to enter here is the one presented by the firewall and not the one presented by the remote site. A certification authority can also be added.
  2. If you have selected Pre-shared key (PSK), you will need to define the secret that both peers of the IPsec VPN tunnel will share, in the form of a password to be confirmed in a second field.

You can enter the key in ASCII characters (every character in ASCII text is stored in a byte whose 8th bit is 0) by selecting the relevant option.
Unselect the option to view the key in hexadecimal characters (base 16: the digits 0 to 9 and the letters A to F).

NOTE
To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.
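The ASCII and hexadecimal entry modes described above are two views of the same key bytes, and a tunnel fails to authenticate when the two peers end up with different bytes (typically because one side typed the key as ASCII and the other pasted it as hexadecimal). The following script is an added example, not part of the Stormshield documentation: it converts between the two forms, checks that both peers hold the same key bytes, and applies an illustrative strength estimate. The length and entropy thresholds are assumptions for the example, not the rules from the User password management section.

```python
import math
import secrets
import string

# Added example, not part of the Stormshield documentation. It models the two
# ways the wizard lets a pre-shared key be entered: as ASCII text, where every
# character is stored in a byte whose 8th (most significant) bit is 0, or as
# hexadecimal, two digits per byte. What matters to IKE is the resulting byte
# string, which must be identical on both peers.

# Illustrative strength thresholds (assumption, not the rules from the
# "User password management" section): at least 20 characters and at least
# 80 bits of estimated entropy.
MIN_LENGTH = 20
MIN_ENTROPY_BITS = 80

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def is_seven_bit_ascii(key: str) -> bool:
    """True when every character fits in a byte whose 8th bit is 0."""
    return all(ord(ch) < 0x80 for ch in key)


def ascii_to_hex(key: str) -> str:
    """Show an ASCII key the way the wizard shows it once the ASCII option is unselected."""
    if not is_seven_bit_ascii(key):
        raise ValueError("key contains non-ASCII characters; enter it in hexadecimal")
    return key.encode("ascii").hex()


def psk_bytes(value: str, ascii_mode: bool) -> bytes:
    """Bytes the peer will actually use, depending on the entry mode selected."""
    if ascii_mode:
        if not is_seven_bit_ascii(value):
            raise ValueError("ASCII mode accepts 7-bit characters only")
        return value.encode("ascii")
    try:
        return bytes.fromhex(value)
    except ValueError as exc:
        raise ValueError("hexadecimal mode accepts digits 0-9 and letters A-F only") from exc


def peers_agree(local_value: str, local_ascii: bool,
                remote_value: str, remote_ascii: bool) -> bool:
    """True when both peers end up with the same key bytes."""
    return psk_bytes(local_value, local_ascii) == psk_bytes(remote_value, remote_ascii)


def psk_strength(key: str) -> dict:
    """Rough entropy estimate: length times log2 of the character pool used."""
    used = [cls for cls in CHARACTER_CLASSES if any(ch in cls for ch in key)]
    pool = sum(len(cls) for cls in used)
    bits = len(key) * math.log2(pool) if pool else 0.0
    return {
        "length": len(key),
        "classes": len(used),
        "entropy_bits": round(bits, 1),
        "acceptable": len(key) >= MIN_LENGTH and bits >= MIN_ENTROPY_BITS,
    }


def generate_psk(nbytes: int = 32) -> str:
    """Random key in hexadecimal form, suitable for pasting on both peers."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    key = "Correct-Horse-Battery-Staple-2024!"   # constructed sample key
    print(ascii_to_hex(key))
    print(psk_strength(key))
    print(peers_agree(key, True, ascii_to_hex(key), False))
```

Generating the key in hexadecimal with generate_psk and pasting the same string on both peers with the ASCII option unselected sidesteps the mode mismatch entirely, since there is then only one representation to copy.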


Click on Next.

Finish creating the peer:
The screen will show you a window summarizing the configuration that was made, the Parameters of the remote site and the Pre-shared key.
You can also add a backup peer by clicking on the link provided. You will need to define a remote gateway.


Click on Finish.

Create an IKEv2 peer: The steps are the same as the ones in creating an IKEv1 peer.
Local network: Host, host group, network or network group that will be accessible via the IPsec VPN tunnel.
Remote network: Host, host group, network or network group accessible through the IPsec tunnel with the peer.

Star configuration

This procedure consists of directing several VPN tunnels to a single point. It allows, for example, linking agencies to a central site.


Local network: Select the host, host group, network or network group that will be accessible via the IPsec VPN tunnel, from the drop-down list of objects.
Remote sites: Define the parameters for your remote sites: select your peer from the list of those already created or click on the icon to create a new one, then select the remote networks from the objects in the drop-down list.
You can Add or Delete peers by clicking on the relevant buttons.
Treat IPsec interfaces as internal interfaces (applies to all tunnels): If this option is selected, IPsec interfaces become internal (and therefore protected) interfaces.
All networks that are able to go through IPsec tunnels must therefore be legitimized, and static routes allowing them to be contacted must be specified. Otherwise, the firewall will reject the IPsec traffic.

IMPORTANT
When this checkbox is selected, the option will apply to all IPsec tunnels defined on the firewall.
If you have selected this option by mistake in the IPsec VPN tunnel installation wizard, it can be disabled by unselecting Treat IPsec interfaces as internal interfaces (applies to all tunnels - remote networks must be explicitly legitimized) found in the Advanced properties panel in the Application protection > Inspection profiles module.

Create policies without encryption (none) for internal networks: This option automatically generates policies without encryption (none) dedicated to internal networks (Network_internals to Network_internals). If the policy already exists, a warning message will appear indicating that these policies have already been created.

Click on Finish.

Separator – rule grouping

This option inserts a separator above the selected line, allowing the administrator to organize tunnels into a hierarchy as needed.

The table

Line: This column indicates the number of the line processed in order of appearance on the screen.
Status: This column shows the status On/Off of the tunnel. When you create tunnels, they are active by default. Click twice to disable them.
To ease the configuration of the tunnel with a remote device (gateway or mobile client), click on this icon to view information on the IPsec policy:
  • Tunnel endpoints: local object / remote object
  • Traffic endpoints: local object / destination object
  • Authentication: Mode / Type / Certificate / Pre-shared key
  • Encryption profiles (phase 1 & 2): algorithms, Diffie-Hellman group, lifetime

This information can be selected, and can therefore be copied.

Local network: Select the host, host group, network or network group that will be accessible via the IPsec VPN tunnel, from the drop-down list of objects.
Peer: Configuration of the peer, which can be viewed in the tab of the same name in the IPsec VPN module.
Remote network: Select from the drop-down list of objects the host, host group, network or network group accessible through the IPsec tunnel with the peer.
Encryption profile: This option allows selecting the protection model associated with your VPN policy from 3 preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the Encryption profiles tab.
Comments: Description given of the VPN policy.

The additional Keepalive option makes it possible to keep established tunnels up artificially. This mechanism periodically sends packets that trigger tunnel negotiation and so force the tunnel to stay up. This option is disabled by default to avoid wasting resources, especially in a configuration containing many tunnels that would otherwise be set up at the same time without any real need for them.

This option is only valid for site-to-site tunnels. It can be enabled by selecting the value Keepalive in the Columns menu, which appears when you move the mouse over the header of the columns in the table.

Keep alive: To enable this option, assign a value other than 0, corresponding to the interval in seconds between each UDP packet sent.

Checking the policy in real time

The window for editing IPsec policy rules has a “Check policy” field (located below the table), which warns the administrator whenever there are inconsistencies or errors in the rules created.
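The checks below are an added example, not Stormshield code and not the firewall's own "Check policy" logic: a small model of the policy table that walks the rules top to bottom and reports the kinds of inconsistency an administrator wants flagged. It assumes first-match evaluation in table order (which is what Move up and Move down adjust), so it catches a rule that a higher rule already covers, including a "None" exception placed below the encrypted rule it was meant to except, as well as a remote network with no static route when IPsec interfaces are treated as internal. The object names, addresses and routes are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Added example, not Stormshield code: a small model of the site-to-site policy
# table used to spot the kinds of inconsistency the "Check policy" field warns
# about. It assumes rules are evaluated in table order and the first match wins
# (which is why Move up / Move down exist). Object names and addresses below
# are constructed for the example.
OBJECTS = {
    "Network_internals": ["10.1.0.0/16", "192.168.0.0/16"],
    "Network_HQ": ["10.1.0.0/16"],
    "Network_Paris": ["10.2.0.0/16"],
    "Network_Lyon": ["10.3.0.0/16"],
    "Network_HQ_lab": ["10.1.10.0/24"],
    "Network_Paris_DMZ": ["10.2.20.0/24"],
    "Host_Lyon_app": ["10.3.5.7/32"],
}


@dataclass
class Rule:
    line: int
    local: str            # local network object
    remote: str           # remote network object
    peer: Optional[str]   # None = "none" policy: traffic left to the routing policy
    status: str = "On"
    profile: str = "StrongEncryption"
    keepalive: int = 0    # seconds between keepalive packets, 0 = disabled


def resolve(name):
    """Expand an object (host, network or group) into its networks."""
    return [ip_network(n) for n in OBJECTS[name]]


def covers(outer, inner):
    """True when every network in `inner` lies inside some network in `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def overlaps(a, b):
    return any(x.overlaps(y) for x in a for y in b)


def check_policy(rules, ipsec_internal=False, static_routes=()):
    """Return warnings for a policy table, walking it top to bottom."""
    routes = [ip_network(n) for n in static_routes]
    findings = []
    active = [r for r in rules if r.status == "On"]
    for i, later in enumerate(active):
        loc, rem = resolve(later.local), resolve(later.remote)
        for earlier in active[:i]:
            e_loc, e_rem = resolve(earlier.local), resolve(earlier.remote)
            if covers(e_loc, loc) and covers(e_rem, rem):
                msg = f"line {later.line}: never matched, line {earlier.line} already covers this traffic"
                if later.peer is None:
                    msg += " (move the 'none' exception above the encrypted rule)"
                findings.append(msg)
            elif overlaps(e_loc, loc) and overlaps(e_rem, rem) and earlier.peer != later.peer:
                findings.append(
                    f"line {later.line}: partly overlaps line {earlier.line}, "
                    f"which sends that traffic to peer {earlier.peer}"
                )
        # With IPsec interfaces treated as internal, every remote network must
        # be reachable through an explicit static route or its traffic is rejected.
        if ipsec_internal and later.peer is not None and not covers(routes, rem):
            findings.append(
                f"line {later.line}: IPsec interfaces are internal but no static route reaches {later.remote}"
            )
    return findings


# Constructed sample table: one "none" rule for internal traffic, two encrypted
# site-to-site rules, one redundant rule, one misplaced exception, one disabled rule.
SAMPLE_RULES = [
    Rule(1, "Network_internals", "Network_internals", None),
    Rule(2, "Network_HQ", "Network_Paris", "Site_Paris", keepalive=30),
    Rule(3, "Network_HQ", "Network_Lyon", "Site_Lyon"),
    Rule(4, "Network_HQ_lab", "Network_Paris_DMZ", "Site_Paris"),   # already covered by line 2
    Rule(5, "Network_HQ", "Host_Lyon_app", None),                   # exception placed below line 3
    Rule(6, "Network_HQ", "Network_Paris", "Site_Paris", status="Off"),
]
SAMPLE_ROUTES = ["10.2.0.0/16"]  # constructed: no route towards Network_Lyon


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_RULES, ipsec_internal=True, static_routes=SAMPLE_ROUTES):
        print(finding)
```

Run against the sample table with IPsec interfaces treated as internal, the model reports three problems: line 3 has no static route to Network_Lyon, line 4 is never reached because line 2 already covers its traffic, and the "None" exception on line 5 sits below the encrypted rule for Network_Lyon and so never applies. Moving line 5 above line 3 and adding the missing route clears all three.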