Set Up an IPSec Tunnel (Tunnel Mode)

Set up an IPSec tunnel for authentication and encryption of data. Define proxy IDs for policy-based VPN peers and ensure successful IKE and IPSec negotiations.

Where Can I Use This? Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need? No license required; 10.1 and Later

The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses the tunnel.

IPSec tunnel mode is the default mode. IPSec tunnel mode creates a secure connection between two endpoints by encapsulating each packet in an additional IP header. This means that in tunnel mode IPSec wraps the original packet, encrypts it, adds a new IP header, and sends it to the other side of the VPN tunnel (the IPSec peer). Tunnel mode therefore provides better security because the entire original packet, including its original IP header, is encrypted. Tunnel mode is commonly used for site-to-site communications.

If you’re setting up the firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses, and ports) to permit interesting traffic through an IPSec tunnel. These rules are referenced during quick mode (IKE phase 2) negotiation and are exchanged as proxy IDs in the first or second message of that exchange. So, if you’re configuring the firewall to work with a policy-based VPN peer, you must define the proxy ID so that the settings on both peers are identical; otherwise the phase 2 negotiation fails. If no proxy ID is configured, the firewall (which supports route-based VPN) uses the default values source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0, and application: any; when these values are exchanged with a policy-based peer, the VPN connection fails to set up.
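The following is an added example, not code from the original page or from Palo Alto Networks, that models the phase 2 selector comparison described above. It assumes a policy-based peer accepts a proxy ID only when the selectors mirror exactly (our local network equals the peer's remote network, our remote equals the peer's local, and the protocol matches), and it uses constructed sample networks (10.1.0.0/16 and 10.2.0.0/16) to show why the route-based default of 0.0.0.0/0 is rejected while an explicitly configured proxy ID is accepted.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProxyID:
    """Traffic selector as exchanged in quick mode (IKE phase 2)."""
    local: str             # network behind this peer, in CIDR notation
    remote: str            # network behind the other peer, in CIDR notation
    protocol: str = "any"  # "any" or a specific protocol/port spec


# Defaults a route-based firewall sends when no proxy ID is configured (from the page).
ROUTE_BASED_DEFAULT = ProxyID("0.0.0.0/0", "0.0.0.0/0", "any")


def selectors_mirror(ours: ProxyID, theirs: ProxyID) -> bool:
    """A policy-based peer only accepts selectors that mirror its own ACL entry:
    our local == their remote, our remote == their local, same protocol.
    Network comparison is done on parsed prefixes so 10.1.0.0/16 and
    10.1.0.0/255.255.0.0 compare equal."""
    return (
        ip_network(ours.local) == ip_network(theirs.remote)
        and ip_network(ours.remote) == ip_network(theirs.local)
        and ours.protocol.lower() == theirs.protocol.lower()
    )


def negotiate_phase2(
    firewall_proxy_ids: List[ProxyID], peer_acl: List[ProxyID]
) -> Dict[str, List[ProxyID]]:
    """Simulate the selector exchange: each proxy ID offered by the firewall is
    accepted if some entry in the peer's ACL mirrors it, otherwise rejected.
    Returns which offered proxy IDs would bring up a phase 2 SA and which fail."""
    accepted: List[ProxyID] = []
    rejected: List[ProxyID] = []
    for offered in firewall_proxy_ids:
        if any(selectors_mirror(offered, entry) for entry in peer_acl):
            accepted.append(offered)
        else:
            rejected.append(offered)
    return {"accepted": accepted, "rejected": rejected}


def first_matching_entry(offered: ProxyID, peer_acl: List[ProxyID]) -> Optional[ProxyID]:
    """Helper for troubleshooting: which peer ACL entry (if any) matched."""
    for entry in peer_acl:
        if selectors_mirror(offered, entry):
            return entry
    return None


# Constructed sample: the policy-based peer's access-list permits its local
# 10.2.0.0/16 to talk to our 10.1.0.0/16 over any protocol.
PEER_ACL = [ProxyID(local="10.2.0.0/16", remote="10.1.0.0/16", protocol="any")]

# Constructed sample: proxy ID as it should be configured on the firewall,
# i.e. the mirror image of the peer's ACL entry.
CONFIGURED_PROXY_ID = ProxyID(local="10.1.0.0/16", remote="10.2.0.0/16", protocol="any")


if __name__ == "__main__":
    print("Without proxy ID:", negotiate_phase2([ROUTE_BASED_DEFAULT], PEER_ACL))
    print("With proxy ID:   ", negotiate_phase2([CONFIGURED_PROXY_ID], PEER_ACL))
```

When troubleshooting a phase 2 failure against a policy-based peer, compare the firewall's proxy ID with the peer's access-list entry in this mirrored form: the peer's source network must appear as the firewall's remote and vice versa, and both sides must agree on the protocol.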

To establish an IPSec tunnel successfully, both the IKE and the IPSec negotiations must succeed:

The IKE negotiation succeeds only when both VPN peers exchange compatible IKE parameters.

The IKE Phase 2 (IPSec) negotiation succeeds only when both VPN peers exchange compatible IPSec parameters.