Configuring IPsec interfaces (VTI)

The SMC server automatically displays the IPsec interfaces of your firewall in the Interfaces > IPsec interfaces (VTI) tab in the firewall's settings. You will then be able to configure them from a central point. The firewall must be running at least version 4.2.3.

The IPsec interfaces on firewalls can be used in route-based VPN topologies, and in the configuration of routes and policy-based routing filter rules.

For more information on IPsec interfaces, refer to Creating or modifying an IPsec interface (VTI) in the Stormshield Network user configuration manual and in the technical note IPsec virtual interfaces.

IPsec interfaces shown in SMC originate from three different sources and behavior may vary depending on whether the firewall's network configuration is managed by SMC or not:

The firewall belongs to a route-based VPN topology

SMC will automatically create the associated IPsec interfaces if SMC manages the firewall's network configuration.

The interfaces are classified by VPN topology in the grid. They can neither be modified nor deleted.

The See VPN configuration button makes it possible to go to the configuration panel of the VPN topology in question.

The IPsec interfaces were created on the firewall

SMC will retrieve them automatically during the migration from SMC version 3.3 to version 3.4, even if SMC does not manage the firewall's network configuration.

If SMC manages the firewall's network configuration, you can force the interfaces to be retrieved at any time, as explained in Configure network interfaces.

If they are used in a route-based VPN topology created from SMC, they will be associated with the topology in question in the grid of the IPsec interfaces (VTI) tab.

If the network configuration is managed by SMC from version 3.4 onwards, we recommend that you no longer create IPsec interfaces directly on firewalls, as they will be overwritten the next time the configuration is deployed.

IPsec interfaces were created manually from SMC

This can be done only if SMC manages the firewall's network configuration, from SMC version 3.4 onwards.

You can modify or delete IPsec interfaces only for firewalls for which SMC manages the network configuration, and if they do not belong to a route-based VPN topology.

As for IPsec interfaces used in route-based VPN topologies, some changes made in a topology may have an impact on the configuration of IPsec interfaces. In this case, the impact will immediately be replicated on the IPsec interfaces of firewalls for which SMC manages the network configuration.

As for firewalls with network configurations that SMC does not manage, changes made in a topology have the following consequences:

  • If a topology is deleted, the associated IPsec interfaces will not be automatically deleted,

  • If you change the name of a topology or a peer, the comment associated with the IPsec interface and shown in the IPsec interfaces (VTI) tab will not be automatically updated,

  • If you change the VTI network pool of the topology, IP addresses of IPsec interfaces will be modified, and you must replicate the change manually on SNS firewalls.