The table

Line This column indicates the number of the line processed in order of appearance on the screen.
Status This column shows the status / of the tunnel.
When a tunnel is created, it is enabled by default. Click twice to disable it.
Name A name can be given to this IPsec rule so that it will be easier to look for events that involve this rule in logs.  
Local network Select the host, host group, address range, network or network group that will be accessible via the IPsec VPN tunnel, from the drop-down list of objects.
Peer Configuration of the peer, which can be viewed in the tab of the same name in the IPsec VPN module.
Remote network Select from the drop-down list of objects, the host, host group, address range, network or network group accessible through the IPsec tunnel with the peer.

When creating a new mobile IPsec VPN policy via the wizard, you will be asked to enter details about the local network, and not the remote network, since the IP address is unknown. The object “Any” will therefore be selected by default.

Domain name This option makes it possible to specify the domain (LDAP directory) on which the mobile peer must be authenticated. The same user can therefore simultaneously set up several IPsec VPN tunnels and access separate resources by authenticating on several directories.  
Group This option makes it possible to specify the user’s group on the authentication domain.
The same user can therefore simultaneously set up several IPsec VPN tunnels by authenticating on one or several directories, and accessing separate resources by obtaining the specific privileges for the group in question.
The Domain name must be specified for this option.

This option makes it possible to restrict the setup of IPsec tunnels to traffic based on specific protocols:

  • TCP
  • UDP
  • ICMP
  • GRE
  • All
Encryption profile This option makes it possible to select the protection model associated with your VPN policy, from three preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles.
Config mode This column makes it possible to enable “Config mode”, which is disabled by default. This allows the traffic endpoint IP address to be distributed to the peer.
  1. If you choose to enable this mode, you will need to select an object other than “Any” as the remote network.
  2. With config mode, only one policy can be applied per profile.

The Edit Config mode button allows you to enter the parameters of the IPsec Config mode:
  • DNS server used: this field determines the host (DNS server) that will be used by mobile clients, for DNS resolutions. You can select it or create it in the object database. This field is empty by default.
  • Domains used in Config mode: the client will use the DNS server selected earlier, only for domains specified in this table. For other domains, the client will continue to use its DNS server(s). Therefore generally internal domain names are involved.

In the case of the domain "", if an iPhone attempts to connect to "" or "" it will use the DNS server specified above. However, if it attempts to contact "", it will continue to use its older DNS servers.

Comments Description given of the VPN policy.
Keep alive

The additional Keepalive option makes it possible to artificially maintain mounted tunnels. This mechanism sends packets that initialize the tunnel and force it to be maintained. This option is disabled by default to avoid wasting resources, especially in the case of a configuration containing many tunnels set up at the same time without any real need for them.

To enable this option, assign a value other than 0, corresponding to the interval in seconds, between each UDP packet sent.


You can only use and create a single mobile (roadwarrior) configuration per IPsec profile. Peers can be applied to all profiles. As a result, only one authentication type can be used at a time for the mobile configuration.

Checking the policy in real time

The window for editing IPsec policy rules has a “Check policy” field (located below the table), which warns the administrator whenever there are inconsistencies or errors in the rules created.