|Line||This column indicates the number of the line processed in order of appearance on the screen.|
|Status||This column shows the status / of the tunnel.
When a tunnel is created, it is enabled by default. Click twice to disable it.
|Name||A name can be given to this IPsec rule so that it will be easier to look for events that involve this rule in logs.|
|Local network||Select the host, host group, address range, network or network group that will be accessible via the IPsec VPN tunnel, from the drop-down list of objects.|
|Peer||Configuration of the peer, which can be viewed in the tab of the same name in the IPsec VPN module.|
|Remote network||Select from the drop-down list of objects, the host, host group, address range, network or network group accessible through the IPsec tunnel with the peer.
|Domain name||This option makes it possible to specify the domain (LDAP directory) on which the mobile peer must be authenticated. The same user can therefore simultaneously set up several IPsec VPN tunnels and access separate resources by authenticating on several directories.|
|Group||This option makes it possible to specify the user’s group on the authentication domain.
The same user can therefore simultaneously set up several IPsec VPN tunnels by authenticating on one or several directories, and accessing separate resources by obtaining the specific privileges for the group in question.
The Domain name must be specified for this option.
This option makes it possible to restrict the setup of IPsec tunnels to traffic based on specific protocols:
|Encryption profile||This option makes it possible to select the protection model associated with your VPN policy, from three preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles.|
|Config mode||This column makes it possible to enable “Config mode”, which is disabled by default. This allows the traffic endpoint IP address to be distributed to the peer.
The Edit Config mode button allows you to enter the parameters of the IPsec Config mode:
|Comments||Description given of the VPN policy.|
The additional Keepalive option makes it possible to artificially maintain mounted tunnels. This mechanism sends packets that initialize the tunnel and force it to be maintained. This option is disabled by default to avoid wasting resources, especially in the case of a configuration containing many tunnels set up at the same time without any real need for them.
You can only use and create a single mobile (roadwarrior) configuration per IPsec profile. Peers can be applied to all profiles. As a result, only one authentication type can be used at a time for the mobile configuration.
Checking the policy in real time
The window for editing IPsec policy rules has a “Check policy” field (located below the table), which warns the administrator whenever there are inconsistencies or errors in the rules created.