Site to site (Gateway-Gateway)

This tab will allow a VPN tunnel to be created between two network devices that support IPsec. This procedure is also called: Gateway to Gateway VPN tunnel.

Several tutorials show you step by step how to configure a secure connection between your sites. Click on one of the links to access a tutorial:

Search Searches will be performed on the name of the object and its various properties, unless you have specified in the preferences of the application that you would like to restrict this search to object names only.
Add The Add button will be covered in the following section.
Delete Select the IPsec VPN tunnel to be removed from the table and click on this button.
Move up Places the selected line before the line just above it.
Move down Places the selected line after the line just below it.
Cut Cuts the selected line to paste it.
Copy Copies the selected line to duplicate it.
Paste Duplicates the selected line after it is copied.
Show details To ease the configuration of the tunnel with a remote device (gateway or mobile client), click on this icon to view information on the IPsec policy:
  • Summary: rule type, IKE version, peer, remote gateway, traffic endpoints (local network, remote network).
  • Authentication: Mode/Type (Certificate/Pre-shared key)
  • Encryption profiles (phase 1 & 2): algorithms, Diffie-Hellman group, lifetime

Search in logs When a name is assigned to the IPsec rule, clicking on this button will run a search by the name of the rule in the IPsec VPN log and show the results.
Search in monitoring Clicking on this button will open the screen to monitor IPsec tunnels (Monitoring tab > Monitoring module > IPsec VPN tunnels).

Right-clicking anywhere in the grid will display a pop-up menu offering the following actions:

  • Add,
  • Copy,
  • Cut,
  • Paste,
  • Show details
  • Delete,
  • Search in logs,
  • Search in monitoring.


In order to configure the tunnel, select the VPN policy in which you wish to set it up. The IPsec VPN policy wizard will guide you through the configuration.

Standard site-to-site tunnel

Here, you will define each of the endpoints for your tunnel as well as for your peer.

Local resources Host, host group, network or network group that will be accessible via the IPsec VPN tunnel.
Peer selection This is the object that corresponds to the public IP address of the tunnel endpoint, or of the remote VPN peer. By default the drop-down list shows “None”. You can create peers in the following option or select an existing peer from the list.
Create a peer Define the parameters for your peer. Several steps are necessary:

Step 1: Select the gateway.
  1. Remote gateway: select the object corresponding to the IP address of the tunnel endpoint from the drop-down list.
    You can also add gateways using the button .
  2. Name: you can specify a name for your gateway or keep the peer’s original name, which will be prefixed with “Site_” (“Site_<name of object>“).
    Selecting None as a peer allows generating policies without encryption. The aim is to create an exception to the following rules of the encryption policy. Traffic matching this rule will be managed by the routing policy.
  3. IKE version: select IKEv1 or IKEv2, depending on the version of the IKE protocol that the peer uses.
  4. Click on Next.

Step 2: Identify the peer.
Two choices are possible:
  • Certificate
  • Pre-shared Key (PSK):
  1. Select the desired option.
  2. If you have selected Certificate, you will need to select it from those you have previously created in the Certificates and PKI module.
    The certificate to enter here is the one presented by the firewall and not the one presented by the remote site. A certification authority can also be added.
  3. If you have selected Pre-shared key (PSK), you will need to define the secret that both peers of the IPsec VPN tunnel will share, in the form of a password to be confirmed in a second field.
    You can Enter the key in ASCII characters (every character in ASCII text is stored in a byte whose 8th is 0) by selecting the relevant option.
    Unselect the option to view the key in hexadecimal characters (which is based on 16 digits: the letters A to F and numbers 0 to 9).

To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

  1. Click on Next.
    The screen will show you a window summarizing the configuration that was made, the Parameters of the remote site and the Pre-shared key.
    You can also add a backup peer by clicking on the link provided. You will need to define a remote gateway.
  2. Click on Finish.
Remote networks Host, host group, network or network group accessible through the IPsec tunnel with the peer.

Separator (rule grouping)

This option allows inserting a separator above the selected line. This allows the administrator to create a hierarchy for his tunnels according to his needs.