Gateway peer information
Select a peer from the list to display information about it.
Comments | Description given of the local peer. |
Remote gateway | Object selected to represent the remote IP address during the creation of the peer via the wizard. |
Local address | External interface presented to set up the tunnel with the peer shown. |
IKE profile | This option offers three preconfigured profiles as the protection model associated with Phase 1 of your VPN policy: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles. |
IKE version | This option allows selecting the version of the IKE protocol (IKEv1 or IKEv2) that the peer uses. |
Identification
Authentication method | This field will show the authentication method selected during the creation of your peer via the wizard. You may modify your choice by selecting another method from the drop-down list. NOTE |
Certificate |
If you have chosen certificate-based authentication, this field will display the certificate to display to the peer to set up the IPsec tunnel. The icon indicates certificates with a TPM-protected private key. For more information on the TPM, see the section Trusted Platform Module. If you had opted for the pre-shared key method, this field will not appear. |
Local ID (Optional) | This field represents an IPsec VPN tunnel endpoint, and shares the “secret” or the PSK with the “Peer ID”, the other endpoint. You are represented by the “Local ID”. This identifier must be in the form of an IP address, a domain name (FQDN: Full Qualified Domain Name) or an e-mail address (user@fqdn). |
Peer ID (Optional) | This field represents an IPsec VPN tunnel endpoint, and shares the “secret” or the PSK with the “Local ID”, the other endpoint. The “Peer ID” represents your peer. The format is the same as the previous field. |
Pre-shared key (ASCII) | In this field your PSK appears in the format you had selected earlier when creating the peer via the wizard: ASCII or hexadecimal characters (the format can be selected in the checkboxes below the field if you wish to change formats). |
Edit | This button makes it possible to directly edit the pre-shared key that was used to set up the IPsec tunnel with this peer. |
Advanced properties
Do not initiate the tunnel (Responder only) | If this option is selected, the IPsec server will be put on standby. It won't initiate tunnel negotiation. This option is used in the case where the peer is a mobile host. |
IKE fragmentation | With this checkbox, IKE fragmentation can be enabled when IKE packets exceed the standard packet size configured on the firewall. |
DPD | This field makes it possible to configure the DPD (Dead Peer Detection) feature on VPNs, which checks whether a peer is still operational. When DPD is enabled on a peer, requests (R U there) are sent to test the availability of the other peer , which will need to acknowledge the requests in order to confirm its availability (R U there ACK). These exchanges are secured via ISAKMP (Internet Security Association and Key Management Protocol) SAs (Security Associations). If it is detected that a peer is no longer responding, the negotiated SAs will be destroyed. IMPORTANT Four choices are available for configuring DPD:
The value delay defines the period after a response is received before the next request is sent. The value retry defines the time to wait for a response before sending the request again. The value maxfail is the number of requests sent without receiving responses before the peer is considered absent. |
DSCP | In this field, you can specify the value of the DSCP field assigned to IKE network packets sent to this peer. Select one of the proposed values or specify a customized DSCP field (integer between 0 and 63 inclusive). |
Encapsulate ESP traffic in UDP | This field appears only when DR mode compatibility is enabled. In this field, ESP traffic encapsulation can be enabled/disabled in UDP for each peer to comply with ANSSI recommendations. |
NOTE
For every field that contains “Gateway” and the icon , you can add an object to the existing database by specifying its name, DNS resolution, IP address and then clicking on Apply.