IPsec VPN tunnels
This module allows you to view tunnels in active IPsec policies on the firewall (tunnels that have been defined using the native IPsec interface or virtual IPsec interfaces).
Possible actions
| Refresh | This button allows data displayed in the table to be refreshed. |
| Configure the IPsec VPN service | This link makes it possible to go directly to the configuration of the IPsec VPN service (Configuration > VPN > IPsec VPN module). |
"Policies" table
Data shown in the “Policies" table is classified by policy type:
- Site-to-site tunnels,
- Mobile tunnels,
- Exception policies (bypass).
The following information is given:
| Type | This is the type of IPsec policy: site-to-site tunnels, mobile tunnels and exception policies (bypass). |
| Status | A green LED with an “OK” caption, or red LED with a “KO” option, indicates the status of the tunnels in the policy concerned. |
| Rule name | Name given to the IPsec rule (rule editing window > General settings > Advanced properties > Name). |
| Source | Name of the object corresponding to the local network |
| Source address | Host network that initiated the traffic going through the selected IPsec tunnel (traffic endpoint). |
| Mask | Network mask associated with the source address. |
| Local gateway | Name of the object corresponding to the local IPsec gateway (local tunnel endpoint). |
| Local gateway IP address | IP address that the local firewall presents to set up the tunnel. |
| Local ID | Local ID (optional) specified when the peer was created. If nothing was specified, this refers to the IP address of the local gateway. |
| Remote gateway | Name of the object corresponding to the remote IPsec gateway (remote tunnel endpoint). |
| Remote gateway IP address | IP address that the remote firewall presents to set up the tunnel with the local firewall. |
| Peer | Name of the peer that was used to set up the tunnel. |
| Peer ID | ID (optional) assigned to the peer. If nothing was specified, this refers to the IP address of the remote gateway. |
| Remote traffic endpoint | Name of the object corresponding to network of the remote host with which traffic is exchanged in the tunnel. |
| Remote address | Network of remote hosts that communicate through the selected tunnel (traffic endpoint). |
| Remote network mask | Network mask associated with the remote address. |
| Policy |
Type of IPsec policy. This field contains two possible values::
|
| Encapsulation | Protocol used to encapsulate data in the tunnel. |
| IKE version | Version (1 or 2) of the IKE protocol that was used to set up the tunnel. |
| Lifetime | Maximum lifetime of the tunnel before keys are renegotiated. |
Right-click menu
Right-clicking on the fields Type, Status, Rule name, Source network mask, Local ID, Peer, Peer ID, Remote network mask, Policy type, Encapsulation, IKE version or Lifetime opens the following right-click menus:
- Go to the logs of this IPsec policy,
- Copy the selected line to the clipboard,
- Go to the configuration of this IPsec policy,
- Go to this peer’s configuration.
Right-clicking on the fields Local gateway, IP address of the local gateway, Remote gateway or IP address of the remote gateway opens the following right-click menus:
- Search for this value in the "All logs" view,
- Show host details,
- Blacklist this object (for 1 minute, 5 minutes, 30 minutes or 3 hours),
- Go to the logs of this IPsec policy,
- Copy the selected line to the clipboard,
- Go to the configuration of this IPsec policy,
- Go to this peer’s configuration.
Right-clicking on the fields Source, Source address, Remote traffic endpoint or Remote address opens the following right-click menus:
- Search for this value in the "All logs" view,
- Show host details,
- Blacklist this object (for 1 minute, 5 minutes, 30 minutes or 3 hours),
- Go to the logs of this IPsec policy,
- Copy the selected line to the clipboard,
- Add the host to the objects base and/or add it to a group,
- Go to the configuration of this IPsec policy,
- Go to this peer’s configuration.
Additional information about a tunnel
Selecting the line of a tunnel displays additional details in the following tables:
- IKE Security Associations (SA),
- IPsec Security Associations (SA).
“IKE Security Associations (SA)” table
| Rule name | Name (optional) given to the IPsec VPN rule that corresponds to the tunnel. Reminder: this name makes it possible to search for events relating to the tunnel in IPsec logs. |
| IKE | Indicates the version of the IKE protocol for the tunnel in question. |
| Local gateway | Name of the object corresponding to the local gateway (local tunnel endpoint). |
| Local gateway address | IP address that the local gateway presents to set up the IPsec tunnel in question. |
| Remote gateway | Name of the object corresponding to the remote gateway (remote tunnel endpoint). |
| Remote gateway address | IP address that the remote gateway presents to set up the IPsec tunnel in question. |
| Status | Indicates the state of the IKE SA, e.g., established. |
| Role | Role of the local gateway in setting up the tunnel (initiator or responder). |
| Initiator cookie | Temporary identity marker of the initiator of the negotiation. Example: "0xae34785945ae3cbf". |
| Receptor cookie | Temporary identity marker of the peer of the negotiation. Example: "0x56201508549a6526". |
| Local ID | Local ID (optional) specified when the peer was created. If nothing was specified, this refers to the IP address of the local gateway. |
| Peer ID | ID (optional) assigned to the peer. If nothing was specified, this refers to the IP address of the remote gateway. |
| NAT-T | Indicates whether NAT-T (NAT Traversal - passing the IPsec protocol through a network that performs dynamic address translation) is enabled for this tunnel. |
| Authentication | Authentication algorithm used for the IKE phase of the tunnel. |
| Encryption | Encryption algorithm used for the IKE phase of the tunnel. |
| PRF | PseudoRandom Function negotiated and used for key derivation. |
| DH | Diffie-Hellman profile used for the tunnel. |
| Lifetime | Lifetime of the IKE SA (Security Association) lapsed for the tunnel in question. |
“IPsec Security Associations (SA)” table
| Status | Indicates the state of the IPsec SA, e.g., installed/rekeying. |
| Local gateway | Name of the object corresponding to the local gateway (local tunnel endpoint). |
| Remote gateway | Name of the object corresponding to the remote gateway (remote tunnel endpoint). |
| Bytes in | Amount of data (in bytes) that passed through the tunnel to the local traffic endpoint. |
| Bytes out | Amount of data (in bytes) that passed through the tunnel to the remote traffic endpoint. |
| Encryption | Encryption algorithm used for the IPsec phase of the tunnel. |
| Authentication | Authentication algorithm used for the IPsec phase of the tunnel. |
| Lifetime lapsed | Lifetime of the IPsec SA lapsed for the tunnel in question. |
| ESN |
Indicates whether the ESN (Extended Sequence Number) option is enabled. This option is only available for IKEv2. |
| UDP encapsulation |
Indicates whether UDP encapsulation of ESP packets is enabled. This encapsulation is automatically forced when DR mode is enabled (Configuration > System > Configuration > General configuration tab > Enable “ANSSI Diffusion Restreinte (DR)” mode).
|
For more details on these commands, refer to the