IPsec VPN tunnels

This module allows you to view tunnels in active IPsec policies on the firewall (tunnels that have been defined using the native IPsec interface or virtual IPsec interfaces).

Possible actions

Refresh This button allows data displayed in the table to be refreshed.
Configure the IPsec VPN service This link makes it possible to go directly to the configuration of the IPsec VPN service (Configuration > VPN > IPsec VPN module).

"Policies" grid

Data shown in the “Policies" table is classified by policy type:

  • Site-to-site tunnels,
  • Mobile tunnels,
  • Exception policies (bypass).

The following information is given:

Type This is the type of IPsec policy: site-to-site tunnels, mobile tunnels and exception policies (bypass).
Status A green LED with an “OK” caption, or red LED with a “KO” option, indicates the status of the tunnels in the policy concerned.
Rule name Name given to the IPsec rule (rule editing window > General settings > Advanced properties > Name).
Source Name of the object corresponding to the local network
Source address Host network that initiated the traffic going through the selected IPsec tunnel (traffic endpoint).
Mask Network mask associated with the source address.
Local gateway Name of the object corresponding to the local IPsec gateway (local tunnel endpoint).
Local gateway IP address IP address that the local firewall presents to set up the tunnel.
Local ID Local ID (optional) specified when the peer was created. If nothing was specified, this refers to the IP address of the local gateway.
Remote gateway Name of the object corresponding to the remote IPsec gateway (remote tunnel endpoint).
Remote gateway IP address IP address that the remote firewall presents to set up the tunnel with the local firewall.
Peer Name of the peer that was used to set up the tunnel.
Peer ID ID (optional) assigned to the peer. If nothing was specified, this refers to the IP address of the remote gateway.
Remote traffic endpoint Name of the object corresponding to network of the remote host with which traffic is exchanged in the tunnel.
Remote address Network of remote hosts that communicate through the selected tunnel (traffic endpoint).
Remote network mask Network mask associated with the remote address.
Policy

Type of IPsec policy. This field contains two possible values::

  • tunnel,
  • pass.
Encapsulation Protocol used to encapsulate data in the tunnel.
IKE version Version (1 or 2) of the IKE protocol that was used to set up the tunnel.
Lifetime Maximum lifetime of the tunnel before keys are renegotiated.
PPK protection

Indicates whether the PPK required option has been selected for this peer.
The possible values shown are:

  • Mandatory (option selected),
  • Not required (option not selected).

Right-click menu

Right-clicking on the fields Type, Status, Rule name, Source network mask, Local ID, Peer, Peer ID, Remote network mask, Policy type, Encapsulation, IKE version or Lifetime opens the following right-click menus:

  • Go to the logs of this IPsec policy,
  • Copy the selected line to the clipboard,
  • Go to the configuration of this IPsec policy,
  • Go to this peer’s configuration.

Right-clicking on the fields Local gateway, IP address of the local gateway, Remote gateway or IP address of the remote gateway opens the following right-click menus:

  • Search for this value in the "All logs" view,
  • Show host details,
  • Blacklist this object (for 1 minute, 5 minutes, 30 minutes or 3 hours),
  • Go to the logs of this IPsec policy,
  • Copy the selected line to the clipboard,
  • Go to the configuration of this IPsec policy,
  • Go to this peer’s configuration.

Right-clicking on the fields Source, Source address, Remote traffic endpoint or Remote address opens the following right-click menus:

  • Search for this value in the "All logs" view,
  • Show host details,
  • Blacklist this object (for 1 minute, 5 minutes, 30 minutes or 3 hours),
  • Go to the logs of this IPsec policy,
  • Copy the selected line to the clipboard,
  • Add the host to the objects base and/or add it to a group,
  • Go to the configuration of this IPsec policy,
  • Go to this peer’s configuration.

Additional information about a tunnel

Selecting the line of a tunnel displays additional details in the following tables:

  • IKE Security Associations (SA),
  • IPsec Security Associations (SA).

“IKE Security Associations (SA)” table

Rule name Name (optional) given to the IPsec VPN rule that corresponds to the tunnel.
Reminder: this name makes it possible to search for events relating to the tunnel in IPsec logs.
IKE Indicates the version of the IKE protocol for the tunnel in question.
Local gateway Name of the object corresponding to the local gateway (local tunnel endpoint).
Local gateway address IP address that the local gateway presents to set up the IPsec tunnel in question.
Remote gateway Name of the object corresponding to the remote gateway (remote tunnel endpoint).
Remote gateway address IP address that the remote gateway presents to set up the IPsec tunnel in question.
Status Indicates the state of the IKE SA, e.g., established.
Role Role of the local gateway in setting up the tunnel (initiator or responder).
Initiator cookie Temporary identity marker of the initiator of the negotiation.
Example: "0xae34785945ae3cbf".
Receiving cookie Temporary identity marker of the peer of the negotiation.
Example: "0x56201508549a6526".
Local ID Local ID (optional) specified when the peer was created. If nothing was specified, this refers to the IP address of the local gateway.
Peer ID ID (optional) assigned to the peer. If nothing was specified, this refers to the IP address of the remote gateway.
NAT-T Indicates whether NAT-T (NAT Traversal - passing the IPsec protocol through a network that performs dynamic address translation) is enabled for this tunnel.
Authentication Authentication algorithm used for the IKE phase of the tunnel.
Encryption Encryption algorithm used for the IKE phase of the tunnel.
PRF PseudoRandom Function negotiated and used for key derivation.
DH Diffie-Hellman profile used for the tunnel.
Lifetime Lifetime of the IKE SA (Security Association) lapsed for the tunnel in question.

“IPsec Security Associations (SA)” grid

Status Indicates the state of the IPsec SA, e.g., installed/rekeying.
Local gateway Name of the object corresponding to the local gateway (local tunnel endpoint).
Remote gateway Name of the object corresponding to the remote gateway (remote tunnel endpoint).
Bytes in Amount of data (in bytes) that passed through the tunnel to the local traffic endpoint.
Bytes out Amount of data (in bytes) that passed through the tunnel to the remote traffic endpoint.
Encryption Encryption algorithm used for the IPsec phase of the tunnel.
Authentication Authentication algorithm used for the IPsec phase of the tunnel.
Lifetime lapsed Lifetime of the IPsec SA lapsed for the tunnel in question.
ESN

Indicates whether the ESN (Extended Sequence Number) option is enabled.

This option is only available for IKEv2.
UDP encapsulation

Indicates whether UDP encapsulation of ESP packets is enabled.

This encapsulation is automatically forced when DR mode is enabled (Configuration > System > Configuration > General configuration tab > Enable “ANSSI Diffusion Restreinte (DR)” mode).
On firewalls that are not configured in DR mode, this option can be enabled with the token natt=<auto|force> in CLI/serverd commands CONFIG.IPSEC.PEER.NEW and CONFIG.IPSEC.PEER.UPDATE.

For more details on these commands, refer to the CLI SERVERD Commands Reference Guide.