The Tunnel Interface is created when a Policy of type Tunnel Interface is added for the remote gateway. The Tunnel Interface must be bound to a physical interface and the IP address of that physical interface is used as the source address of the tunneled packet.
|
1
|
Navigate to VPN>Settings>VPN Policies.
|
|
2
|
|
3
|
|
4
|
|
5
|
Configure the IKE (Phase 1) Proposal and IPSec (Phase 2) Proposal options for the tunnel negotiation.
|
|
6
|
Click the Advanced tab to configure the advanced properties for the Tunnel Interface. By default, Enable Keep Alive is enabled. This is to establish the tunnel with remote gateway proactively.
|
|
•
|
Disable IPsec Anti-Replay - Disables anti-replay, which is a form of partial sequence integrity that detects the arrival of duplicate IP datagrams (within a constrained window).
|
|
•
|
Allow Advanced Routing - Adds this Tunnel Interface to the list of interfaces in the Advanced Routing table on the Network > Routing page.
|
Making this an optional setting avoids adding all Tunnel Interfaces to the Advanced Routing table, which helps streamline the routing configuration. See Configuring Advanced Routing for Tunnel Interfaces for information on configuring RIP or OSPF advanced routing for the Tunnel Interface.
|
•
|
Enable Transport Mode - Forces the IPsec negotiation to use Transport mode instead of Tunnel Mode. This has been introduced for compatibility with Nortel. When this option is enabled on the local firewall, it MUST be enabled on the remote firewall as well for the negotiation to succeed.
|
|
•
|
Enable Windows Networking (NetBIOS) Broadcast - Allows access to remote network resources by browsing the Windows® Network Neighborhood.
|
|
•
|
Enable Multicast - Allows multicast traffic through the VPN tunnel.
|
|
•
|
Permit Acceleration - Enables redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance
|
|
•
|
Management via this SA - Allows remote users to log in to manage the firewall through the VPN tunnel. Select one or more: HTTPS, SSH, SNMP.
|
|
•
|
|
•
|
VPN Policy bound to - Sets the interface the Tunnel Interface is bound to. This is Interface X1 by default.
|
|
8
|
|
•
|
The Do not send trigger packet during IKE SA negotiation checkbox is not selected by default and should be selected only when required for interoperability if the peer cannot handle trigger packets.
|
The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it may be appropriate to disable the inclusion of Trigger Packets to some IKE peers.
|
•
|
Accept Hash & URL Certificate Type – The firewall sends an HTTP_CERT_LOOKUP_SUPPORTED message to the peer device. If the peer device replies by sending a “Hash and URL of X.509c” certificate, the firewall can authenticate and establish a tunnel between the two devices.
|
|
•
|
Send Hash & URL Certificate Type – The firewall, on receiving an HTTP_CERT_LOOKUP_SUPPORTED message, sends a "Hash and URL of X.509c” certificate to the requestor.
|
|
9
|
Click OK.
|
After you have successfully added a Tunnel Interface, you may then create a Static Route.
|
1
|
Navigate to Network>Routing>Route Policies.
|
|
2
|
|
3
|
Select a tunnel interface from the Interface drop-down menu, which lists all available tunnel interfaces.
|
|
NOTE: If the Auto-add Access Rule option is selected, firewall rules are automatically added and traffic is allowed between the configured networks using tunnel interface.
|
|
5
|
Click OK.
|
