This article collects some common questions regarding IPsec VPN.


Can I use IPsec on a server that uses DHCP to get its external address?

It is recommended use IPsec VPN on NG Firewalls configured with static IPs, as IPsec has no method of updating its tunnels' Listen Address automatically.

If you are not able to configure your NG Firewall with a static public IP address, you will need to reconfigure the tunnel whenever the site's external IP address actually changes. On some ISPs this is rare and servers will often have the same IP for months. On other ISPs IPs change daily.


Does IPsec tunnel traffic go through other NG Firewall applications (Web Filter, Application Control, and so on)?

IPsec VPN > IPsec Options has an option, "Bypass all IPsec traffic". By default, this option is disabled, meaning that any traffic coming to NG Firewall from an IPsec tunnel will be scanned by the applications. Enable this option to prevent IPsec traffic from being scanned.


What's the difference between tunnel and transport mode?

When using "tunnel" mode, you can think of the payload packet as being completely encased in another packet. In addition, IPsec can allow or deny packets access to the tunnel depending on policies. When using "transport" mode, communication is limited between two hosts. Only one IP header is present, with the rest of the packet being encrypted. Unless you have very specific needs, you'll most likely want to use "tunnel" mode.


Can I use dynamic routing over IPsec tunnels?

No. NG Firewall's dynamic routing implementation is basic and, unfortunately, cannot be configured to work across IPsec VPN tunnels. 


I have matching subnets at two sites. How can I set up NAT across the IPsec tunnel?

NG Firewall does not support NAT across VPN tunnels in this way. You will need to ensure that all subnets at both ends of the tunnel are distinct.


Can I enable full-tunnel IPsec tunnels?

No. If you need full-tunnel capability, we recommend using WireGuard VPN or OpenVPN.


Which IPsec ciphers does NG Firewall support?

A full list is available here: Which IPsec ciphers does NG Firewall support?


Can I set L2TP connections to split-tunnel?

No, the L2TP protocol itself is always full-tunnel. If you need split-tunnel VPN connectivity, we recommend using WireGuard VPN or OpenVPN.

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk