Creating an IPsec tunnel between NG Firewall appliances


This article will guide you through the settings necessary to establish an IPsec tunnel between two NG Firewall deployments.


Configuring the tunnel

To configure the tunnel, go to Apps > IPsec > IPsec Tunnels. Remove any default tunnels that may remain from the initial installation. Click Add to begin creating the tunnel.

In most cases, the default settings are best. 


Description:  This is where you enter a description for the tunnel. It can be anything you like; it is only there to provide you a "friendly name" for the tunnel.

Connection Type: Use Tunnel. 

IKE Version: If you are connecting only one subnet/interface on either side of the tunnel, use IKEv1. IKEv2 is used primarily when adding more than one local and/or remote network.

Connection Mode: 'Always Connected', the default choice, is best for an NGFW-to-NGFW connection.

Interface: Use this to choose which WAN interface you want the tunnel to use. This is useful if you have a lower-priority WAN (such as a backup or metered connection) which you do not want to use the tunnel.
The option 'Active WAN' will connect using any available WAN interface, enabling failover.

External IP: This is the external/public IP address of the NG Firewall. It is only configurable when you have set the Interface to "Custom".

Any Remote Host: When checked, this option enables incoming tunnel connections from any public IP address. If it is enabled, the next option (Remote Host) will not appear.

Remote Host: This is the WAN IP of the other side of the tunnel.

Local & Remote Identifier: Generally, leave these blank: they are only used if either side of the tunnel is behind a NAT.
For example, if the local NG Firewall is downstream of another router or firewall, you will enter that device's external IP into the Local Identifier field.

Full Tunnel Mode Negotiation: Leave unchecked.

Local Source IP Address: Leave unchecked and leave the field below blank.

Local Network: This is the local subnet that you would like to allow access to the tunnel. If the tunnel's IKE Version is set to IKEv2, you can list more than one subnet by separating each with a comma and no spaces.


Remote Source IP Address: Leave blank.

Remote Network: This is the remote subnet that you would like to allow access to the local side of the tunnel. 

Shared Secret: Please use a LONG password here with no special characters. Complexity is not as important as length.

DPD Interval: Dead Peer Detection is the tunnel's way of determining if the other side is up and responding. Default setting is best. 

DPD Timeout: This is how long before the tunnel is restarted if the other side of the tunnel is not responding. Default setting is best. 

Ping Address: Choose the IP of a device on the remote network that is reliable and configured to respond to ICMP requests. This is primarily used to create alerts for tunnel connectivity. 

Phase 1 & Phase 2: These should be left unchanged. 


 Here is an example of an IPsec config between two NG Firewalls:

Was this article helpful?
4 out of 6 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk