Creating an IPsec tunnel between NG Firewall appliances

When creating a site-to-site IPsec tunnel between two NG Firewall appliances, it is simplest to leave the custom Phase 1 and Phase 2 configurations set to the default (unchecked & unchanged).

To configure the tunnel, go to APPS > IPsec > IPsec Tunnels. Remove any default tunnels that may remain from the initial installation. Click ADD to begin creating the tunnel.


Description:  This is where you enter a description that best describes the tunnel. It can be anything you like.

Connection Type: Use Tunnel. 

IKE Version: If you are connecting only one subnet/interface on either side of the tunnel, use IKEv1. IKEv2 is used primarily when adding more than one local and/or remote network.

Connection Mode: 'Always Connected', the default choice, is best for an NGFW-to-NGFW connection.

Interface: Use this to choose which WAN interface you want the tunnel to use. The option 'Active WAN' will connect using any available WAN interface.

External IP: This is the WAN IP of the NG Firewall that you would like the tunnel to use. This will be grayed out if you selected a specific WAN interface rather than custom.

Remote Host: This is the WAN IP of the other side of the tunnel.

Local & Remote Identifier: These are only used if either side of the tunnel is behind a NAT.

Local Network: This is the local subnet that you would like to allow access to the tunnel. If the tunnel's IKE Version is set to IKEv2, you can list more than one subnet by separating each with a comma and no spaces.


Remote Network: This is the remote subnet that you would like to allow access to the local side of the tunnel. 

Shared Secret: Please use a LONG password here with no special characters. Complexity is not as important as length.

DPD Interval: Dead Peer Detection is the tunnel's way of determining if the other side is up and responding. Default setting is best. 

DPD Timeout: This is how long before the tunnel is restarted if the other side of the tunnel is not responding. Default setting is best. 

Ping Address: Choose the IP of a device on the remote network that is reliable and configured to respond to ICMP requests. This is primarily used to create alerts for tunnel connectivity. 

Ping Interval: Time between ICMP requests to the above address.

Phase 1 & Phase 2: These should be left unchanged. 


 Here is an example of an IPsec config between two NG Firewalls:



Was this article helpful?
4 out of 6 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk