3.71. IPsecTunnel

Description

An IPsecTunnel object defines an IPsec endpoint and appears as a logical interface in the system.

Properties

Name
Specifies a symbolic name for the interface. (Identifier)
LocalNetwork
The network on the local side of the IPsec tunnel. The IPsec tunnel will be established between this network and the remote network.
RemoteNetwork
The network connected to the remote gateway. The IPsec tunnel will be established between the local network and this network.
RemoteEndpoint
Specifies the IP address of the remote endpoint. This is the address the firewall will establish the IPsec tunnel to. It also dictates from where inbound IPsec tunnel negotiations are allowed, so leave it unset only for tunnels that must accept peers (such as roaming clients) from arbitrary addresses. (Optional)
ConfigMode
Use IKE config mode to assign unique IP addresses to connecting roaming clients, or to act as a config mode client and receive an address from the remote gateway. (Default: Off)
IKEConfigModePool
Pool of IP addresses handed out to connecting roaming clients via config mode. (Optional)
IP
Network object that will be assigned the IP address received when the tunnel is established (config mode client). Can be used as the address to NAT traffic into the tunnel. (Optional)
DNS
Network object that will be assigned the DNS server address received when the tunnel is established. Set only if a DNS server is assigned by the remote endpoint. (Optional)
IKEAlgorithms
Specifies the IKE Proposal list used with the tunnel. (Default: High)
IPsecAlgorithms
Specifies the IPsec Proposal list used with the tunnel. (Default: High)
IKELifeTimeSeconds
The lifetime of the IKE SA in seconds. Whenever it expires, a new phase-1 (IKE) exchange will be performed. (Default: 28800)
IPsecLifeTimeSeconds
The lifetime of the IPsec SA in seconds. Whenever it is exceeded, a re-key will be initiated, providing new IPsec encryption and authentication session keys. (Default: 3600)
IPsecLifeTimeKilobytes
The lifetime of the IPsec SA in kilobytes of traffic, after which a re-key is initiated. (Default: 0)
EncapsulationMode
Tunnel or Transport. Transport mode is only used for L2TP/IPsec. (Default: Tunnel)
AuthMethod
Certificate or Pre-shared key. (Default: PSK)
PSK
Selects the Pre-shared key to use with this IPsec Tunnel.
LocalID
Specifies the local identity of the tunnel. (Optional)
RemoteID
Identities authorized to set up a tunnel. If not set, all authenticated peers will be authorized; with a pre-shared key this means anyone holding the key. (Optional)
EnforceLocalID
When enabled, the responder identity proposed by the IKE peer must match LocalID for the negotiation to be matched to this tunnel. (Default: No)
GatewayCertificate
Selects the certificate the firewall uses to authenticate itself to the other IPsec peer.
RootCertificates
Selects one or more root certificates to use with this IPsec Tunnel.
XAuth
Off, Required for inbound connections (the connecting peer must authenticate with XAuth), or Pass to peer gateway (the firewall sends XAuthUsername/XAuthPassword to the remote gateway). (Default: Off)
XAuthUsername
Specifies the username to pass to the remote gateway via IKE XAuth.
XAuthPassword
Specifies the password to pass to the remote gateway via IKE XAuth.
AddRouteToRemoteNet
Dynamically add a route to the remote network when the tunnel is established. The route is automatically deleted when the tunnel is torn down. Useful when serving roaming clients. (Default: No)
PlaintextMTU
Specifies the packet size at which plaintext packets sent into the tunnel are fragmented before encryption (rather than fragmenting the IPsec packets after encapsulation). Does not affect decrypted packets arriving from the tunnel. (Default: 1420)
OriginatorIPType
How the originator IP is chosen. LocalInterface automatically picks the address of the local interface that corresponds to LocalNetwork. (Default: LocalInterface)
OriginatorIP
Specifies the originator IP when it is not picked automatically.
OriginatorHAIP
Specifies private originator IP for HA. (Optional)
TunnelMonitor
Monitor a host inside the tunnel and renegotiate the tunnel if the host stops answering on ICMP pings. (Default: No)
MonitoredIP
IP address of the host being monitored with ICMP pings. The source address of the pings is the originator IP configured above.
MaxLoss
Specifies how many consecutive ICMP pings must be lost before the tunnel is renegotiated. (Default: 10)
IKEMode
(IKEv1 only) Specifies which IKE mode to use, Main or Aggressive. Aggressive mode sends the peer identity and the PSK-derived authentication hash without encryption, which exposes a pre-shared key to offline dictionary attacks; prefer Main mode (or IKEv2). (Default: Main)
IKEVersion
Specifies the IKE version (1 or 2) to use for the tunnel. (Default: 2)
DHGroup
Specifies the Diffie-Hellman group to use when doing key exchanges in IKE. (Default: 20,19,16,15)
PFSDHGroup
Specifies which Diffie-Hellman group to use with PFS. (Default: 20,19,16,15)
SetupSAPer
Set up one security association per network, per host or per port. (Default: Net)
DeadPeerDetection
IKE messages will be sent to verify the liveness of the remote peer if no ESP packets have been received from the remote endpoint within the last DeadPeerDetectionInterval seconds (30 by default). (Default: Yes)
DeadPeerDetectionInterval
Specifies how many seconds that must have passed before the gateway sends DPD messages to the peer. (Default: 30)
NATTraversal
Enable or disable NAT traversal. (Default: OnIfNeeded)
AutoEstablish
Always keep this tunnel open regardless of any packets being sent through the tunnel. Only applicable for LAN-to-LAN tunnels. (Default: No)
Metric
Specifies the metric for the auto-created route. (Default: 90)
AutoInterfaceNetworkRoute
Statically add a route for the remote network. The route exists regardless of the tunnel state. Useful for automatically negotiating LAN-to-LAN tunnels when outbound traffic arrives. (Default: Yes)
IKEIPsecPerIKELimit
Specifies the maximum number of IPsec SAs one IKE SA is allowed to create as responder. The limit is not enforced when a new IPsec SA is initiated by the firewall itself. (Default: 0)
IKEMaxIPsecPerIKELimitViolations
Specifies how many times the IPsec-per-IKE-SA limit can be exceeded before action is taken and the IKE SA is removed. (Default: 0)
IKEDSField
Specifies the value of the Differentiated Services Field of the IP header in IKE packets. (Default: 0)
IPsecDSField
Specifies the value of the Differentiated Services Field of the outer IP header of IPsec packets in tunnel mode. If unspecified, the value of the inner IP header will be used instead. (Optional)
LocalEndpoint
Specifies the local IP address on which this tunnel accepts incoming IKE/IPsec traffic and/or the source address used when initiating a tunnel negotiation (even if the IP is ARP published or core routed). (Optional)
IncomingInterfaceFilter
Interface filter for incoming IKE/ESP packets. Used in virtual routing scenarios to separate tunnels that listen on the same IP but in different routing tables. (Default: any)
OutgoingRoutingTable
Routing table used when sending IKE/ESP packets to the remote endpoint. Used in virtual routing scenarios. (Default: main)
RequestEAPID
Send an EAP identity request to client. This allows the client to use different identities for the IKE and EAP negotiation. (Default: Yes)
EAP
Use EAP to authenticate either the firewall itself or the connecting peer. (Default: Off)
EAPUsername
Specifies the username to pass to the remote gateway via EAP.
EAPPassword
Specifies the password to pass to the remote gateway via EAP.
SNMPIndex
Interface index assigned by the system when persistent interface indexes are enabled. (Default: 0)
Attribute
Special Attribute of the current object. (Optional)
MemberOfRoutingTable
All or Specific: whether the interface is a member of all routing tables or only of the table given in RoutingTable. (Default: All)
RoutingTable
Specifies the PBR table to insert the interface IP route into. It also means that the specified routing table will be used for all routing lookups, unless overridden by a PBR rule. (Default: main)
Zone
Specifies the Zone that this interface is a member of. (Optional)
ProxyARPAllInterfaces
Always select all interfaces, including new ones, for publishing routes via Proxy ARP. (Default: No)
ProxyARPInterfaces
Specifies the interfaces on which the firewall should publish routes via Proxy ARP. (Optional)
Comments
Text describing the current object. (Optional)
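The following is an added example, not part of this reference or of the product's own tooling: a small linter for IPsecTunnel objects that flags the combinations described above (a pre-shared key with IKEv1 aggressive mode; a PSK tunnel with neither RemoteEndpoint nor RemoteID set, so any holder of the key from any address is accepted), and checks PlaintextMTU against the ESP tunnel-mode overhead of the chosen algorithms so the firewall never has to fragment IPsec packets. The dataclass fields reuse the property names from the reference; the finding codes, the ESP size table, the assumed NATTraversal values (Off, On, OnIfNeeded), the assumption of IPv4 endpoints and the sample objects are this example's own.

```python
# Added example: hypothetical linter for IPsecTunnel objects (not product code).
from dataclasses import dataclass
from typing import List, Optional

OUTER_IPV4 = 20   # outer IPv4 header (assumption: IPv4 endpoints)
NATT_UDP = 8      # UDP header added by NAT traversal (RFC 3948)
ESP_HEADER = 8    # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2   # pad length + next header

# cipher -> (IV length, padding alignment); integrity -> ICV length, in bytes
CIPHERS = {"AES-CBC": (16, 16), "AES-GCM": (8, 4), "3DES-CBC": (8, 8)}
ICV = {"HMAC-SHA1-96": 12, "HMAC-SHA256-128": 16, "AES-GCM-16": 16}


def max_plaintext(outer_mtu: int, cipher: str, integrity: str, nat_t: bool) -> int:
    """Largest inner (plaintext) packet that still fits in outer_mtu after ESP
    tunnel-mode encapsulation, i.e. the highest safe PlaintextMTU."""
    iv_len, align = CIPHERS[cipher]
    fixed = OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER + iv_len + ICV[integrity]
    budget = outer_mtu - fixed            # room for inner packet + padding + trailer
    usable = budget - (budget % align)    # padded region must be a multiple of align
    return usable - ESP_TRAILER


@dataclass
class IPsecTunnel:
    Name: str
    RemoteEndpoint: Optional[str] = None  # unset: inbound negotiations accepted from anywhere
    AuthMethod: str = "PSK"
    IKEVersion: int = 2
    IKEMode: str = "Main"                 # IKEv1 only
    RemoteID: Optional[str] = None        # unset: every authenticated peer is authorized
    NATTraversal: str = "OnIfNeeded"      # assumed values: Off, On, OnIfNeeded
    PlaintextMTU: int = 1420


def lint(t: IPsecTunnel, outer_mtu: int = 1500,
         cipher: str = "AES-CBC", integrity: str = "HMAC-SHA256-128") -> List[str]:
    """Return finding codes for one tunnel; an empty list means clean."""
    findings: List[str] = []
    if t.AuthMethod == "PSK" and t.IKEVersion == 1 and t.IKEMode == "Aggressive":
        # identity and PSK-derived hash go out unencrypted: offline dictionary attack on the PSK
        findings.append("PSK_WITH_AGGRESSIVE_MODE")
    if t.AuthMethod == "PSK" and t.RemoteEndpoint is None and t.RemoteID is None:
        # any peer holding the key, from any source address, matches this tunnel
        findings.append("PSK_OPEN_TO_ANY_PEER")
    nat_t = t.NATTraversal != "Off"       # worst case: NAT-T may add its UDP header
    limit = max_plaintext(outer_mtu, cipher, integrity, nat_t)
    if t.PlaintextMTU > limit:
        findings.append(f"PLAINTEXT_MTU_TOO_LARGE(max={limit})")
    return findings


# Constructed sample objects (not from a real configuration)
ROAMING_WEAK = IPsecTunnel("roaming_psk", AuthMethod="PSK", IKEVersion=1, IKEMode="Aggressive")
ROAMING_FIXED = IPsecTunnel("roaming_cert", AuthMethod="Certificate", IKEVersion=2,
                            RemoteID="CN=*,O=Example Corp")
L2L = IPsecTunnel("branch", RemoteEndpoint="203.0.113.10", AuthMethod="Certificate",
                  RemoteID="CN=gw.branch.example.net", PlaintextMTU=1500)

if __name__ == "__main__":
    for tun in (ROAMING_WEAK, ROAMING_FIXED, L2L):
        print(tun.Name, lint(tun) or "clean")
```

With AES-CBC and HMAC-SHA256-128 behind NAT-T the calculation gives 1422 bytes for a 1500-byte path, which is why the 1420 default leaves no room for a larger value; with AES-GCM the overhead is smaller because the IV is shorter and padding only has to reach a 4-byte boundary.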