Network Secure supports IPSec VPN connections to third-party devices. Its IPSec VPN implementation follows the standard IPSec protocol suite (IKE for negotiation, ESP or AH for the data path), so as long as the peer device also implements standard IPSec, you can establish a VPN connection between the local device and the peer device. Because the two sides are configured independently, every negotiated parameter (IKE version, mode, identities, algorithms, DH group, lifetimes, and protected subnets) must match on both devices, mirrored where the parameter is directional.
You can click Add Connection on the IPSec VPN Configuration page to add IPSec VPN connections. The Add Connection dialog box appears, as shown in the following figure.
The parameters are described as follows:
Device Name: Set a name for the tunnel.
Status: Specify whether to enable the VPN connection.
Description (Optional): Enter a description of the tunnel.
Peer IP Address Type: Select Static IP, Dynamic IP, or Dynamic Domain as required. If you select Static IP, enter the IP address of the peer device. If you select Dynamic Domain, enter the WAN domain name of the peer device. If you select Dynamic IP, the local device has no address to connect to, so the peer must initiate the connection.
Auth Method: Select Pre-shared key, Certificate based, or SM2 Certificate V1.1 as required.
Shared Key and Confirm Key: Enter the pre-shared key. Both devices must use the same pre-shared key. The key is the only thing that authenticates the IKE exchange, so use a long, randomly generated value rather than a short word, and do not reuse it across tunnels.
Local Outbound Interface: Select an outbound interface based on the link status.
Encrypted Traffic: Set parameters for protected data flows and Phase 2 negotiation of IPSec VPN as required.
Click Add in the Encrypted Traffic section. The Add Encrypted Traffic dialog box appears, as shown in the following figure.
The parameters are described as follows:
Local IP Address: Enter a source IP address or IP range to match the protected data flows of IPSec VPN.
Local Intranet Service: Select a source intranet service type to match the protected data flows of IPSec VPN. You can select All Services, All TCP Services, All UDP Services, or All ICMP Services as required.
Peer IP Address: Enter a destination IP address or IP range to match the protected data flows of IPSec VPN.
Peer Intranet Service: Select a destination intranet service type to match the protected data flows of IPSec VPN. You can select All Services, All TCP Services, All UDP Services, or All ICMP Services as required.
Phase 2 Proposal: Set the parameters required for Phase 2 negotiation, including Protocol, Encryption Algorithm, Auth Algorithm, and Perfect Forward Secrecy (PFS). Options for Protocol include AH and ESP. AH provides integrity and authentication only; the Encryption Algorithm applies only to ESP, and traffic carried over AH is not encrypted. Options for Encryption Algorithm include DES, 3DES, AES, AES192, AES256, SANGFOR_DES, and SM4. Options for Auth Algorithm include MD5, SHA1, SHA2-256, SHA2-384, SHA2-512, and SM3. DES, 3DES, MD5, and SHA1 exist for interoperability with legacy peers and should not be selected for new tunnels; prefer AES256 with SHA2-256 or stronger. SANGFOR_DES, SM4, and SM3 can only be used if the peer also implements them. Enable PFS so that each IPSec SA derives its keys from a fresh DH exchange instead of from the IKE SA keys.
Route Priority: Set the priority of the route created for the local and peer IP ranges of this rule.
Click Advanced to configure IKE and IPSec options, as shown in the following figure.
IKE Options:
IKE Version: Select IKEv1 or IKEv2. The setting must be the same as that of the peer device.
Mode: The connection mode, applicable to IKEv1. Options include Main mode and Aggressive. Main mode is applicable when both devices use static IP addresses or one uses a static IP address and the other uses a dynamic domain name; it exchanges identities only after the channel is encrypted. On this device, main mode does not support NAT traversal. Aggressive mode is applicable when one of the devices establishes connections through dial-up, and it supports NAT traversal. Aggressive mode sends the identities and the pre-shared-key-derived hash unencrypted, which allows an observer to attempt offline brute force of the pre-shared key; if you must use it, choose a long random key. Select either mode based on your business requirements.
Initiate Connection: Specify whether the device can actively initiate a VPN connection.
Local ID Type: Select an ID type for the local device to ensure that the peer device can identify the local device. Options include IP Address (ADDR), Domain String (FQDN), and User String (USER_FQDN).
Local ID: Set an ID for the local device based on the selected local ID type.
Peer ID Type: Select an ID type for the peer device to ensure that the local device can identify the peer device. Options include IP Address (ADDR), Domain String (FQDN), and User String (USER_FQDN).
Peer ID: Set an ID for the peer device based on the selected peer ID type.
IKE SA Timeout(secs): Set the Phase 1 (IKE SA) lifetime in seconds. The IKE SA is renegotiated when it expires. Set it longer than the IPSec SA Timeout so that Phase 2 rekeys can complete under an established IKE SA.
DH Group: Select a DH group type, including DH groups 1, 2, 5, 14, 15, 16, 17, and 18. The setting must be the same as that of the peer device. Groups 1, 2, and 5 (768, 1024, and 1536 bit) are too small for current use; select group 14 or higher unless a legacy peer offers nothing better.
DPD: Specify whether to enable Dead Peer Detection (DPD), which sends periodic liveness probes to the peer so that a tunnel whose peer has gone away is torn down and renegotiated instead of silently dropping traffic.
NAT-T: This feature is available only in aggressive mode. It prevents IPSec negotiation from failing when one of the devices is behind NAT. After you enable NAT traversal, ESP packets are encapsulated in UDP (UDP-ESP) instead of being sent as raw IP protocol 50, so that they can pass through NAT devices and through networks that do not permit ESP.
Detection Interval(secs): Set an interval for DPD and NAT-T detection.
Max Attempts: Set the maximum number of DPD and NAT-T detection attempts. If the number of unanswered attempts exceeds this value, the local device treats the peer as unreachable and disconnects from it.
Phase 1 Proposal: Set the parameters required for Phase 1 negotiation, including Encryption Algorithm and Auth Algorithm. Options for Encryption Algorithm include DES, 3DES, AES, AES192, AES256, SANGFOR_DES, and SM4. Options for Auth Algorithm include MD5, SHA1, SHA2-256, SHA2-384, SHA2-512, and SM3. The same guidance as for the Phase 2 proposal applies: avoid DES, 3DES, MD5, and SHA1 for new tunnels, and make sure the selected combination is offered by the peer.
After configuring the IKE options, click OK and then click the Others tab to configure the IPSec options.
Others:
Max Attempts: Set the maximum number of negotiation attempts for the IPSec VPN connection before the device stops retrying.
IPSec SA Timeout(secs): Set the lifetime of the IPSec (Phase 2) security associations (SAs) in seconds. Keep it shorter than the IKE SA Timeout.
Expiration Time: Specify whether to enable expiration time for IPSec VPN tunnels.
Click OK to save the settings. In the Operation column, you can click Edit to modify the parameters of the VPN connection or click View Encrypted Traffic to view the matching rules for encrypted traffic.
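The dialog above is filled in from the Network Secure side, and the most common interoperability mistake is to copy those values onto the third-party peer without mirroring the directional ones. The following script is an added example, not part of the product documentation or its software: it takes the dialog's parameters as a dictionary, emits the matching swanctl.conf for a strongSwan peer (swapping local/peer addresses, subnets and identities), and lints the choices a security reviewer would object to. The mapping from dialog names to strongSwan keywords, the identity type prefixes, the addresses (documentation ranges) and the key are assumptions or placeholders.

```python
"""Added example: derive a strongSwan peer configuration from the Network Secure
Add Connection parameters and flag weak or inconsistent settings.
The dictionary keys mirror the dialog fields; the values are constructed."""

# Dialog algorithm names -> strongSwan keywords (assumed mapping; SANGFOR_DES,
# SM4 and SM3 have no equivalent on a stock strongSwan peer).
ENC = {"DES": "des", "3DES": "3des", "AES": "aes128",
       "AES192": "aes192", "AES256": "aes256"}
AUTH = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
        "SHA2-384": "sha384", "SHA2-512": "sha512"}
DH = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
      15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192"}
# Dialog ID types -> strongSwan identity prefixes (assumption).
ID_PREFIX = {"ADDR": "ipv4:", "FQDN": "fqdn:", "USER_FQDN": "email:"}

# Constructed example filled in from the Network Secure side of the tunnel.
CONN = {
    "device_name": "branch-a",
    "ike_version": 2,
    "mode": "Main",                        # IKEv1 only; ignored for IKEv2
    "local_outbound_ip": "203.0.113.10",   # Network Secure WAN address
    "peer_ip": "198.51.100.20",            # third-party (strongSwan) peer
    "local_id_type": "FQDN", "local_id": "hq.example.com",
    "peer_id_type": "ADDR", "peer_id": "198.51.100.20",
    "shared_key": "REPLACE-WITH-A-LONG-RANDOM-PSK",   # placeholder
    "phase1": {"enc": "AES256", "auth": "SHA2-256", "dh": 14, "lifetime": 28800},
    "phase2": {"protocol": "ESP", "enc": "AES256", "auth": "SHA2-256",
               "pfs": 14, "lifetime": 3600},
    "traffic": [("10.1.0.0/24", "10.2.0.0/24")],   # (Local IP, Peer IP) rules
    "dpd": True, "detect_interval": 30, "nat_t": False,
}

# The same tunnel with the legacy choices the dialog still offers.
WEAK_CONN = {**CONN, "ike_version": 1, "mode": "Aggressive",
             "phase1": {"enc": "3DES", "auth": "MD5", "dh": 2, "lifetime": 3600},
             "phase2": {"protocol": "AH", "enc": "AES", "auth": "SHA1",
                        "pfs": 0, "lifetime": 3600}}


def lint(c):
    """Return a list of review findings; an empty list means nothing to object to."""
    w = []
    p1, p2 = c["phase1"], c["phase2"]
    for ph, p in (("Phase 1", p1), ("Phase 2", p2)):
        if p["enc"] in ("DES", "3DES", "SANGFOR_DES"):
            w.append(f"{ph}: {p['enc']} is obsolete; use AES256")
        if p["auth"] in ("MD5", "SHA1"):
            w.append(f"{ph}: {p['auth']} is weak; use SHA2-256 or stronger")
    if p1["dh"] in (1, 2, 5):
        w.append(f"Phase 1: DH group {p1['dh']} is too small; use group 14 or higher")
    if p2["protocol"] == "AH":
        w.append("Phase 2: AH only authenticates; Encryption Algorithm is ignored and data is sent in clear")
    if not p2["pfs"]:
        w.append("Phase 2: PFS disabled; IPSec SA keys derive from the IKE SA")
    if c["ike_version"] == 1 and c["mode"] == "Aggressive":
        w.append("IKEv1 aggressive mode exposes the PSK hash to offline brute force; prefer IKEv2 or main mode")
    if p2["lifetime"] >= p1["lifetime"]:
        w.append("IPSec SA Timeout should be shorter than IKE SA Timeout")
    return w


def proposal(p, dh):
    """Build a strongSwan proposal string such as aes256-sha256-modp2048."""
    for table, key in ((ENC, "enc"), (AUTH, "auth")):
        if p[key] not in table:
            raise ValueError(f"{p[key]} has no stock strongSwan equivalent")
    parts = [] if p.get("protocol") == "AH" else [ENC[p["enc"]]]  # AH: no cipher
    parts.append(AUTH[p["auth"]])
    if dh:
        parts.append(DH[dh])
    return "-".join(parts)


def render_swanctl(c):
    """Emit swanctl.conf for the peer. Every local/peer field is swapped relative
    to the dialog because the dialog describes the tunnel from Network Secure's view."""
    p1, p2 = c["phase1"], c["phase2"]
    ike, child = proposal(p1, p1["dh"]), proposal(p2, p2["pfs"])
    child_key = "ah_proposals" if p2["protocol"] == "AH" else "esp_proposals"
    children = "\n".join(
        f"            net{i} {{\n"
        f"                local_ts = {peer_net}\n"          # dialog Peer IP
        f"                remote_ts = {ns_net}\n"           # dialog Local IP
        f"                {child_key} = {child}\n"
        f"                rekey_time = {p2['lifetime']}s\n"
        f"                dpd_action = restart\n"
        f"                start_action = start\n"
        f"            }}"
        for i, (ns_net, peer_net) in enumerate(c["traffic"]))
    extra = ""
    if c["ike_version"] == 1:
        extra += f"        aggressive = {'yes' if c['mode'] == 'Aggressive' else 'no'}\n"
    if c["dpd"]:
        extra += f"        dpd_delay = {c['detect_interval']}s\n"
    if c["nat_t"]:
        extra += "        encap = yes\n"   # force UDP encapsulation of ESP
    ns_id = ID_PREFIX[c["local_id_type"]] + c["local_id"]
    peer_id = ID_PREFIX[c["peer_id_type"]] + c["peer_id"]
    return (
        f"connections {{\n    {c['device_name']} {{\n"
        f"        version = {c['ike_version']}\n"
        f"        local_addrs = {c['peer_ip']}\n"
        f"        remote_addrs = {c['local_outbound_ip']}\n"
        f"        proposals = {ike}\n"
        f"        rekey_time = {p1['lifetime']}s\n{extra}"
        f"        local {{\n            auth = psk\n            id = {peer_id}\n        }}\n"
        f"        remote {{\n            auth = psk\n            id = {ns_id}\n        }}\n"
        f"        children {{\n{children}\n        }}\n    }}\n}}\n"
        f"secrets {{\n    ike-{c['device_name']} {{\n"
        f"        id-1 = {ns_id}\n        secret = \"{c['shared_key']}\"\n    }}\n}}\n")


if __name__ == "__main__":
    for finding in lint(WEAK_CONN):
        print("WARN:", finding)
    print(render_swanctl(CONN))
```

Run it as-is to print the peer configuration for the constructed tunnel and the findings for the legacy variant. Note that the generated `local_ts`/`remote_ts`, `local_addrs`/`remote_addrs` and the two `id` values are the dialog's values with the direction reversed; a Phase 2 mismatch on the peer almost always comes from forgetting that swap.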