General Information on Tunnels

A tunnel is a mechanism provided by the Firewall that allows secure communications between secure networks over a nonsecure intervening network such as the Internet. It constructs a virtual private network (VPN) between two different sites, providing authentication and encryption. When you create a tunnel, a complete IP packet, including its header information, is encapsulated in a new IP packet that is seen only by the source and destination hosts. The original IP packet is protected during transmission between the hosts, according to the policy you specify.

Further Information

Creating a Virtual Private Network
Example of Virtual Private Networks

Tunnel Type

Choose the type of tunnel:

Tunnel ID (Tunnel Panel)

In the tunnel ID field, enter the tunnel identification number for the tunnel. Valid values are from 1 through 999999.

Local Address

In the local address field, enter the IP address of the local Firewall non-secure interface to be used by the tunnel. You may choose to press the "Select" button and select a Network Object that has already been defined.

Select

Press the "Select..." button to access a list of defined objects that are valid for this function.

Target Address

In the target address field, enter the IP address of the partner Firewall non-secure interface to be used by the tunnel. You may choose to press the "Select" button and select a Network Object that has already been defined.

Target SPI

For a manual tunnel, this field specifies the security parameter index (SPI) value that the tunnel partner will use. It is usually decided by the tunnel partner. All SPIs are 32-bit random numbers. They can be entered in either decimal or hexadecimal format.

Note that the SPI value 0 is reserved to indicate that no security association exists. The set of SPI values in the range of 1 through 255 are reserved to the Internet Assigned Numbers Authority (IANA) for future use.

Note also that if you are going to have more than one active tunnel to the same target, each active tunnel needs a different target SPI.
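
The SPI rules stated above (32-bit values, 0 reserved, 1 through 255 reserved to IANA, decimal or hex entry, and a distinct target SPI for each active tunnel to the same target) can be checked before a set of manual tunnels is activated. The following is an added example, not IBM Firewall code; the tunnel records and the convention that a bare digit string is decimal while a "0x" prefix or letters mark hex are assumptions of this example.

```python
# Added example (not IBM Firewall code): check manual-tunnel SPI settings
# against the rules in the Target SPI description. The tunnel records below
# are a constructed representation, not the firewall's own config format.

SPI_MAX = 0xFFFFFFFF                    # SPIs are 32-bit values
IANA_RESERVED_MAX = 255                 # 1..255 reserved to IANA; 0 means no SA
TUNNEL_ID_RANGE = range(1, 1_000_000)   # valid tunnel IDs are 1..999999


def parse_spi(text):
    """Parse an SPI typed in decimal or hex.
    Assumed convention: '0x...' or any hex letter means hex, digits only means decimal."""
    s = text.strip().lower()
    if s.startswith("0x"):
        value = int(s, 16)
    elif s.isdigit():
        value = int(s, 10)
    else:
        value = int(s, 16)              # bare hex digits such as 'a1b2c3d4'
    if not 0 <= value <= SPI_MAX:
        raise ValueError(f"SPI {text!r} does not fit in 32 bits")
    return value


def validate_tunnels(tunnels):
    """Return a list of problems for tunnel dicts with keys id, target, target_spi."""
    problems = []
    seen = {}                           # (target address, spi) -> tunnel id
    for t in tunnels:
        tid = t["id"]
        if tid not in TUNNEL_ID_RANGE:
            problems.append(f"tunnel {tid}: ID outside 1..999999")
        try:
            spi = parse_spi(t["target_spi"])
        except ValueError as e:
            problems.append(f"tunnel {tid}: {e}")
            continue
        if spi == 0:
            problems.append(f"tunnel {tid}: SPI 0 is reserved (no security association)")
        elif spi <= IANA_RESERVED_MAX:
            problems.append(f"tunnel {tid}: SPI {spi} is in the IANA-reserved range 1..255")
        key = (t["target"], spi)
        if key in seen:
            problems.append(f"tunnel {tid}: target SPI {spi:#x} to {t['target']} "
                            f"already used by tunnel {seen[key]}")
        else:
            seen[key] = tid
    return problems


# Constructed sample: a reused SPI to one partner, a reserved SPI, a bad ID and SPI 0.
SAMPLE_TUNNELS = [
    {"id": 1, "target": "192.0.2.10", "target_spi": "0x1000"},
    {"id": 2, "target": "192.0.2.10", "target_spi": "4096"},      # same SPI, same target
    {"id": 3, "target": "192.0.2.20", "target_spi": "4096"},      # same SPI, other target: ok
    {"id": 4, "target": "192.0.2.20", "target_spi": "200"},       # IANA-reserved
    {"id": 1000000, "target": "192.0.2.30", "target_spi": "0"},   # bad ID and SPI 0
]
```

Running `validate_tunnels(SAMPLE_TUNNELS)` reports four problems: the duplicate SPI on tunnel 2, the reserved SPI on tunnel 4, and both the out-of-range ID and SPI 0 on the last record.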

Firewall SPI

The firewall security parameter index is assigned by the firewall when you add a manual tunnel or use dynamic tunneling for the secure remote client. You cannot set or change this value.

Policy

Tunnels rely on symmetric-key cryptography to enforce data security. This means that the firewalls at each end of the tunnel have a shared secret in the form of an encryption key known to both of them. Using this key, the secure IP tunnel provides two different types of security:

Depending upon your security requirements for this tunnel, choose from among the following policies:

Encryption Algorithm

If the "Policy" field of this tunnel uses one of the encryption options, the "Encryption Algorithm" field specifies which type of encryption to use. Three choices are available:

Sess. Key Lifetime

In the session key lifetime field, enter the time in minutes that the current session key can be used. For IBM tunnels, the value that you specify affects performance (the smaller the value, the bigger the performance hit). This value should be smaller when CDMF is used as the encryption algorithm. For manual tunnels, this time is the period during which the tunnel is operable. To restart the tunnel after this time has elapsed, cancel it and then activate it again.

Sess. Key Refresh Time

This field is valid only for IBM tunnels. In the session key refresh time field, enter the time in minutes. This determines the amount of overlap between the start of a new key and the expiration of the old key. The value that you specify affects performance (the smaller the value, the bigger the performance hit). A recommended value is 480 minutes (8 hours).

Initiator

The initiator field identifies which partner starts the session negotiations. If both partners are identified as the initiator, the tunnel logic will resolve the deadlock. You must set at least one of the partners as the initiator. Choose "yes" or "no".

OK

Press the "OK" button to save changes and close the window.

Cancel

Press the "Cancel" button to close the window without saving any changes.