IPsec IKEv1 Tunnel Settings

The following IKEv1 IPsec tunnel settings can be configured:

General

Setting

Description

Name

The tunnel name. You can enter a maximum of 26 characters.

Disabled

To manually disable the tunnel, select this check box.

IPv6

Enable this option to use IPv6 addresses for the VPN tunnel envelope.

Basics

In this tab, you can edit the following Phase 1 and Phase 2 settings.

Setting

Description

Encryption

The data encryption algorithm.

Hash Meth.

The hash algorithm.

DH-Group

The Diffie-Hellman Group that specifies the type of key exchange. The Barracuda CloudGen Firewall supports Group1 to Group18.

Lifetime [sec]

The re-keying time in seconds that the server offers to the partner.

Min. Lifetime [sec]

The minimum re-keying time in seconds that the server accepts from its partner.

Max. Lifetime [sec]

The maximum re-keying time in seconds that the server accepts from its partner.

Enable Perfect Forward Secrecy

Toggle to enable or disable PFS. The remote gateway must also support PFS.

SD-WAN - VPN Envelope Policy

Setting

Description

TOS Policy

This policy setting specifies how Type of Service (ToS) information contained within a packet’s IP header is handled. In networks, the ToS may be used to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. You can select one of the following options:

  • Copy TOS From Payload to Envelope – Use this option with non-TCP transports. The packet’s original ToS information is copied onto the envelope, so that it stays available for use.

  • Fixed Envelope TOS – The payload's ToS information is masked: the envelope receives a fixed ToS value regardless of the payload. In the Envelope TOS Value field, enter the fixed ToS value. The same ToS information is then assigned to all packets. For example:

DSCP   Precedence   Purpose
0      0            Best effort
8      1            Class 1
16     2            Class 2
24     3            Class 3
32     4            Class 4
40     5            Express forwarding
48     6            Control
56     7            Control

For more information about precedence values, see http://www.bogpeople.com/networking/dscp.shtml and http://www.tucny.com/Home/dscp-tos.
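The following Python snippet is an added example, not Barracuda code, that makes the relationship in the table above explicit (precedence is the top three bits of the DSCP, which in turn is the top six bits of the ToS byte) and shows what the two envelope policies leave visible to a transit network. It assumes that Copy TOS From Payload to Envelope copies the whole ToS byte, ECN bits included, and that the Envelope TOS Value is given as a full ToS byte; the page does not state either detail.

```python
def tos_fields(tos: int) -> dict:
    """Split an IPv4 ToS byte: DSCP is the top 6 bits, IP precedence the top 3 bits
    (i.e. the top 3 bits of the DSCP), ECN the bottom 2 bits."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single byte")
    dscp = tos >> 2
    return {"dscp": dscp, "precedence": dscp >> 3, "ecn": tos & 0x3}


def class_selector_dscp(precedence: int) -> int:
    """DSCP of the class-selector code point for an IP precedence value (the table above)."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit value")
    return precedence << 3


def envelope_tos(payload_tos: int, policy: str, fixed_value: int = None) -> int:
    """ToS byte written to the VPN envelope (outer IP header) for one encapsulated packet.

    'copy'  - Copy TOS From Payload to Envelope: the payload's byte is carried outward.
    'fixed' - Fixed Envelope TOS: every envelope gets fixed_value; the payload's ToS is hidden.
    Assumption (not stated on the page): the whole byte is copied and fixed_value is a full ToS byte.
    """
    if policy == "copy":
        return payload_tos
    if policy == "fixed":
        if fixed_value is None:
            raise ValueError("Fixed Envelope TOS requires an Envelope TOS Value")
        return fixed_value & 0xFF
    raise ValueError(f"unknown ToS policy {policy!r}")


def envelope_precedences(payload_tos_values, policy: str, fixed_value: int = None) -> list:
    """Precedence each envelope would carry, i.e. what a transit network can still act on."""
    return [tos_fields(envelope_tos(t, policy, fixed_value))["precedence"]
            for t in payload_tos_values]


if __name__ == "__main__":
    # Constructed payload ToS bytes: EF (0xB8, precedence 5), AF11 (0x28, precedence 1), best effort.
    payload = [0xB8, 0x28, 0x00]
    print("copy :", envelope_precedences(payload, "copy"))          # [5, 1, 0]
    print("fixed:", envelope_precedences(payload, "fixed", 0x60))   # [3, 3, 3] (CS3)
```

With the copy policy the per-packet precedence survives encapsulation; with a fixed envelope value every packet in the tunnel is treated alike by the transit network, which is the trade-off the setting asks you to make.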

Band Policy

For band policy settings to apply, you must configure traffic shaping. For more information, see Traffic Shaping. Band policy settings work independently from bandwidth protection settings.

The Band Policy settings rely on connection objects that are assigned to bands in the firewall rulesets and specify bandwidth assignment to transports as a whole. Multiple transports can share a single band if they are processed by the same interface.

You can select one of the following options:

  • Use Band According to Rule Set – Use the band from the firewall rule, allowing traffic between the tunnel endpoints.

  • Copy Band From Payload To Envelope – Use the band from the firewall rule, redirecting traffic to the VPN tunnel entry point. The band setting for the rule that configures traffic between the tunnel endpoints is then ignored.

  • Fixed Envelope Band – Use a static band. From the Envelope Band Value list, select one of the available bands (System, Band A to Band G).

Replay Window Size

If, because of ToS policies assigned to VPN tunnels or transports, packets are not forwarded immediately in sequence-number order, you can configure the replay window size to preserve sequence integrity and to prevent IP packet "replaying." The window size is the maximum number of IP packets that can be held back before it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport and override any global policy settings. Set to -1 to disable Replay Protection.

  • To view or edit the global replay window size, see the VPN server settings.

  • To view the replay window size for a tunnel, double-click the tunnel on the VPN page to open the Transport Details window (attribute: transport_replayWindow).
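To illustrate what the replay window size controls, here is an added Python model of a sliding anti-replay window in the style of the ESP anti-replay check; it is example code, not the firewall's implementation. It follows the convention on this page that -1 disables replay protection; the verdict strings and the constructed packet trace are this example's own.

```python
class ReplayWindow:
    """Sliding anti-replay window over ESP-style sequence numbers.

    window_size == -1 disables replay protection (every packet is accepted).
    Otherwise window_size is how far behind the highest sequence number seen
    a packet may still arrive. check() returns 'accept', 'reject-replay'
    (already seen inside the window) or 'reject-too-old' (left the window).
    """

    def __init__(self, window_size: int):
        if window_size != -1 and window_size < 1:
            raise ValueError("window_size must be -1 (disabled) or >= 1")
        self.size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check(self, seq: int) -> str:
        if self.size == -1:
            return "accept"                 # replay protection disabled
        if seq <= 0:
            return "reject-too-old"         # sequence numbers start at 1
        if seq > self.highest:
            # Slide the window forward; bits pushed past the window size fall off.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "reject-too-old"         # behind the left edge of the window
        if self.bitmap & (1 << offset):
            return "reject-replay"          # duplicate inside the window
        self.bitmap |= 1 << offset
        return "accept"


def run_window(window_size: int, sequence: list) -> list:
    """Feed a sequence-number trace through one window and collect the verdicts."""
    window = ReplayWindow(window_size)
    return [window.check(seq) for seq in sequence]


if __name__ == "__main__":
    # Constructed trace: in-order packets, a duplicate, a jump, a stale packet,
    # a late-but-valid packet, then its duplicate.
    trace = [1, 2, 3, 2, 7, 3, 10, 8, 8]
    for size in (4, -1):
        print(f"window {size:>2}: {run_window(size, trace)}")
```

A small window rejects legitimately reordered packets as "too old" (the stale packet 3 in the trace), which is the symptom that prompts raising the per-tunnel value; a large window costs only bitmap memory but still catches exact duplicates.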

Advanced

Setting

Description

DPD intervals [s]

Enter the interval in seconds between the IKE notify messages that check whether the peer is still reachable. Default: 5 sec.

Interface Index

By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field.

Before using this option, you must first create the indexed VPN interface in the VPN Settings.

VPN Next Hop Routing

Enter the IP address of the remote VPN tunnel interface that is reachable through the vpnr interface with the index entered in Interface Index.

Phase 2 Lifetime Adjust [s]

This setting ensures that the firewall initiates rekeying. On CloudGen Firewall devices with firmware 8.0.1 or higher, you can leave this field blank.

NAT-T Autodetect

Attempt to detect the UDP NAT-T type supported by the remote VPN gateway.

RAW IPSec

In this section, you can add optional parameters for establishing IPsec tunnels. When appending a parameter, first specify the section that the parameter belongs to. Then specify the parameter itself on the next line. Enter one value per line. For example:

[Section]
key=value

To set the IPSec ID for Phase 1, use the following format:

[IPSEC-<tunnelname>-ID]
ID-Type= IPV4_ADDR
Address= <IP address>

[IPSEC-<tunnelname>]
ID= IPSEC-<tunnelname>-ID

Example:

[IPSEC-TestTunnel-ID]
ID-Type= IPV4_ADDR
Address= 198.51.100.30

[IPSEC-TestTunnel]
ID= IPSEC-TestTunnel-ID

New sections are added to the end of the isakmpd.conf file. New parameters are added to the top of the specified section. For more information on the syntax to be used in this field, see the isakmpd.conf man page at www.openbsd.org/cgi-bin/man.cgi.
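The placement rules above (new sections go to the end of the file, new parameters to the top of their section) are easy to get wrong when checking a generated configuration by hand. The following Python is an added example, not Barracuda code, that parses text in the RAW IPsec format and applies it to a constructed isakmpd.conf in exactly that way; the existing file contents and the parsing rules (one [Section] header, then key=value lines, anything else is an error) are this example's assumptions, and the RAW text is the page's TestTunnel example.

```python
from __future__ import annotations

import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
PARAM_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_raw_ipsec(text: str) -> list[tuple[str, list[tuple[str, str]]]]:
    """Parse the RAW IPsec field: [Section] headers, each followed by key=value lines.

    Whitespace around '=' is tolerated (the page writes 'Address= 198.51.100.30') and
    normalised away. A key=value line before any section header is rejected.
    """
    sections: list[tuple[str, list[tuple[str, str]]]] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
            continue
        m = PARAM_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: expected [Section] or key=value, got {line!r}")
        current[1].append((m.group(1), m.group(2).strip()))
    return sections


def merge_into_isakmpd_conf(conf: str, raw: str) -> str:
    """Apply RAW IPsec entries to an existing isakmpd.conf text.

    Section already present: the new parameters are inserted at the top of it,
    keeping the order given in the field. Section absent: appended at the end.
    """
    lines = conf.splitlines()
    for name, params in parse_raw_ipsec(raw):
        header = f"[{name}]"
        rendered = [f"{key}={value}" for key, value in params]
        idx = next((i for i, l in enumerate(lines) if l.strip() == header), None)
        if idx is None:
            if lines and lines[-1].strip():
                lines.append("")          # blank line before the appended section
            lines.append(header)
            lines.extend(rendered)
        else:
            lines[idx + 1:idx + 1] = rendered
    return "\n".join(lines) + "\n"


# Constructed starting point; the keys are plausible isakmpd.conf keys but the file is made up.
CONSTRUCTED_CONF = (
    "[General]\n"
    "Retransmits=3\n"
    "Exchange-max-time=120\n"
    "\n"
    "[IPSEC-TestTunnel]\n"
    "Phase=1\n"
    "Transport=udp\n"
)

# The page's own RAW IPsec example.
RAW_FIELD = (
    "[IPSEC-TestTunnel-ID]\n"
    "ID-Type= IPV4_ADDR\n"
    "Address= 198.51.100.30\n"
    "\n"
    "[IPSEC-TestTunnel]\n"
    "ID= IPSEC-TestTunnel-ID\n"
)


def demo() -> str:
    """Merge the page's example into the constructed file and return the result."""
    return merge_into_isakmpd_conf(CONSTRUCTED_CONF, RAW_FIELD)


if __name__ == "__main__":
    print(demo())
```

In the output, ID=IPSEC-TestTunnel-ID lands directly under the existing [IPSEC-TestTunnel] header, ahead of Phase and Transport, while the new [IPSEC-TestTunnel-ID] section is appended after everything else.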

Local Networks

Setting

Description

Initiates Tunnel

Specifies whether the tunnel is active or passive. You can select one of the following options:

  • Yes (passive IKE)

  • No (active IKE)

Active also implies that incoming VPN connection attempts are accepted.

Local IKE Gateway

The IP address of the local IKE gateway. If you are using dynamic IP addresses, enter 0.0.0.0/0.

ID-type

  • IPV4_ADDR (auto) – Automatically chosen IP address.

  • IPV4_ADDR (explicit) – Enter a single IP address.

  • IPV4_ADDR_SUBNET (auto) – Automatically chosen network.

  • IPV4_ADDR_SUBNET (explicit) – Explicit network. E.g., 62.99.0.0/24

Identify

Setting

Description

Identification Type

  • Shared Secret

  • X509 Certificate (CA signed)

  • X509 Certificate (explicit)

  • Box SCEP Certificate (CA signed)

X509 certificates must have the SubAltName field populated with at least one entry.

Mode

  • Main Mode – By default, the firewall uses main mode. Main mode is considered more secure than aggressive mode.

  • Aggressive Mode – Aggressive mode is required if the remote IP address is unknown and shared key authentication is used.

Remote Networks

Setting

Description

Remote IKE Gateway

The IP address of the remote IKE gateway. If the remote IPsec gateway is connected to the Internet with a dynamic IP address, enter the DDNS (Dynamic Domain Name System) hostname of the gateway.

Network Address

To add the network address of the VPN partner, enter it in this field and then click Add.

Peer Identification

Depending on which identification type is selected, different fields are unlocked in the Peer Identification section.

Setting

Description

Shared Secret

Enter the shared passphrase used to authenticate. Passphrases using the hash (#) character are not accepted.

CA Root

Select the root certificate used to validate the certificate.

X509 Condition

Enter the certificate key patterns the certificate is required to match when X.509 certificate authentication is used.

Explicit X509

Import an explicit certificate for X.509 certificate authentication.

X509 certificates must have the SubAltName field populated with at least one entry.