7 IPsec VPN 135

Setting up IPsec tunnels

Other sections explore IPsec components in detail. This section provides a summary of the essential steps needed for IPsec setup.

It outlines the individual steps in setting up IPsec for the following scenarios:

• IPsec LAN to LAN with Pre-shared Keys
• IPsec LAN to LAN with Certificates

Note: VPN tunnels themselves do not require IP rules. As explained in IPsec with the SEG on page 132, IP rules do not need to be defined in the SEG for VPN tunnel establishment. It is the data passing through a tunnel that requires IP rules which allow it to flow.

Common tunnel setup requirements

Before looking at each of these scenarios separately, it is useful to summarize the common SEG requirements when setting up any VPN tunnel, regardless of the type.

• Define the tunnel

First, you must define the tunnel itself. The SEG has various tunnel object types which are used to do this, such as an IPsec Tunnel object.

• A route must exist

Before any traffic can flow into the tunnel, a route must be defined in an SEG routing table. This route tells the SEG which network can be found at the other end of the tunnel, so it knows which traffic to send into the tunnel.

In most cases, this route is created automatically when the tunnel is defined, and this can be checked by examining the routing tables.

If a route is defined manually, the tunnel is treated exactly like a physical interface in the route properties, as it is in other aspects of the SEG. In other words, the route is telling the SEG that a certain network is found at the other end of the tunnel.

• Define an IP rule to allow VPN traffic

An IP rule must be defined that explicitly allows traffic to flow between a network and the tunnel. As with route definitions, the tunnel is treated exactly like a physical interface when defining the IP rule.

IP rules are not created automatically after defining the tunnel object. If no such rule exists, no traffic can flow through the tunnel; it is dropped instead.

The following sections will look at the detailed setup for each of the VPN scenarios listed earlier.

Important: The current version of the SEG does not support the use of IPv6 internet addresses with IPsec. For this reason, the predefined IP address all-nets should not be used, since this includes both IPv4 and IPv6 addresses. Instead, use the predefined address all-nets-ip4.
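The three requirements above (tunnel object, a route pointing the remote network at the tunnel, and an explicit Allow IP rule) plus the all-nets caveat can be checked mechanically before a tunnel goes live. The following Python audit is an added example, not part of this manual and not SEG code or its CLI; the tunnel, route and rule objects and the address-book entries other than all-nets and all-nets-ip4 are constructed sample values that stand in for the corresponding SEG configuration objects.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address book. Only the names all-nets and all-nets-ip4 are taken
# from the manual (all-nets spans IPv4 and IPv6); the other entries are samples.
ADDRESS_BOOK = {
    "all-nets": ["0.0.0.0/0", "::/0"],
    "all-nets-ip4": ["0.0.0.0/0"],
    "lannet": ["192.168.1.0/24"],
    "branch_net": ["10.20.0.0/16"],
    "hq_net": ["10.30.0.0/16"],
}


@dataclass(frozen=True)
class Tunnel:
    name: str        # tunnel object name; used like an interface name in routes and rules
    local_net: str   # address-book name
    remote_net: str  # address-book name of the network behind the far end


@dataclass(frozen=True)
class Route:
    interface: str   # interface or tunnel the network is reachable through
    network: str     # address-book name


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str      # "Allow" or "Drop"
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str


def _networks(name):
    return [ipaddress.ip_network(n) for n in ADDRESS_BOOK[name]]


def _covers(route_net_name, target_net_name):
    """True if every IPv4 prefix of the target lies inside a same-version routed prefix."""
    routed = _networks(route_net_name)
    targets = [n for n in _networks(target_net_name) if n.version == 4]
    return bool(targets) and all(
        any(t.version == r.version and t.subnet_of(r) for r in routed) for t in targets
    )


def audit(tunnels, routes, rules):
    """Return one finding per violated tunnel setup requirement (empty list = all good)."""
    findings = []
    for t in tunnels:
        # 1. A route must send the remote network into the tunnel.
        if not any(r.interface == t.name and _covers(r.network, t.remote_net) for r in routes):
            findings.append(f"{t.name}: no route for {t.remote_net} via tunnel")
        # 2. An Allow IP rule must reference the tunnel; rules are never created automatically.
        tunnel_rules = [r for r in rules if t.name in (r.src_iface, r.dst_iface)]
        if not any(r.action == "Allow" for r in tunnel_rules):
            findings.append(f"{t.name}: no Allow IP rule references the tunnel; traffic will be dropped")
        # 3. all-nets includes IPv6, which this SEG version does not support with IPsec.
        for r in tunnel_rules:
            if "all-nets" in (r.src_net, r.dst_net):
                findings.append(f"{t.name}: rule {r.name} uses all-nets; use all-nets-ip4 instead")
    return findings


# Constructed sample configuration: ipsec_branch is complete, ipsec_hq is not.
SAMPLE_TUNNELS = [
    Tunnel("ipsec_branch", "lannet", "branch_net"),
    Tunnel("ipsec_hq", "lannet", "hq_net"),
]
SAMPLE_ROUTES = [Route("ipsec_branch", "branch_net")]
SAMPLE_RULES = [
    IPRule("branch_out", "Allow", "lan", "lannet", "ipsec_branch", "branch_net"),
    IPRule("branch_in", "Allow", "ipsec_branch", "branch_net", "lan", "lannet"),
    IPRule("hq_out", "Allow", "lan", "lannet", "ipsec_hq", "all-nets"),
]


def sample_findings():
    return audit(SAMPLE_TUNNELS, SAMPLE_ROUTES, SAMPLE_RULES)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Running the block reports two findings for ipsec_hq (missing route, and a rule that uses all-nets) and none for ipsec_branch, which has its route and its Allow rules in place.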