Who can Modify this Feature?

  • Partner
  • Company/Network Admins with write access
  • Meter Support

How to Add an IPsec VPN Tunnel

To add an IPsec VPN tunnel, log in to the Dashboard and click Secure Tunnels > IPSec > ‘Add IPSec Tunnel’.
You will see a new window on the right-hand side of the screen asking you for the following details:
  • Enable - Ensure this is toggled ON to enable your IPsec tunnel.
  • Name - This is just the display name for the tunnel in the Dashboard. Name it something meaningful to you.
  • Local IP or FQDN - It is recommended to use the Public IP address of the Meter Security Appliance. This can be found under Hardware > Security Appliances.
  • Remote IP or FQDN - It is recommended to use the Public IP address of the remote gateway.
  • Initiator - If enabled, the Meter Security Appliance will be the initiator of the IPsec tunnel. If left off, the Meter Security Appliance will assume a role automatically.
  • Preshared key - Must match on both ends of the IPsec tunnel.
  • Remote Networks - The subnets on the other end of the IPsec tunnel that should be accessible.
  • Local networks - Select the VLANs you want accessible over the IPsec tunnel.
  • Client VPN Bound - If enabled, users connected to the client VPN will also be able to traverse over the IPsec tunnel.
  • Bound WAN port - Choose the WAN interface you want the IPsec tunnel to operate over by default. Note: The local IP or FQDN should match the configured IP on your selected WAN port.
  • Partner Type (optional) - If connecting to AWS or Azure, select your respective partner type. If multiple tunnels with the same remote subnet to AWS or Azure exist, this setting should be used.
  • IKE Lifetime (optional) - How long the IKE security association (SA) remains valid before needing to be renegotiated (typically 8 hours).
  • Rekeying - If set to YES, the Meter Security Appliance will initiate negotiations. If NO, the Meter Security Appliance will only respond.
  • Reauthentication - If set to YES, the IKE SA will be torn down and re-established at rekey. If NO, the IKE SA is only rekeyed.
  • Dead Peer Detection (DPD) - Select a dead peer action (if needed) and timers.
    • Clear - Delete IKE SAs
    • Hold - Keep IKE SAs, but pause all traffic
    • Restart - Restarts the IPsec Tunnel
    • DPD Timeout - How often keepalive messages are sent.
    • DPD Delay - How long to wait before performing the DPD action if there is no response to keepalives.

Tunnel Types

General IPsec tunnels are policy-based only. The remote end must also use a policy-based tunnel for the connection to establish. AWS and Azure tunnel types are ‘IPIP’ tunnels, which can connect to route-based tunnels on AWS or Azure.
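A pre-flight check for the fields above, added here as an example and not part of Meter's documentation or product. The dictionary keys, the WAN port map and the 20-character key threshold are assumptions, and it assumes the remote gateway expects selectors that exactly mirror the Meter side, as policy-based peers commonly do.

```python
import ipaddress

MIN_PSK_LEN = 20  # assumed threshold for this example, not a Meter requirement

def selectors(side):
    # strict=True rejects entries with host bits set, e.g. 10.0.1.5/24
    return tuple({ipaddress.ip_network(c, strict=True) for c in side[k]}
                 for k in ("local_networks", "remote_networks"))

def preflight(meter, peer, wan_ips):
    """List problems in a planned policy-based tunnel (hypothetical field names)."""
    problems = []
    try:
        m_local, m_remote = selectors(meter)
        p_local, p_remote = selectors(peer)
    except ValueError as exc:
        return [f"invalid subnet: {exc}"]
    # Policy-based peers match on traffic selectors, so each side's
    # local networks must be the other side's remote networks.
    if m_local != p_remote:
        problems.append("selector mismatch: Meter local vs peer remote")
    if m_remote != p_local:
        problems.append("selector mismatch: Meter remote vs peer local")
    # Overlapping local and remote subnets make the policy ambiguous.
    problems += [f"overlap: {loc} and {rem}"
                 for loc in m_local for rem in m_remote if loc.overlaps(rem)]
    # The page's note: Local IP should match the IP on the bound WAN port.
    if wan_ips.get(meter["bound_wan_port"]) != meter["local_ip"]:
        problems.append("local IP does not match bound WAN port")
    if meter["remote_ip"] != peer["local_ip"]:
        problems.append("Meter remote IP is not the peer's local IP")
    # The preshared key must match on both ends; also flag short keys.
    if meter["psk"] != peer["psk"]:
        problems.append("preshared keys differ")
    elif len(meter["psk"]) < MIN_PSK_LEN:
        problems.append(f"preshared key shorter than {MIN_PSK_LEN} characters")
    return problems

# Constructed sample values (documentation address ranges, made-up key).
METER = {"local_ip": "203.0.113.10", "remote_ip": "198.51.100.20",
         "bound_wan_port": "WAN1", "psk": "constructed-sample-key-0001",
         "local_networks": ["10.10.0.0/24", "10.20.0.0/24"],
         "remote_networks": ["172.16.5.0/24"]}
PEER = {"local_ip": "198.51.100.20", "remote_ip": "203.0.113.10",
        "psk": "constructed-sample-key-0001",
        "local_networks": ["172.16.5.0/24"],
        "remote_networks": ["10.10.0.0/24"]}  # 10.20.0.0/24 missing on the peer
WAN_IPS = {"WAN1": "203.0.113.10", "WAN2": "192.0.2.44"}
```

With the sample values, `preflight(METER, PEER, WAN_IPS)` reports the VLAN that was selected on the Meter side but never added to the peer's policy.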
If you have any questions about setting up your IPsec tunnels or need further assistance, feel free to contact Meter Support at support@meter.com or submit a ticket at meter.com/support.