Nexapp - IPsec Tunnels
IPsec Tunnels
IPsec tunnels provide a secure, encrypted channel over the Internet (or any untrusted network). They protect data in transit by ensuring confidentiality, integrity, and authentication.
IPsec (Internet Protocol Security) is the de facto standard for site-to-site VPNs and is supported by virtually all firewall and router vendors. NexappOS can use IPsec to build tunnels:
- between two NexappOS firewalls, or
- between NexappOS and third-party devices.
NexappOS uses route-based VPNs by default: each tunnel creates a dedicated TUN interface, and traffic enters the tunnel because a route points at that interface, not because it matches a policy selector.
Configuration Concepts
An IPsec tunnel always has two peers, referred to here as Peer A and Peer B.
These peers can be:
- 1 NexappOS firewall + 1 third-party firewall/router
- 2 NexappOS firewalls
Each device must be configured with a mix of:
1) Mirrored (network-dependent) parameters
These must match across peers in a mirrored way:
- WAN interface used by the tunnel
- Local and remote networks to be connected
- Local and remote identifiers (usually public WAN IPs)
So, for example:
- WAN IP of Peer A = Remote IP configured on Peer B
- Local network on Peer A = Remote network on Peer B
- Local ID on Peer A = Remote ID on Peer B
2) Identical (crypto / policy) parameters
Everything related to encryption must be exactly the same on both sides:
- Pre-Shared Key (PSK)
- IKE settings
- ESP settings
- cryptographic algorithms, lifetimes, etc.
NexappOS authenticates the two peers with a pre-shared key (PSK). The PSK proves identity during the IKE exchange; it is not the traffic encryption key, which IKE derives per session.
Create a New IPsec Tunnel
- Go to VPN → IPsec Tunnels
- Click Add IPsec tunnel
- Enter a Tunnel name
- Complete the configuration wizard (3 steps):
  - Step 1: Network parameters (WAN interface, local/remote networks, IDs)
  - Steps 2–3: Security parameters (PSK, IKE/ESP profiles, algorithms, lifetimes)
After saving, the new tunnel appears in the IPsec list.
NAT Note (Important)
If one endpoint is behind NAT, the address on its WAN interface is not the address the other peer sees, so public IPs cannot serve as identifiers. Use custom unique identifiers instead.
Recommended format: email-like IDs, for example:
- Peer A Local ID: nsec@site-a
- Peer B Local ID: otherdevice@site-b
The mirroring rule still applies: Peer A's Remote ID is otherdevice@site-b and Peer B's Remote ID is nsec@site-a.
This avoids identity conflicts during negotiation. The NAT device must also pass UDP 500 and UDP 4500, because once NAT is detected IKE moves to port 4500 and ESP is encapsulated in UDP (NAT-T).
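The mirrored/identical split from Configuration Concepts and the NAT rule above are easy to get wrong by hand, so here is a small consistency check that applies them to both peer records before a tunnel is committed. This is an added illustration, not NexappOS code: the two peer records are constructed, the field names (wan_ip, local_id, behind_nat, ...) are this script's own rather than the wizard's, and the addresses are documentation ranges.

```python
"""Consistency check for the two ends of an IPsec tunnel.

Added example, not NexappOS code. Peer records are constructed and the
field names are this script's own; they do not map one-to-one onto the
NexappOS wizard.
"""
import ipaddress
import re
from dataclasses import dataclass, replace

EMAIL_LIKE_ID = re.compile(r"^[^@\s]+@[^@\s]+$")   # e.g. nsec@site-a


@dataclass
class PeerConfig:
    name: str
    wan_ip: str             # address on the WAN interface this tunnel uses
    remote_ip: str          # address this peer dials: the other side's public IP
    local_id: str
    remote_id: str
    local_nets: frozenset   # networks behind this peer (CIDR strings)
    remote_nets: frozenset  # networks behind the other peer
    behind_nat: bool        # WAN IP is private and translated upstream
    psk: str
    ike: dict               # IKE proposal: version, algorithms, lifetime
    esp: dict               # ESP proposal: algorithms, PFS group, lifetime


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_pair(a: PeerConfig, b: PeerConfig) -> list[str]:
    """Return the mismatches between two peers; an empty list means consistent."""
    problems = []

    # 1) Mirrored parameters: what A calls "local", B must call "remote".
    for x, y in ((a, b), (b, a)):
        if not x.behind_nat and x.wan_ip != y.remote_ip:
            problems.append(f"{y.name}: remote IP {y.remote_ip} != {x.name} WAN IP {x.wan_ip}")
        if x.local_id != y.remote_id:
            problems.append(f"{y.name}: remote ID {y.remote_id!r} != {x.name} local ID {x.local_id!r}")
        if x.local_nets != y.remote_nets:
            problems.append(f"{y.name}: remote networks {sorted(y.remote_nets)} != "
                            f"{x.name} local networks {sorted(x.local_nets)}")

    # 2) Identical parameters: PSK and both proposals must match exactly.
    for attr in ("psk", "ike", "esp"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs between {a.name} and {b.name}")

    # 3) NAT rule: a translated peer cannot be identified by its WAN address,
    #    so it needs a custom email-like identifier.
    for p in (a, b):
        if p.behind_nat and (_is_ip_literal(p.local_id) or not EMAIL_LIKE_ID.match(p.local_id)):
            problems.append(f"{p.name}: behind NAT but local ID {p.local_id!r} "
                            "is not a custom email-like identifier")

    # 4) Sanity: a peer's own networks must not overlap the ones it sends into the tunnel.
    for p in (a, b):
        for ln in p.local_nets:
            for rn in p.remote_nets:
                if ipaddress.ip_network(ln).overlaps(ipaddress.ip_network(rn)):
                    problems.append(f"{p.name}: local {ln} overlaps remote {rn}")
    return problems


# Constructed proposals shared by both sample peers (values are illustrative).
IKE = {"version": 2, "encryption": "aes256-gcm16", "prf": "sha256",
       "dh": "modp2048", "lifetime_s": 28800}
ESP = {"encryption": "aes256-gcm16", "pfs": "modp2048", "lifetime_s": 3600}


def good_pair() -> tuple[PeerConfig, PeerConfig]:
    """Two public peers with correctly mirrored settings (constructed data)."""
    a = PeerConfig("site-a", "198.51.100.10", "203.0.113.20", "198.51.100.10", "203.0.113.20",
                   frozenset({"10.1.0.0/24", "10.1.1.0/24"}), frozenset({"10.2.0.0/24"}),
                   False, "constructed-psk", IKE, ESP)
    b = PeerConfig("site-b", "203.0.113.20", "198.51.100.10", "203.0.113.20", "198.51.100.10",
                   frozenset({"10.2.0.0/24"}), frozenset({"10.1.0.0/24", "10.1.1.0/24"}),
                   False, "constructed-psk", IKE, ESP)
    return a, b


def bad_pair() -> tuple[PeerConfig, PeerConfig]:
    """Site B now sits behind NAT but still identifies by IP, and its ESP lifetime differs."""
    a, b = good_pair()
    b = replace(b, wan_ip="192.168.1.2", behind_nat=True, esp={**ESP, "lifetime_s": 1800})
    return a, b


if __name__ == "__main__":
    for label, pair in (("good", good_pair()), ("bad", bad_pair())):
        print(label, check_pair(*pair) or "OK")
```

The check reports each mismatch from the point of view of the peer whose remote-side value is wrong, which is the side you would edit. Run it against both configurations before bringing the tunnel up; an IKE authentication failure caused by a mirrored-ID mistake looks identical on the wire to a wrong PSK.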
Multiple Networks per Tunnel
One IPsec tunnel can carry multiple networks on each side.
- NexappOS creates multiple Child SAs automatically, for compatibility with peers that accept only one pair of traffic selectors per SA (a common vendor limitation, and the only option under IKEv1).
- Behavior is the same under IKEv1 or IKEv2.
IPsec in a FlowEdge MultiWAN Scenario
When multiple WANs exist, each IPsec tunnel must always exit via its assigned WAN.
To enforce this, create a static route for the remote peer IP so it uses the correct WAN gateway.
Example:
- Tunnel bound to WAN1
- Remote peer public IP: 11.22.33.44
Create a static route so traffic to 11.22.33.44/32 goes out through the WAN1 gateway.
Without this, negotiation may fail or flap when WAN priorities change.
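To see why the host route is needed regardless of WAN priority, the following added example simulates a MultiWAN routing table and a longest-prefix-match lookup for the peer address. It is not NexappOS code: the routing table, gateway addresses and interface names are constructed, and the /32 entry stands in for the static route the section asks you to create.

```python
"""Route selection for an IPsec peer in a MultiWAN setup.

Added example, not NexappOS code. The routing table below is constructed;
11.22.33.44 is the page's own example peer address.
"""
import ipaddress

PEER = "11.22.33.44"
WAN1_GW, WAN2_GW = "198.51.100.1", "203.0.113.1"   # constructed gateways

# (prefix, gateway, device, metric): WAN2 is currently the preferred default.
BASE_TABLE = [
    ("0.0.0.0/0", WAN1_GW, "wan1", 20),
    ("0.0.0.0/0", WAN2_GW, "wan2", 10),
    ("10.1.0.0/24", None, "lan0", 0),
]
# The static route from the section: pin the peer to WAN1's gateway.
PIN_ROUTE = (f"{PEER}/32", WAN1_GW, "wan1", 0)


def select_route(table, dst):
    """Longest-prefix match, then lowest metric, like a kernel FIB lookup.

    Returns (device, gateway) or None when nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(prefix), gw, dev, metric)
                  for prefix, gw, dev, metric in table
                  if dst in ipaddress.ip_network(prefix)]
    if not candidates:
        return None
    net, gw, dev, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return dev, gw


def flip_priorities(table):
    """Simulate the MultiWAN engine re-ranking the defaults (WAN1 becomes preferred)."""
    return [(p, gw, dev, {"wan1": 10, "wan2": 20}.get(dev, m)) for p, gw, dev, m in table]


def egress(pinned: bool, flipped: bool):
    """Where IKE/ESP packets to the peer leave, with or without the host route."""
    table = BASE_TABLE + ([PIN_ROUTE] if pinned else [])
    if flipped:
        table = flip_priorities(table)
    return select_route(table, PEER)


if __name__ == "__main__":
    for pinned in (False, True):
        for flipped in (False, True):
            print(f"pinned={pinned} flipped={flipped} -> {egress(pinned, flipped)}")
```

Without the /32 entry the peer follows whichever default route currently wins, so a tunnel configured on WAN1 negotiates over WAN2 and then moves when priorities change, which is the flapping the section describes. With the /32 entry the more specific prefix wins on every lookup, so the outcome is the same under both priority orders. On a Linux host the equivalent would be a host route such as `ip route add 11.22.33.44/32 via 198.51.100.1 dev wan1` (an assumption about the underlying OS; on NexappOS, add the static route through its own routing configuration).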