IP Connectivity by using IPsec VPN data

Starting with TKU March 2026, support has been added for discovering relationships based on data for configured Internet Protocol Security VPNs (IPsec VPNs). The IP connectivity feature uses IPsec VPN information to identify IP links between network devices connected through IPsec tunnels.

Supported Discovery versions

All Discovery versions starting with BMC Helix Discovery 25.2 (15.0) are supported.

Supported vendors

IP connectivity based on IPsec VPN information is currently supported only for specific series (ERX/SRX and NetScreen) of Juniper Networks devices and for Palo Alto Networks firewalls scanned through Palo Alto Panorama.

Prerequisites

Before you start discovering IP links between network devices, make sure you have completed the following configurations:

  • Valid SNMP credentials are required for Juniper network devices.
  • Valid Palo Alto Panorama XML API credentials are required for implicit discovery of firewall devices through Panorama.

What is IPsec?

IPsec is a group of protocols used to secure network connections, mostly for setting up VPNs. It encrypts IP packets and authenticates the source of the packets to ensure secure communication.

How IPsec VPN works

An IPsec VPN is a feature of device software that uses the IPsec protocol to create encrypted tunnels between two or more network devices. For IPsec VPN, the connection establishment process between peers has two stages (phases).

Phase 1

Internet Key Exchange Security Association (IKE SA) involves the following steps:

  1. Authenticating peers by using a pre-shared key or certificates.
  2. Negotiating encryption algorithms, such as AES or 3DES.
  3. Exchanging keys by using the Diffie-Hellman method.
  4. Establishing a secure management channel.

Phase 2

IPsec Security Association (IPsec SA) involves the following steps:

  1. Negotiating IPsec parameters, such as ESP/AH, encryption, and hashing.
  2. Creating Security Associations (SAs) for actual data traffic.
  3. Establishing the encrypted tunnel for user data.

Encrypted IPsec packets travel across one or more networks to their destination by using a transport protocol. IPsec uses the User Datagram Protocol (UDP) as its transport protocol, which helps IPsec packets pass through firewalls.

BMC Helix Discovery relies on data from established IPsec VPN tunnels obtained through SNMP or Panorama API scans to identify the local and remote peers' IP addresses. This information is then further used by the IPsec pattern.

How to enable IP connectivity by using IPsec VPN

To start discovering IP links between network devices by using IPsec VPN data, enable IP Logical Connectivity on the appliance from the IP Network view, as shown in the following screenshot. For more information, see the official BMC Helix Discovery documentation.

logical_connectivity_enable.png

Discovery model

The IPsec pattern is triggered by a NetworkDevice from the supported vendors list with a Firewall or Router type. Then, the pattern looks for device-related IPAddress nodes with corresponding hidden IPsec attributes: __ipsec_peer_local_addr and __ipsec_peer_remote_addrs. Based on this data, the pattern searches for remote peer devices and their related IPAddress nodes and creates the IPAddress:Peer:LogicalNetworkLink:Peer:IPAddress relationships that represent IPsec VPN tunnels between devices' edge IP addresses.

In this example, with three devices connected through IPsec VPN site-to-site tunnels, the BMC Discovery model will be as follows:

devices_ipsec_connectivity.png

To display network devices connected through IPsec VPN tunnels, BMC Discovery provides IP Logical connectivity, which shows direct shortcut relationships between the edge IP addresses of IPsec tunnels.
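The following Python model is an added illustration of the pattern logic described in this section; it is not BMC's own pattern code. It assumes a simplified node layout in which each IPAddress node carries the two hidden attributes, and the device names and addresses are constructed sample data. It also shows two edge cases the text implies: a remote peer address that no discovered device owns produces no link, and a tunnel reported by both ends is recorded once.

```python
from dataclasses import dataclass, field

# Vendor/type gating from the "Discovery model" section above.
SUPPORTED_VENDORS = {"Juniper Networks", "Palo Alto Networks"}
TRIGGER_TYPES = {"Firewall", "Router"}

@dataclass
class IPAddress:  # stand-in for a Discovery IPAddress node
    ip_addr: str
    ipsec_peer_local_addr: str = ""  # models __ipsec_peer_local_addr ("" = no tunnel data)
    ipsec_peer_remote_addrs: list = field(default_factory=list)  # models __ipsec_peer_remote_addrs

@dataclass
class NetworkDevice:
    name: str
    vendor: str
    type: str
    ip_addresses: list

def ipsec_links(devices):
    """Return IPsec tunnel links as sorted (ip_a, ip_b) pairs, one per tunnel
    even when both ends report it; undiscovered remote peers yield no link."""
    owner = {ip.ip_addr: dev for dev in devices for ip in dev.ip_addresses}
    links = set()
    for dev in devices:
        # The pattern triggers only on supported-vendor Firewall/Router devices.
        if dev.vendor not in SUPPORTED_VENDORS or dev.type not in TRIGGER_TYPES:
            continue
        for ip in dev.ip_addresses:
            local = ip.ipsec_peer_local_addr
            if not local or owner.get(local) is not dev:
                continue  # no tunnel data, or local endpoint not on this device
            for remote in ip.ipsec_peer_remote_addrs:
                peer = owner.get(remote)
                if peer is None or peer is dev:
                    continue  # remote peer device not discovered (or self-reference)
                links.add(tuple(sorted((local, remote))))
    return links

# Constructed sample: a Juniper SRX hub with site-to-site tunnels to two
# Palo Alto firewalls; it also reports a peer (192.0.2.99) that was never discovered.
SAMPLE_DEVICES = [
    NetworkDevice("srx-hub", "Juniper Networks", "Firewall", [
        IPAddress("203.0.113.1", "203.0.113.1", ["198.51.100.1", "198.51.100.2", "192.0.2.99"]),
        IPAddress("10.0.0.1")]),  # LAN address, no tunnel data
    NetworkDevice("pa-site-b", "Palo Alto Networks", "Firewall",
                  [IPAddress("198.51.100.1", "198.51.100.1", ["203.0.113.1"])]),
    NetworkDevice("pa-site-c", "Palo Alto Networks", "Firewall",
                  [IPAddress("198.51.100.2", "198.51.100.2", ["203.0.113.1"])]),
]
```

Calling ipsec_links(SAMPLE_DEVICES) yields the two hub-to-spoke pairs and nothing for 192.0.2.99, mirroring how the pattern only creates a LogicalNetworkLink once both peer devices are in the model.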
