IP Connectivity by using IPsec VPN data


Starting from TKU March 2026, support for discovering relationships based on configured IPsec VPN data has been added. The IP connectivity feature based on IPsec VPN information discovers IP links between network devices connected through IPsec tunnels.

Supported Discovery versions

All Discovery versions starting from BMC Helix Discovery 25.2 (15.0) are supported.

Supported vendors

Currently, IP connectivity based on IPsec VPN information is supported only for specific series (ERX/SRX, NetScreen) of Juniper Networks devices and for Palo Alto Networks firewalls (scanned implicitly via Palo Alto Panorama).

Prerequisites

  • Valid SNMP credentials are required to discover IP links between network devices (Juniper).
  • Valid Palo Alto Panorama XML API credentials are required for implicit discovery of firewall devices via Panorama (Palo Alto).

What is IPsec?

IPsec is a group of protocols for securing connections. It is often used to set up VPNs (Virtual Private Networks); it works by encrypting IP packets and authenticating the source the packets come from.

How IPsec VPN works

An IPsec VPN is a feature of device software that uses the IPsec protocol to create encrypted tunnels between two or more network devices. For an IPsec VPN, the connection establishment process between peers is carried out in two stages (phases):

  • Phase 1 (IKE SA) consists of the following:
    1. Peers authenticate each other (pre-shared key or certificates).
    2. Negotiate encryption algorithms (AES, 3DES, etc.).
    3. Exchange keys using Diffie-Hellman.
    4. Establish a secure management channel.
  • Phase 2 (IPsec SA) consists of the following:
    1. Negotiate IPsec parameters (ESP/AH, encryption, hashing).
    2. Create Security Associations (SAs) for actual data traffic.
    3. Establish the encrypted tunnel for user data.

Encrypted IPsec packets travel across one or more networks to their destination using a transport protocol. IPsec uses UDP as its transport protocol because this allows IPsec packets to get through firewalls.

Discovery relies on data about established IPsec VPN tunnels, obtained via SNMP or via a Panorama API scan, to determine the local and remote peer IP addresses for further use in the IPsec pattern.

How to enable IP connectivity by IPsec VPN

To start discovering IP links between network devices by leveraging IPsec VPN, enable IP Logical Connectivity on the appliance from the IP Network view, as shown in the following screenshot. For more information, see the official BMC Helix Discovery documentation.

logical_connectivity_enable.png

Discovery model

The IPsec pattern is triggered by a NetworkDevice from the supported vendors list (see the "Supported vendors" section above) whose type is "Firewall" or "Router". It then looks for device-related IPAddress nodes with the corresponding hidden IPsec attributes set (__ipsec_peer_local_addr, __ipsec_peer_remote_addrs). Based on this data, the pattern searches for the remote peer devices and their related IPAddress nodes and creates the relationships (IPAddress:Peer:LogicalNetworkLink:Peer:IPAddress) that represent IPsec VPN tunnels between the devices' edge IP addresses.

In the following example, with three devices connected through IPsec VPN site-to-site tunnels, the BMC Discovery model is as follows:

devices_ipsec_connectivity.png
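As an added illustration (not BMC's pattern code and not TPL), the following Python models the matching logic described above: the trigger on device type, the lookup of the hidden attributes on IPAddress nodes, resolution of each remote peer address to an IPAddress node on another discovered device, and the collapse of the two tunnel directions into one link. Device names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Added example, not BMC code: models how the IPsec pattern derives
# IPAddress:Peer:LogicalNetworkLink:Peer:IPAddress relationships.
TRIGGER_TYPES = {"Firewall", "Router"}   # only these device types trigger

@dataclass
class IPAddress:
    ip: str
    # Stand-ins for the hidden __ipsec_peer_local_addr / __ipsec_peer_remote_addrs
    ipsec_peer_local_addr: str = ""
    ipsec_peer_remote_addrs: list = field(default_factory=list)

@dataclass
class NetworkDevice:
    name: str
    type: str
    addresses: list

def ipsec_links(devices):
    """Return sorted (edge_ip, edge_ip) pairs the pattern would link: a remote
    address must resolve to an IPAddress node on another discovered device,
    and the two directions of one tunnel collapse into a single link."""
    owner = {a.ip: d.name for d in devices for a in d.addresses}
    links = set()
    for dev in devices:
        if dev.type not in TRIGGER_TYPES:
            continue                      # e.g. a Switch never triggers
        for addr in dev.addresses:
            if not addr.ipsec_peer_local_addr:
                continue                  # no IPsec data on this node
            for remote in addr.ipsec_peer_remote_addrs:
                if owner.get(remote) in (None, dev.name):
                    continue              # peer not discovered, or self
                links.add(frozenset({addr.ipsec_peer_local_addr, remote}))
    return sorted(tuple(sorted(link)) for link in links)

# Constructed sample (RFC 5737 ranges): hub firewall, two branch routers,
# a switch that must not trigger, and a peer 203.0.113.99 never scanned.
SAMPLE_DEVICES = [
    NetworkDevice("hq-fw", "Firewall", [IPAddress("198.51.100.1", "198.51.100.1",
                  ["203.0.113.10", "203.0.113.20", "203.0.113.99"])]),
    NetworkDevice("branch-a", "Router", [IPAddress("203.0.113.10", "203.0.113.10", ["198.51.100.1"])]),
    NetworkDevice("branch-b", "Router", [IPAddress("203.0.113.20", "203.0.113.20", ["198.51.100.1"])]),
    NetworkDevice("core-sw", "Switch", [IPAddress("192.0.2.5", "192.0.2.5", ["198.51.100.1"])]),
]

if __name__ == "__main__":
    for local, remote in ipsec_links(SAMPLE_DEVICES):
        print(f"IPAddress({local}):Peer:LogicalNetworkLink:Peer:IPAddress({remote})")
```

Running it yields two links (hub to each branch); the unscanned peer and the switch's entry produce none, which is also what you would expect to see missing in the IP Logical connectivity view when a peer device has not been discovered.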

To display devices connected through IPsec VPN tunnels, BMC Discovery provides the following visualizations:

  • IP Logical connectivity - shows direct shortcut relationships between the IPsec tunnels' edge IP addresses.
