IPSec Phase 2
**************

Phase 2 entries can be created below the current Phase 1 entry.

**Local Network** is the network or address on the VT AIR that should be accessible from the remote side.

**Remote Network** is the network or address on the remote side that should be accessible from the VT AIR side.

.. image:: img/IPSec-Phase2-Addresses.png
    :width: 100%
    :align: center
    :alt: IPSec Phase 2 Addresses

Each pair of Local <-> Remote Networks needs a Phase 2 entry. In the background the system will create a mapping between the two in order to send the traffic between them through the IPSec tunnel.

**Algorithms** can be any mix of the available algorithms. You can add as many combinations as you like.

**Lifetime** must also match the remote side's lifetime.

.. image:: img/IPSec-Phase2-Algorithms.png
    :width: 100%
    :align: center
    :alt: IPSec Phase 2 Algorithms

**Ping Check** enables a ping check against an IP address on the other side of the tunnel. Make sure that at least one of the IP addresses of the VT AIR is part of the Phase 2 network definition.

**Ping IP Address** is the remote IP address to ping (must be in the remote network range).

**Ping Interval** is the number of seconds between checks.

**Ping Retries** is the number of retries before the Phase 2 is disconnected and reconnected. If you set this value to 0, no disconnect/reconnect is performed on ping errors.

.. image:: img/IPSec-Phase2-Ping-Check.png
    :width: 100%
    :align: center
    :alt: IPSec Phase 2 Ping Check

.. note:: If you need custom behaviour on the ping check, a custom script can be added at ``/usr/local/bin/check_ipsec_custom``.
    It receives two environment variables: ``PHASE2`` with the Phase 2 name and ``RESULT`` with the ping result, where 0 is success and 1 is failure.