IPSec Tunnel

Prepare and configure site-to-site IPSec tunnel details for secure network connectivity to HeartLab.

IPSec Tunnel Setup

Setting up an IPSec tunnel is one method of securely connecting your organisation network to the HeartLab cloud environment.

Your HeartLab Onboarding Manager will advise whether IPSec is the appropriate connectivity method for your environment.

Applies to

Customer network administrators
Firewall administrators
IT teams managing network infrastructure

This configuration must be performed by the parties responsible for managing the organisation’s network infrastructure.

Your Network Details

To establish the IPSec tunnel, HeartLab requires the following information from your network:

Required Information	Description
Public IP address	Public-facing IP address of your router/firewall
Local IPv4 CIDR block	Internal subnet(s) requiring connectivity
Gateway device model	Firewall or VPN appliance model

Please obtain these details from your IT administrator and provide them to HeartLab.

Setting Up the Connection

After receiving your network details, HeartLab will configure its side of the IPSec tunnel and provide the information required for your local IT team to complete setup.

Once received, provide the HeartLab tunnel configuration details to your network administrator.

Tunnel Details

HeartLab will provide site-specific values for:

Tunnel 1 IP
Tunnel 2 IP
Tunnel 1 pre-shared key
Tunnel 2 pre-shared key
Remote subnet details

Base Configuration

Setting	Value
IKE Version	2
VPN Type	Route-based
DPD Timeout	30 seconds

Phase 1 Settings

Setting	Supported Values
Encryption Algorithm	AES128, AES128-GCM-16, AES256, AES256-GCM-16
Integrity Algorithm	SHA1, SHA2-256, SHA2-384, SHA2-512
DH Group Numbers	2, 14–24
Key Lifetime	28,800 seconds

Phase 2 Settings

Setting	Supported Values
Encryption Algorithm	AES128, AES128-GCM-16, AES256, AES256-GCM-16
Integrity Algorithm	SHA1, SHA2-256, SHA2-384, SHA2-512
DH Group Numbers	2, 5, 14–24
Key Lifetime	3,600 seconds

Firewall Rules (Optional)

If your organisation restricts outbound firewall traffic, HeartLab can provide:

Destination IP address and port for outbound DICOM traffic
Source IP address and port for inbound DICOM traffic

These may be whitelisted to restrict communication to only the required traffic.

Restrictive firewall policies may prevent DICOM studies from transferring successfully if the required traffic is not permitted.

Validation

After setup:

Confirm the IPSec tunnels establish successfully.
Verify routing between both environments.
Send a test DICOM study.
Confirm the study appears successfully in HeartLab.

Troubleshooting

Common causes of IPSec tunnel failures include:

Incorrect pre-shared keys
Mismatched encryption proposals
Incorrect subnet definitions
Firewall NAT traversal restrictions
Routing conflicts

If issues persist:

Review IPSec logs on both sides
Confirm Phase 1 and Phase 2 settings match exactly
Contact HeartLab Support with relevant tunnel logs where possible

HL7 Templates

Create and customize HL7 message templates generated by HeartLab for downstream systems.

Kosmos

Connect a Kosmos device to HeartLab via IPSec VPN and DICOM profile configuration.

Manufacturer: HeartLab Limited 305 / 150 Karangahape Road Auckland 1010 New Zealand
UK Responsible Person: Casus UKRP Ltd 107-111 Fleet Street London EC4A 2AB United Kingdom
Australian Sponsor: Emergo Australia Level 20 Tower II Darling Park 201 Sussex Street Sydney NSW 2000 Australia

MD Applies to HeartLab v7.2 and above Effective 0000-00-00 eIFU version 0.0.0 UDI-DI 09421907090023