Defining VPN Tunnel Settings for Policy-Based VPNs

Prerequisites: Defining Security Gateways, Defining Policy-Based VPNs, Defining VPN Topology for Policy-Based VPNs

The Tunnels tab in the VPN element editing view allows you to define settings particular to individual tunnels or to disable some tunnels altogether. The topology of the VPN (defined on the Overall Topology tab) determines which tunnels are shown on the Tunnels tab.

If an Internal Gateway has a Multi-Link VPN configuration, you can select whether to use the tunnels as backups or to actively balance traffic between them. Multi-Link is specific to Stonesoft Firewall/VPN and is not part of the IPsec standard, so you may not be able to use Multi-Link with third-party gateways. Satisfactory results can be achieved if the third-party gateway allows ICMP probes and RTT ICMP probes, and supports DPD. If required, you can disable redundant tunnels to the third-party gateway on this Tunnels tab.

This is also where you can view the link summary (a summary of addresses and settings that have been configured for individual tunnels), which you may want to check especially when there are complex setups involving external components (such as a VPN hub configuration).

Before modifying a VPN element that is used in active VPNs, we recommend making a backup of the Management Server as instructed in Creating Backups.

To define VPN tunnel settings

1.  Switch to the Tunnels tab in a VPN element in the editing mode (see Modifying an Existing VPN Element for instructions on how to open the VPN in editing mode). The list of tunnels is displayed.

2.  (Optional) If there are tunnels listed that are not needed, right-click the tunnel and select Disable.

3.  If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use.

4.  (Optional) Change the VPN Profile used at the tunnel level to override the profile selected for the VPN element.

5.  (Optional) If you have multiple tunnels (network links) between two Gateways (Multi-Link configuration), you can select the Mode in which End-Point<->End-Point links are used. The Mode that you select for a link overrides the Mode setting in the End-Point properties.

6.  (Optional) Review the IP addresses and settings used in the individual tunnels by right-clicking the tunnels on the End-Point<->End-Point list and selecting View Link Summary. This is especially useful in complex configurations that involve external components, where the IP address details and other settings must match the external configuration.

7.  After making all changes, check the Validity column for all tunnels.

8.  Click the Save icon above the tunnel lists.

The VPN is now configured, but to direct outgoing traffic to the VPN and allow incoming traffic from the VPN, you must add VPN Access rules and possibly also NAT rules.

If you need to add a trusted certificate authority or certificates that are not generated automatically, proceed to Getting Started With VPN Certificates before adding VPN rules.

Otherwise, continue by Creating Rules for Policy-Based VPNs.