Prerequisites: Defining Security Gateways, Defining Policy-Based VPNs, Defining VPN Topology for Policy-Based VPNs
The Tunnels tab in the VPN element editing view allows you to define settings particular to individual tunnels or to disable some tunnels altogether. The topology of the VPN (defined on the Overall Topology tab) determines which tunnels are shown on the Tunnels tab.
If an Internal Gateway has a Multi-Link VPN configuration, you can select whether to use tunnels as backups or to actively balance traffic between them. Multi-Link is specific to Stonesoft Firewall/VPN and is not part of the IPsec standard, so you may not be able to use Multi-Link with third-party gateways. Satisfactory results can be achieved if the third-party gateway allows ICMP probes and RTT ICMP probes, and supports DPD. You can disable redundant tunnels to the third-party gateway on this Tunnels tab if required.
This is also where you can view the link summary (a summary of addresses and settings that have been configured for individual tunnels), which you may want to check especially when there are complex setups involving external components (such as a VPN hub configuration).
Before modifying a VPN element that is used in active VPNs, we recommend making a backup of the Management Server as instructed in Creating Backups.
To define VPN tunnel settings
1. Switch to the Tunnels tab in a VPN element in the editing mode (see Modifying an Existing VPN Element for instructions on how to open the VPN in editing mode). The list of tunnels is displayed.
If no tunnels are listed, see Defining VPN Topology for Policy-Based VPNs.
The Gateway<->Gateway list shows connections between pairs of gateways.
The End-Point<->End-Point list shows the individual connections that form the tunnels in the Gateway<->Gateway list. There can be several connections at this level for any Gateway pair if one or both of the Gateways have multiple endpoints (Multi-Link). If both Gateways have only one endpoint, there is also only one tunnel at this level for the Gateway pair.
If you have set up connection forwarding between the Gateways on the Overall Topology tab, the number of generated tunnels is reduced according to the relationships configured and the capabilities of the Gateway that forwards the traffic. The forwarding relationships are shown under Forwarding Gateways.
2. (Optional) If there are tunnels listed that are not needed, right-click the tunnel and select Disable.
Duplicate tunnels are not allowed between VPNs. If some other VPN already defines a tunnel between the same end-points as some tunnel in this VPN, you must disable the duplicate tunnel in one of the VPNs.
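The following added example (illustration written for this page, not Stonesoft or Management Server code) models how each Gateway<->Gateway tunnel expands into End-Point<->End-Point tunnels, one per end-point combination, and how the cross-VPN duplicate rule from the note above can be checked over several VPN definitions. The gateway names, end-point addresses, and the VPN dictionary layout are constructed assumptions for the illustration.

```python
"""Hypothetical model of Gateway<->Gateway to End-Point<->End-Point tunnel
expansion and of the cross-VPN duplicate-tunnel check.
Added illustration; not Stonesoft/SMC code. All names and addresses below
are constructed sample values."""
from itertools import product

# Constructed sample topology: gateway name -> list of end-point addresses.
# GW-A has two end-points (a Multi-Link configuration); the others have one.
GATEWAYS = {
    "GW-A": ["198.51.100.1", "198.51.100.2"],
    "GW-B": ["203.0.113.10"],
    "GW-C": ["192.0.2.5"],
}


def endpoint_tunnels(gw1, gw2, gateways=GATEWAYS):
    """Expand one Gateway<->Gateway tunnel into the End-Point<->End-Point
    tunnels that form it. Each tunnel is an unordered pair (frozenset), so
    A<->B and B<->A are the same tunnel. A gateway pair with one end-point
    each yields exactly one tunnel."""
    return {frozenset((ep1, ep2))
            for ep1, ep2 in product(gateways[gw1], gateways[gw2])}


def expand_vpn(vpn, gateways=GATEWAYS):
    """Return the enabled End-Point<->End-Point tunnels of one VPN.

    vpn is a constructed dict: {"name": str,
                                "tunnels": [(gw1, gw2), ...],
                                "disabled": set of frozenset end-point pairs}
    Tunnels listed in "disabled" model the right-click > Disable action."""
    disabled = vpn.get("disabled", set())
    enabled = set()
    for gw1, gw2 in vpn["tunnels"]:
        for ep_pair in endpoint_tunnels(gw1, gw2, gateways):
            if ep_pair not in disabled:
                enabled.add(ep_pair)
    return enabled


def find_duplicate_tunnels(vpns, gateways=GATEWAYS):
    """Map each End-Point<->End-Point tunnel that is enabled in more than one
    VPN to the names of those VPNs. An empty result means no VPN defines a
    tunnel between the same end-points as another VPN."""
    owners = {}
    for vpn in vpns:
        for ep_pair in expand_vpn(vpn, gateways):
            owners.setdefault(ep_pair, []).append(vpn["name"])
    return {pair: names for pair, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    vpn1 = {"name": "VPN-1", "tunnels": [("GW-A", "GW-B")], "disabled": set()}
    vpn2 = {"name": "VPN-2",
            "tunnels": [("GW-B", "GW-A"), ("GW-B", "GW-C")],
            "disabled": set()}
    for pair, names in find_duplicate_tunnels([vpn1, vpn2]).items():
        print("duplicate tunnel", sorted(pair), "defined in", names)
    # Disabling the GW-A<->GW-B end-point tunnels in VPN-2 resolves the conflict.
    vpn2["disabled"] = endpoint_tunnels("GW-A", "GW-B")
    print("remaining duplicates:", find_duplicate_tunnels([vpn1, vpn2]))
```

The unordered-pair representation matters: a tunnel defined as GW-B<->GW-A in one VPN and GW-A<->GW-B in another is the same tunnel, and the check must report it as a duplicate regardless of the direction in which it was entered.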
3. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use.
To view, change, or export the pre-shared key for a particular tunnel, double-click the key icon in the Key column in the Gateway<->Gateway list.
This pre-shared key is used only with gateway devices. Set pre-shared keys for third-party VPN clients in the User elements (Stonesoft IPsec VPN Clients do not allow pre-shared key authentication).
4. (Optional) Change the VPN Profile used at the tunnel level to override the profile selected for the VPN element:
If you change the profile for a tunnel on the Gateway<->Gateway list, both the IKE SA and the IPsec SA settings of that profile override the defaults of the VPN.
If you change the profile for a tunnel on the End-Point<->End-Point list, only the IPsec SA settings of that profile override the settings selected for the main tunnel at the Gateway level.
5. (Optional) If you have multiple tunnels (network links) between two Gateways (Multi-Link configuration), you can select the Mode in which End-Point<->End-Point links are used. The Mode that you select for a link overrides the Mode setting in the End-Point properties.
Select a tunnel on the Gateway<->Gateway list.
Right-click the Mode column for a link on the End-Point<->End-Point list and select the mode from the right-click menu.
The Mode you select directly in the link’s right-click menu is used for all traffic that is directed to the link. You can also define that the link’s Mode is automatically calculated based on the Mode defined for the end-points. In addition, you can define QoS Exceptions to specify that the link’s Mode depends on the QoS class of the traffic that is directed to the link. See Editing VPN Link Modes in Policy-Based VPNs.
6. (Optional) Review the IP addresses and settings used in the individual tunnels by right-clicking the tunnels on the End-Point<->End-Point list and selecting View Link Summary. This is especially useful in complex configurations that involve external components to check the IP address details and other settings that must match with the external configuration.
7. After making all changes, check the Validity column for all tunnels.
If a tunnel has a warning icon in the Validity column, right-click the tunnel and select View Issues. You must resolve all problems indicated in the messages shown.
If all tunnels are shown as valid, the VPN is correctly configured. However, the Management Server cannot check all possible problems at this point, so additional issues may be shown at policy installation. Any validation and issues shown for external gateways are based only on the definitions that have been entered manually into the related elements.
8. Click the Save icon above the tunnel lists.
The VPN is now configured, but to direct outgoing traffic to the VPN and allow incoming traffic from the VPN, you must add VPN Access rules and possibly also NAT rules.