VPN configuration overview

Many steps might be required to configure a VPN, depending on the complexity of the configuration.

Devices that provide VPN access to other computers are called VPN gateways. There are two general types of VPN gateways in the Forcepoint NGFW Firewall/VPN:
  • VPN Gateway elements represent NGFW Engines that are managed by the Management Server (and administrative Domain) you are currently connected to with your Management Client.
  • All other gateway devices are represented by External VPN Gateway elements. Forcepoint NGFW Engines that are managed by a different Management Server (or administrative Domain) are also External VPN Gateways.

Due to the various authentication and encryption methods that are supported in VPNs, there are many settings in policy-based VPNs. To prevent repeated configuration work, reusable profiles are used for storing different types of settings. These profiles and other elements related to the configuration of policy-based VPNs are shown in the following illustration, excluding the elements that are related to managing certificates.

Figure: Elements in the VPN configuration (excluding certificate-related elements)



1
The VPN Gateway element represents a Firewall/VPN device in VPNs. One VPN Gateway element is automatically created for each NGFW Engine in the Firewall/VPN role. You can optionally add more VPN Gateways to the NGFW Engine. Each VPN Gateway element can be used in several VPNs. The Gateway element refers to the following other elements:
  • The NGFW Engine element contains the VPN settings for the VPN Gateway. The NGFW Engine element refers to a Gateway Settings element that defines settings for advanced VPN performance tuning. The default settings are usually recommended.
  • Gateway Profile elements contain information about the capabilities of different gateways, so that the system can disable unsupported options and find incompatible combinations of settings automatically. Gateway Profiles can be created and selected for External VPN Gateways. The Gateway Profiles of VPN Gateways are selected based on the installed software version.
  • Site elements define real or translated IP addresses that are routable through the policy-based VPNs. The system can add the IP addresses automatically from routing or you can adjust the sites yourself.
2. The Policy-Based VPN element combines other elements together to define the settings used in one particular policy-based VPN and defines the topology for the VPN.
Route-Based VPN Tunnel elements define the endpoints for tunnels in route-based VPNs.
Both kinds of VPN element refer to a VPN Profile, which contains the IKE and IPsec authentication and encryption settings used to establish the VPN.
3. The Firewall Policy controls policy-based VPN traffic in the same way as any other traffic.
  • The Access rules determine which connections are directed out through each VPN and which traffic is allowed in from each VPN.
  • The NAT rules define how address translation is done for VPN connections. The IKE and IPsec communication between the gateway devices themselves is matched against the NAT rules like any other traffic. The traffic that is carried inside the tunnels is subject to NAT only if address translation is enabled for the policy-based VPN.
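The following is an added example, not Forcepoint NGFW code, that models in Python how items 1 and 3 above fit together when traffic is handled: Site elements decide whether a connection belongs in a tunnel, and NAT rules are evaluated for the gateway-to-gateway packets regardless, but for the tunneled packets only when address translation is enabled for that VPN. The site networks, gateway addresses and the single NAT rule are constructed for illustration, and the element classes are a simplification of the real ones.

```python
"""Toy model of policy-based VPN traffic handling (constructed example).

Sites select the tunnel; NAT rules always apply to the outer
(gateway-to-gateway) packet and to the inner (tunneled) packet only
when the VPN has address translation enabled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class Site:
    """Addresses that are routable through the VPN behind one gateway."""
    name: str
    networks: List[IPNet]

    def contains(self, ip: IPAddr) -> bool:
        return any(ip in net for net in self.networks)


@dataclass
class Gateway:
    name: str
    endpoint: IPAddr   # address the IKE/IPsec packets are sent from or to
    site: Site


@dataclass
class PolicyVPN:
    name: str
    local: Gateway
    remote: Gateway
    nat_tunneled_traffic: bool = False   # "address translation enabled" for this VPN


@dataclass
class NatRule:
    match: IPNet
    translated_src: IPAddr


def apply_nat(rules: List[NatRule], src: IPAddr) -> IPAddr:
    """First matching source NAT rule wins; otherwise the address is unchanged."""
    for rule in rules:
        if src in rule.match:
            return rule.translated_src
    return src


def select_vpn(vpns: List[PolicyVPN], src: IPAddr, dst: IPAddr) -> Optional[PolicyVPN]:
    """A connection belongs in a VPN when its source is in the local Site
    and its destination is in the remote Site."""
    for vpn in vpns:
        if vpn.local.site.contains(src) and vpn.remote.site.contains(dst):
            return vpn
    return None


def forward(vpns: List[PolicyVPN], nat_rules: List[NatRule],
            src: IPAddr, dst: IPAddr) -> Dict[str, Optional[str]]:
    """Describe how one connection leaves the firewall."""
    vpn = select_vpn(vpns, src, dst)
    if vpn is None:
        # Plain traffic: NAT rules apply as usual.
        return {"vpn": None, "src": str(apply_nat(nat_rules, src)), "dst": str(dst)}
    # Inner packet: translated only if the VPN has NAT enabled.
    inner_src = apply_nat(nat_rules, src) if vpn.nat_tunneled_traffic else src
    # Outer packet: the gateway-to-gateway traffic is always matched against NAT rules.
    outer_src = apply_nat(nat_rules, vpn.local.endpoint)
    return {
        "vpn": vpn.name,
        "outer_src": str(outer_src),
        "outer_dst": str(vpn.remote.endpoint),
        "inner_src": str(inner_src),
        "inner_dst": str(dst),
    }


# Constructed sample topology (addresses are documentation ranges, not real hosts).
SITE_HQ = Site("HQ", [IPNet("10.1.0.0/16")])
SITE_BRANCH = Site("Branch", [IPNet("10.2.0.0/16")])
GW_HQ = Gateway("hq-fw", IPAddr("198.51.100.1"), SITE_HQ)
GW_BRANCH = Gateway("branch-fw", IPAddr("203.0.113.1"), SITE_BRANCH)
NAT_RULES = [NatRule(IPNet("10.1.0.0/16"), IPAddr("192.0.2.10"))]
VPN_PLAIN = PolicyVPN("HQ-Branch", GW_HQ, GW_BRANCH)
VPN_WITH_NAT = PolicyVPN("HQ-Branch-NAT", GW_HQ, GW_BRANCH, nat_tunneled_traffic=True)

if __name__ == "__main__":
    host, peer, internet = IPAddr("10.1.5.5"), IPAddr("10.2.7.7"), IPAddr("192.0.2.200")
    print(forward([VPN_PLAIN], NAT_RULES, host, peer))      # inner_src stays 10.1.5.5
    print(forward([VPN_WITH_NAT], NAT_RULES, host, peer))   # inner_src becomes 192.0.2.10
    print(forward([VPN_PLAIN], NAT_RULES, host, internet))  # no VPN, ordinary NAT applies
```

The model makes the practical point visible: a NAT rule that matches the internal network will rewrite the source of tunneled connections as soon as address translation is switched on for the VPN, so the remote Site must then list the translated address rather than the real one.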

The same elements used in the configuration of policy-based VPNs can also be used when configuring route-based VPNs.