Add gateways to an existing VPN

To create connectivity to different gateways, add new gateways to route-based VPN tunnels and policy-based VPNs.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Create a gateway element to represent the physical gateway device in VPNs if the element does not exist already.
    VPN Gateway elements are automatically created for Forcepoint NGFW in the Firewall/VPN role. The same element can be used in many VPNs.
  2. If the VPN uses certificates for authentication, you might need to create a VPN certificate for the gateway.
    The same certificate can be used in many VPNs, providing it fulfills the following criteria:
    • The certificate must match the type of certificate selected for the VPN in the VPN Profile.
    • The certificate must be issued by a certificate authority that the other Gateways trust.
  3. Add the gateway to a policy-based VPN or to a Route-Based VPN Tunnel element.
    • Edit the Policy-Based VPN element and add the gateway on the Site-to-Site VPN tab.
    • Edit the Route-Based VPN Tunnel element and select the gateway.
  4. Check and adjust the tunnels between the new gateway and the existing gateways.
  5. Refresh the policies of all NGFW Engines that are involved in the tunnels.

Engine Editor > VPN

Use this branch to view the VPN Gateway elements associated with the NGFW Engine, and the VPNs where the VPN Gateway elements are used. You can optionally add more VPN Gateway elements.

Option Definition
Add

(Optional)

Adds a VPN Gateway element to the NGFW Engine. One VPN Gateway element is automatically created for each NGFW Engine. You can use the same VPN Gateway element in multiple VPNs. You might need to add VPN Gateway elements if you want to use different endpoint IP addresses in different types of VPNs.

Click Remove to remove the selected element.

Endpoints
Enabled When selected, the endpoint IP address is active.
Edit Opens the Properties dialog box for the endpoint.

Policy-Based VPN editing view

Use this view to create and modify policy-based virtual private networks (VPN).

Option Definition
Resources Use this pane to create and add elements to a VPN.
Search Opens a search field for the selected element list.
Up (Backspace) Returns to the previous folder.
New Opens the associated dialog box to create an element.
Tools
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the interface tree.
  • Sign VPN Client Certificate — Opens the Sign VPN Client Certificate dialog box.
  • Show Certificates — Shows certificates for VPN gateways.
  • Show Sites — Shows sites for VPN gateways.
  • Show Certificate Requests — Shows certificate requests for VPN gateways.
Option Definition
Editor toolbar
Save Saves the changes.
Tools menu
Properties Opens the VPN Properties dialog box.
Sign VPN Client Certificate Opens the Sign VPN Client Certificate dialog box.
Filter by Gateway Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab.
Filter by Firewall Shows only tunnels where the selected firewall is used. Only available on the Tunnels tab.
No Filtering Disables filtering.
Option Definition
Site-to-Site VPN tab
Central Gateways list Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN.
Satellite Gateways list Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN.
Option Definition
Mobile VPN tab
Select engines that provide Mobile VPN Access Specifies the gateways that can be selected for mobile VPN access.
  • None — None of the VPN gateways provide mobile VPN access.
  • Only central Gateways from overall topology — Only the VPN Gateways in the Central Gateways list on the Site-to-Site VPN tab provide mobile VPN access.
  • All Gateways from overall topology — All VPN Gateways included in the VPN provide mobile VPN access.
  • Selected Gateways below — Only the VPN Gateways that you add to the Mobile VPN Gateways tree provide mobile VPN access.
Option Definition
Tunnels tab
Gateway A or Gateway B VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements.
Right-clicking this type of cell opens these menu items:
  • Properties — Opens the element properties. For VPN Gateway elements, this action opens the Engine Editor.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate Regular Missing Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Monitoring — Opens the Logs view or another Monitoring view according to the option selected from the Monitoring menu.
  • Add Category — Adds a Category to the selected element.
  • Tools
    • Export Elements — Exports the selected element.
    • Generate Certificate — Opens the Generate Certificate dialog box.
    • Export iOS VPN Configuration Profile — Exports a configuration profile for Forcepoint VPN Client for iOS.
    • Save Gateway Contact Information — Saves the contact information for the selected gateway.
    • Lock — Prevents edits until the element is unlocked. Opens the Lock Properties dialog box.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
VPN Profile

To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel.

Right-clicking this type of cell opens these menu items:
  • Edit VPN Profile — Opens a menu from which you can select the VPN Profile.
  • Properties — Opens the VPN Profile Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Select Profile — Opens the Select Profile dialog box.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Tools
    • Export Elements — Exports the selected element.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
Key Indicates whether the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use.

To view, change, or export the pre-shared key, double-click the Key cell.

Right-clicking this type of cell opens these menu items:
  • Edit Key — Opens the Pre-Shared Key dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Validity Indicates whether the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View Issues. You must resolve all problems indicated in the messages shown.
Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Forwarding Gateways Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Endpoint A or Endpoint B

Select the endpoint IP addresses. You cannot use the same endpoint in a route-based VPN tunnel and a policy-based VPN tunnel.

If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address.

Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Logs by VPN Endpoint — Opens the Logs view and shows log data related to the VPN endpoint.
IPsec Profile Right-clicking this type of cell opens these menu items:
  • Edit IPsec Profile — Opens the VPN Profile Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Select Profile — Opens the Select Profile dialog box.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Tools
    • Export Elements — Exports the selected element.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
Mode Determines how the tunnel is used in a Multi-Link VPN.
Right-clicking this type of cell opens these menu items:
  • Edit Mode — Opens the Link Mode Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Standby — The link is used only when all Active or Aggregate mode links are unusable.
  • Active — The link is always used.

    If there are multiple links in Active mode between the Gateways, the VPN traffic is load-balanced between the links based on the links’ load. VPN traffic is directed to the link that has the lowest load.

  • Aggregate — The link is always used and each VPN connection is load-balanced in round-robin fashion between all the links that are in the Aggregate mode.

    For example, if there are two links in Aggregate mode, a new VPN connection is directed to both links.

  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Validity Indicates whether the tunnel is valid.
Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Option Definition
Panes in the Policy-Based VPN editing view
Info pane Shows information about the selected element.
Issues pane Shows issues in the VPN configuration, such as incompatible settings.
Link Summary pane Shows a summary of the policy-based VPN configuration.

Route-Based VPN Tunnel Properties dialog box

Use this dialog box to define the properties of a Route-Based VPN Tunnel.

Option Definition
Name The name of the element.
Enabled When selected, the tunnel is enabled.
Tunnel Type Specifies the protocol used in the tunnel.
  • GRE — Generic Routing Encapsulation. This tunnel type is compatible with gateways from most vendors.
  • IP-IP — IP in IP. This tunnel type is for use with third-party gateways that only support IP-IP.
  • SIT — Simple Internet Transition. This tunnel type is for use with IPv6 addresses.
  • VPN — This tunnel type negotiates IPsec tunnels in the same way as policy-based VPNs, but traffic is sent into the tunnel based on routing.
    Note: For the VPN tunnel type, tunnels between all endpoints of both gateways are automatically created.
Encryption

(Not when Tunnel Type is VPN)

The encryption mode for the tunnel.
  • Transport Mode — The tunnel uses IPsec in transport mode.
  • Tunnel Mode — The tunnel uses IPsec in tunnel mode.
  • No Encryption — The tunnel is not encrypted.
    CAUTION:
    This option defines a tunnel in which traffic is not protected by a VPN. The No Encryption option is recommended only when you create tunnels entirely within protected networks or you are testing and troubleshooting routing and connectivity.
VPN Profile

(Optional)

(When Tunnel Type is VPN)

(When Encryption is Transport Mode)

The VPN Profile element that defines the settings for authentication, integrity checking, and encryption for the tunnel.
Note: Settings in the VPN Profile that do not apply to route-based VPN tunnels, such as IPsec Client settings, are ignored.
Examples of available profiles:
  • VPN-A Suite — The tunnel uses the VPN-A Suite VPN Profile element. The VPN-A Suite VPN Profile contains the VPN settings specified for the cryptographic suite “VPN-A” in RFC 4308.
  • iOS Suite — The tunnel uses the iOS Suite VPN Profile element. The iOS Suite VPN Profile element contains only iOS-compatible encryption algorithms and protocols.
Click Select to select an element. VPN-A Suite is selected by default.
Edit

(Optional)

(When Tunnel Type is VPN)

(When Encryption is Transport Mode)

Allows you to use pre-shared key authentication for the gateways involved in the tunnel.
Note: The pre-shared key must be long and random to provide a secure VPN. Change the pre-shared key periodically (for example, monthly). Make sure that it is not possible for outsiders to obtain the key while you transfer it to other devices.
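The note above gives three requirements for a pre-shared key: long and random, rotated periodically, and never exposed in transit. The Python below is an added example, not code from Forcepoint or from this documentation, that generates a key with the operating system's CSPRNG and applies simple acceptance checks before a key is entered into the tunnel. The thresholds (32 characters, 128 estimated bits, 30-day rotation), the character set and the helper names are assumptions chosen for the example; the entropy estimate is only meaningful for keys that were actually generated at random, which is why a distinct-character check is applied as well.

```python
import math
import secrets
import string
from datetime import date, timedelta

# Character set used for generated keys (constructed choice for this example).
PSK_ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 32         # characters; assumption for this example
MIN_ENTROPY_BITS = 128  # assumption for this example
MAX_AGE_DAYS = 30       # "monthly" rotation from the note above


def generate_psk(length=64):
    """Return a random pre-shared key drawn with the OS CSPRNG (secrets module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def estimated_entropy_bits(psk):
    """Upper-bound estimate: length * log2(size of the character classes used).

    A dictionary word scores far above its real strength, so this is combined
    with the length and distinct-character checks in assess_psk().
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    space = sum(len(c) for c in classes if any(ch in c for ch in psk))
    return 0.0 if space == 0 else len(psk) * math.log2(space)


def assess_psk(psk):
    """Return a list of problems; an empty list means the key passes the checks."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"too short: {len(psk)} < {MIN_LENGTH} characters")
    if estimated_entropy_bits(psk) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    if len(set(psk)) < len(psk) // 4:
        problems.append("too few distinct characters for a random key")
    return problems


def rotation_due(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True when the key is older than the rotation interval."""
    today = today or date.today()
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    key = generate_psk()
    print(key, assess_psk(key))
    print(assess_psk("password"))
    print(rotation_due(date(2024, 1, 1), date(2024, 2, 15)))
```

The key is printed only so that it can be pasted into the Pre-Shared Key dialog box; in practice the value should be handed to the partner over an authenticated, encrypted channel rather than e-mail or chat, as the note above requires.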
VPN

(When Encryption is Tunnel Mode)

The policy-based VPN that provides the encryption for the tunnel. Click Select to select an element, or click New to create an element.
Option Definition
Local section
Gateway or Firewall The local gateway for the tunnel. Click Select to select an element.
Endpoint

(Not when Tunnel Type is VPN)

Allows you to select the endpoint IP addresses for the tunnel.

If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address.

Note: You cannot use the same endpoint pair in a route-based VPN tunnel and a policy-based VPN tunnel.
Interface The tunnel interface through which route-based VPN traffic is routed.
Option Definition
Remote section
Internal

(Not when Tunnel Type is VPN)

(Not when Encryption is Transport Mode)

When selected, specifies that the remote gateway is an NGFW Engine that is managed by the same Management Server to which you are currently connected.
External

(Not when Tunnel Type is VPN)

(Not when Encryption is Transport Mode)

When selected, specifies that the remote gateway is a third-party device or an NGFW Engine that is managed by a different Management Server.
IP Address

(External only)

The IP address of the remote gateway.
Gateway or Firewall

(Internal only)

The remote gateway in the tunnel. Click Select to select an element.
Endpoint

(Not when Tunnel Type is VPN)

Allows you to select the endpoint IP addresses for the tunnel.

If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address.

Note: You cannot use the same endpoint pair in a route-based VPN tunnel and a policy-based VPN tunnel.
Interface

(VPN Gateway elements only)

The tunnel interface through which route-based VPN traffic is routed.
Tunnels table

(When Tunnel Type is VPN)

  • Endpoint A or Endpoint B — Shows the endpoint IP addresses for the automatically created tunnels between all endpoints of both gateways.
  • IPsec Profile — The VPN Profile element that defines the settings for authentication, integrity checking, and encryption for the tunnel.
  • Mode — Shows the mode that defines how the endpoint is used in a Multi-Link configuration.
  • Validity — Shows whether the tunnel is valid.
Option Definition
Tunnel Options section
PMTU Discovery

(All tunnel types except VPN)

When selected, enables path MTU (PMTU) discovery. Select this option if you use dynamic routing and want to automatically determine the Maximum Transmission Unit (MTU) size on the network path to avoid IP fragmentation.
TTL

(Optional)

(All tunnel types except VPN)

Specifies the initial time-to-live (TTL) value that is inserted into the encapsulation header of packets that enter the tunnel. This setting is needed when dynamic routing is used. You can usually use the default value. The default TTL value is 64.
MTU

(Optional)

Specifies the maximum transmission unit (MTU) value that defines the largest unit of data that can be transmitted without fragmenting a packet. Set the MTU size as large as possible, but not so large that it causes packets to be fragmented. You can usually use the default value.
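Choosing an MTU "as large as possible, but not so large that it causes packets to be fragmented" means subtracting the encapsulation overhead of the tunnel type from the MTU of the underlying path. The Python below is an added example, not code from Forcepoint or this documentation, that does that arithmetic for the unencrypted GRE, IP-IP and SIT tunnel types using the standard header sizes (20-byte outer IPv4 header without options, 4-byte base GRE header, 4 bytes each for the optional GRE Key and Sequence Number fields). Tunnels protected by IPsec add a cipher-dependent ESP overhead on top of this, which the example deliberately does not model; the function names are assumptions.

```python
# Encapsulation overhead in bytes per packet for the unencrypted tunnel types.
OUTER_IPV4 = 20   # outer IPv4 header without options
OUTER_IPV6 = 40   # outer IPv6 header (GRE over IPv6 transport)
GRE_BASE = 4      # flags/version + protocol type
GRE_KEY = 4       # optional Key field
GRE_SEQ = 4       # optional Sequence Number field


def tunnel_overhead(tunnel_type, gre_key=False, gre_sequence=False, outer_ipv6=False):
    """Bytes added to every packet by the given tunnel type (no IPsec)."""
    kind = tunnel_type.upper()
    if kind == "GRE":
        outer = OUTER_IPV6 if outer_ipv6 else OUTER_IPV4
        return (outer + GRE_BASE
                + (GRE_KEY if gre_key else 0)
                + (GRE_SEQ if gre_sequence else 0))
    if kind == "IP-IP":
        return OUTER_IPV6 if outer_ipv6 else OUTER_IPV4   # one extra IP header
    if kind == "SIT":
        return OUTER_IPV4   # IPv6 carried inside an IPv4 header
    raise ValueError(f"unsupported or IPsec-protected tunnel type: {tunnel_type}")


def tunnel_mtu(path_mtu, tunnel_type, **opts):
    """Largest inner packet that fits on the path without fragmentation."""
    mtu = path_mtu - tunnel_overhead(tunnel_type, **opts)
    if mtu <= 0:
        raise ValueError("path MTU smaller than the encapsulation overhead")
    return mtu


def fragments_needed(packet_len, path_mtu, tunnel_type, **opts):
    """True if a packet of `packet_len` bytes would be fragmented once encapsulated."""
    return packet_len > tunnel_mtu(path_mtu, tunnel_type, **opts)


if __name__ == "__main__":
    # Constructed case: Ethernet path MTU of 1500 bytes.
    for kind in ("GRE", "IP-IP", "SIT"):
        print(kind, tunnel_mtu(1500, kind))
    print("GRE with key:", tunnel_mtu(1500, "GRE", gre_key=True))
```

The familiar result for plain GRE over a 1500-byte path is 1476; enabling the GRE Key field lowers it to 1472. When PMTU Discovery is enabled, the path MTU is learned dynamically and this calculation is what the engine effectively performs for you.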
Tunnel Group

(When Tunnel Type is VPN)

(When Encryption is Transport Mode)

Select the Tunnel Group to put the tunnel in. You can monitor the status of grouped tunnels in the Home view. By default, new tunnels are included in the Uncategorized group, which is a system Tunnel Group element.
Use GRE Keepalive

(When Tunnel Type is GRE and Encryption is No Encryption)

When selected, the NGFW Engine sends keepalive packets at the specified interval to check that the GRE tunnel is still functioning. If no reply is received after the specified number of packets, the GRE tunnel is considered to be down.

  • Period — The interval (in seconds) at which keepalive packets are sent. The default is 10 seconds. A value of 0 means that the NGFW Engine only replies to keepalive packets from other devices, but does not send keepalive packets itself.
  • Retry — The number of packets after which the GRE tunnel is considered to be down if no reply is received. The default is 3 packets.
Note: To use GRE keepalive, the router to which the NGFW Engine is connected must support GRE keepalive.
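The Period and Retry options above define a simple liveness detector: a keepalive is sent every Period seconds, and the tunnel is declared down after Retry consecutive packets go unanswered, so the worst-case time to notice a dead peer is Period × Retry seconds (30 seconds with the defaults). The Python below is an added example, not code from Forcepoint or this documentation, that models that state machine and replays a constructed event trace through it. That a reply from the peer brings the tunnel back up, and the event names used in the trace, are assumptions of the example.

```python
class GreKeepalive:
    """Tracks GRE tunnel state from keepalive traffic.

    `period` and `retry` follow the Use GRE Keepalive options: a keepalive is
    sent every `period` seconds and the tunnel is declared down after `retry`
    consecutive unanswered packets. Period 0 means reply-only mode. That a
    reply brings the tunnel back up is an assumption of this example.
    """

    def __init__(self, period=10, retry=3):
        if period < 0 or retry < 1:
            raise ValueError("period must be >= 0 and retry must be >= 1")
        self.period = period
        self.retry = retry
        self.unanswered = 0   # consecutive keepalives without a reply
        self.up = True
        self.sent = 0         # keepalives this side has sent
        self.replied = 0      # replies this side has returned to the peer

    def detection_time(self):
        """Worst-case seconds before a dead peer is noticed; None in reply-only mode."""
        return None if self.period == 0 else self.period * self.retry

    def timer_expired(self):
        """Called every `period` seconds; sends a keepalive unless period is 0."""
        if self.period == 0:
            return False
        self.sent += 1
        self.unanswered += 1
        if self.unanswered >= self.retry:
            self.up = False
        return True

    def reply_received(self):
        """A reply to one of our keepalives arrived: the path is alive."""
        self.unanswered = 0
        self.up = True

    def peer_keepalive_received(self):
        """The peer sent a keepalive; it is answered in both modes."""
        self.replied += 1
        return True


def replay(events, period=10, retry=3):
    """Feed a constructed event trace and return the tunnel state after each event."""
    ka = GreKeepalive(period, retry)
    actions = {
        "timer": ka.timer_expired,
        "reply": ka.reply_received,
        "peer": ka.peer_keepalive_received,
    }
    states = []
    for event in events:
        actions[event]()
        states.append(ka.up)
    return states


if __name__ == "__main__":
    # Constructed trace: one answered keepalive, then three unanswered ones.
    print(replay(["timer", "reply", "timer", "timer", "timer"]))
    print("worst-case detection:", GreKeepalive().detection_time(), "seconds")
```

Lowering Period or Retry shortens failover but also makes a transient packet loss on the underlying router path look like a tunnel failure, which is the trade-off the note about router support leaves to the administrator.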
Comment

(Optional)

A comment for your own reference.