Defining VPN profiles

VPN Profile elements contain settings related to authentication, integrity checking, and encryption.

The VPN Profile element is the main point of configuration for IKE and IPsec settings. These settings are used or agreed on during IKE SA and IPsec SA negotiations. You can select any combination of settings as long as all gateways and VPN clients involved in the VPN support those settings and are configured to accept them.

The authentication methods for VPN clients are selected separately in the VPN Profile. A certificate-based method is always included in the VPN, but you can optionally add other authentication methods.

If you want to use certificates signed by a particular certificate authority (CA), you must define the CA as an element. By default, all VPN CAs are considered trusted, but you can restrict the trusted CAs for particular VPNs.

Each VPN refers to a VPN Profile. You can use the same VPN Profile in several VPNs if the settings are compatible. You can use the same VPN Profile in both policy-based and route-based VPNs. You can also easily copy the element to create custom versions of the same basic settings. There are predefined VPN Profile elements, which are mostly useful for site-to-site VPNs between firewalls that act as VPN Gateways.

Mobile VPNs usually require a custom profile. However, there is a predefined VPN Profile element that simplifies configuration for VPNs between iOS devices and Forcepoint NGFW VPN gateways. The iOS Suite VPN profile contains only iOS-compatible encryption algorithms and protocols.

Before editing a VPN Profile that is used in active VPNs, we recommend backing up the settings. You can back up the settings by duplicating the element, exporting it, or creating a Management Server backup. After editing a VPN profile that is used in active VPNs, check all VPNs that use the profile for issues that the changes might have caused.