Default elements for policy-based VPNs

There are several default elements for policy-based VPN configuration.

Table 1. Default elements for policy-based VPN configuration (element type: default elements)

Certificates: The Internal RSA CA for Gateways VPN Certificate Authority element represents the Management Server's internal RSA certificate authority. You can use the element to define certificate trust relationships if you configure other CAs in the SMC.

Connection Types: The default Connection Type elements represent the Active, Aggregate, and Standby modes for endpoints in a Multi-Link configuration.

Gateways: The predefined VPN Client gateway element represents VPN clients, including the Stonesoft VPN Client and third-party VPN clients. You can change the Gateway Profile associated with this default element.

Gateway Profiles: Several Gateway Profiles are included for different Firewall/VPN and Stonesoft VPN Client versions. With third-party VPN devices, you can use the Default (All Capabilities) profile, which enables all options. You can also create a more restrictive profile yourself for better automatic configuration validation.

Gateway Settings: Gateway Default Settings is a predefined Gateway Settings element that contains the default recommended settings for most environments.

Each firewall has settings that are common to all VPNs the firewall establishes; they are set in the Gateway Settings element. These settings are mostly for performance tuning, and usually there is no need to change them at all. If there is a particular need to change the settings, you must create a custom Gateway Settings element, because the Gateway Default Settings system element cannot be edited.

VPN Profiles: The predefined VPN Profiles allow you to quickly try out VPNs without creating a VPN Profile yourself.
  • The VPN-A Suite VPN Profile contains the VPN settings specified for the cryptographic suite "VPN-A" in RFC 4308.
  • The Suite-B-GCM-128 and Suite-B-GCM-256 VPN Profiles contain the VPN settings specified for the respective cryptographic suites in RFC 6379.
  • The iOS Suite VPN Profile contains only iOS-compatible encryption algorithms and protocols. For example, iOS VPN clients only support IKEv1 key exchange, which must be enabled in the profile.

The predefined VPN Profiles also allow you to change settings that are not specified in RFC 4308 and RFC 6379. You might need to adjust those settings to achieve a valid VPN in some configurations.
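The following is an added example, not code from the SMC product or its documentation. It shows how the RFC-defined suites behind the VPN-A Suite and Suite-B-GCM profiles can be checked against a candidate VPN Profile: the suite parameters are transcribed from RFC 4308 and RFC 6379, while the profile dictionary layout, the function names, the sample profiles and the legacy-setting list are assumptions made for this illustration. It also applies the page's statement that iOS clients need IKEv1 enabled.

```python
"""Check a candidate VPN Profile against the cryptographic suites that the
predefined VPN-A Suite and Suite-B-GCM profiles are based on.

Added illustration; the profile layout and function names are assumed, not
taken from the SMC.
"""

# Suite parameters transcribed from RFC 4308 (VPN-A) and RFC 6379
# (Suite-B-GCM-128 and Suite-B-GCM-256).
SUITES = {
    "VPN-A": {
        "esp_encryption": "3DES-CBC",
        "esp_integrity": "HMAC-SHA1-96",
        "ike_encryption": "3DES-CBC",
        "ike_prf": "HMAC-SHA1",
        "ike_integrity": "HMAC-SHA1-96",
        "ike_dh_group": 2,           # 1024-bit MODP
    },
    "Suite-B-GCM-128": {
        "esp_encryption": "AES-GCM-128",   # 16-octet ICV
        "esp_integrity": "NULL",           # GCM already authenticates
        "ike_encryption": "AES-CBC-128",
        "ike_prf": "HMAC-SHA-256",
        "ike_integrity": "HMAC-SHA-256-128",
        "ike_dh_group": 19,          # 256-bit random ECP
    },
    "Suite-B-GCM-256": {
        "esp_encryption": "AES-GCM-256",
        "esp_integrity": "NULL",
        "ike_encryption": "AES-CBC-256",
        "ike_prf": "HMAC-SHA-384",
        "ike_integrity": "HMAC-SHA-384-192",
        "ike_dh_group": 20,          # 384-bit random ECP
    },
}

# Settings from VPN-A that current IPsec algorithm guidance (RFC 8221 for ESP,
# RFC 8247 for IKEv2) treats as legacy. Assumed list for this example.
LEGACY_SETTINGS = {
    ("esp_encryption", "3DES-CBC"),
    ("ike_encryption", "3DES-CBC"),
    ("ike_dh_group", 2),
}


def check_suite(profile, suite_name):
    """Return one description per setting that departs from the named suite.

    An empty list means the profile still matches the RFC suite exactly.
    """
    suite = SUITES[suite_name]
    return [
        f"{key}: profile has {profile.get(key)!r}, {suite_name} requires {required!r}"
        for key, required in suite.items()
        if profile.get(key) != required
    ]


def legacy_settings(profile):
    """Return the sorted setting names that carry a legacy value."""
    return sorted(key for key, value in LEGACY_SETTINGS if profile.get(key) == value)


def ios_client_ready(profile):
    """The page states iOS VPN clients only support IKEv1, so it must be enabled."""
    return "IKEv1" in profile.get("ike_versions", ())


# Constructed sample profiles (not exported from any real SMC installation).
SUITE_B_128_PROFILE = {
    "ike_versions": ["IKEv2"],
    **SUITES["Suite-B-GCM-128"],
}

# Same suite after two well-meant edits: a stronger DH group and an explicit
# ESP integrity algorithm, neither of which RFC 6379 allows for this suite.
DRIFTED_PROFILE = dict(
    SUITE_B_128_PROFILE, ike_dh_group=20, esp_integrity="HMAC-SHA-256-128"
)

VPN_A_PROFILE = {
    "ike_versions": ["IKEv1", "IKEv2"],
    **SUITES["VPN-A"],
}

if __name__ == "__main__":
    for name, profile, suite in [
        ("Suite-B-128", SUITE_B_128_PROFILE, "Suite-B-GCM-128"),
        ("drifted", DRIFTED_PROFILE, "Suite-B-GCM-128"),
        ("VPN-A", VPN_A_PROFILE, "VPN-A"),
    ]:
        print(name, "mismatches:", check_suite(profile, suite))
        print(name, "legacy settings:", legacy_settings(profile))
        print(name, "iOS client ready:", ios_client_ready(profile))
```

Run it as a script to see that the drifted profile reports two mismatches against Suite-B-GCM-128, that the VPN-A profile matches RFC 4308 but carries three legacy settings, and that only the profile with IKEv1 enabled is usable by the iOS clients described above.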