Use a policy-based VPN to encrypt tunnels in route-based VPNs

You can use a policy-based VPN to provide encryption for route-based VPN tunnels.

Before you begin

Define the policy-based VPNs that provide the encryption.

Using a policy-based VPN to encrypt tunnels in a route-based VPN allows you to do the following:

  • Encrypt multiple route-based VPN tunnels inside a single policy-based VPN tunnel. This configuration improves compatibility with third-party devices and cloud-based services that do not support multiple, separately encrypted tunnels.
  • Create multiple tunnels between remote and local sites when only one public IP address is available.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Create a Host element.
    1. Select Configuration, then browse to Network Elements.
    2. Right-click Hosts, then select New Host.
    3. In the IPv4 Address or IPv6 Address field, enter the same IP address as the endpoint you use in the route-based VPN.
      Note: You might receive a warning that the IP address of the Host element is not unique. Ignore the warning and save the element.
    4. Configure the other settings according to your needs.
    5. Click OK.
  2. Configure the VPN settings for the firewall that acts as the VPN gateway.
    1. Right-click the NGFW Engine, then select Edit <element type>.
    2. Browse to VPN > Endpoints, then define at least two endpoints: one for the policy-based VPN and one for the route-based VPN.
    3. Browse to Sites, then add the Host element to the site for the VPN Gateway.
    4. Click Save.
  3. Configure the policy-based VPN that provides the encryption.
    1. Open the policy-based VPN for editing.
    2. On the Site-to-Site VPN tab, add the VPN Gateway that represents the firewall to the Central Gateways or Satellite Gateways list.
    3. Click Save.
  4. Create the Route-Based VPN Tunnel element.
    1. Select Configuration, then browse to SD-WAN.
    2. Browse to Route-Based VPN Tunnels.
    3. Right-click Route-Based VPN Tunnels, then select New Route-Based VPN Tunnel.
    4. Use the following settings:
      Setting          Configuration
      Tunnel type      GRE, IP-IP, or SIT.
      Encryption       Tunnel Mode.
      VPN              Select the policy-based VPN that provides the encryption.
      Local firewall   Select the same VPN Gateway that is used in the policy-based VPN.
      CVI              Select the CVI that has the same IP address as the endpoint that is used in the policy-based VPN.

      Configure the other settings according to your needs.

    5. Click OK.
  5. Add Access rules to allow traffic between the internal network and the networks that are reachable through the route-based VPN tunnels.
    Note: The Access rules that direct the route-based VPN traffic into the policy-based VPN are automatically generated for the Firewalls associated with the VPN Gateway elements. The rules are not visible in the Firewall policy, and cannot be edited. If a policy that contains the automatically generated rules is installed on a Firewall that is not involved in the VPN, the rules are ignored.
    1. Open the Firewall policy for editing.
    2. Add IPv4 Access rules or IPv6 Access rules that have the following settings:
      Source        Elements that represent the internal network.
      Destination   Elements that represent the networks that are reachable through the route-based VPN tunnels.
      Service       Select a service, or set to ANY.
      Action        Allow.

      Configure the other settings for the rules according to your needs.
    3. Click Save.
    4. Install the policy on all Firewalls that are involved in the VPNs.
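After the policy is installed, a packet capture on the external interface should show only ESP (or UDP 4500 when NAT traversal is in use) between the two endpoints, never plaintext GRE, IP-IP or SIT, since the route-based tunnels are meant to travel inside the policy-based VPN. The script below is an added example that is not part of this documentation or the product: it classifies outer IPv4 packets that way, using constructed sample packets and documentation-range addresses in place of real endpoints.

```python
import ipaddress
import struct

# Tunnel types from the procedure, by IP protocol number; seen in the clear between the endpoints they indicate a misconfiguration.
PLAINTEXT_TUNNEL_PROTOS = {47: "GRE", 4: "IP-IP", 41: "SIT"}
ESP_PROTO = 50      # IPsec ESP, what the policy-based VPN should produce
NAT_T_PORT = 4500   # UDP-encapsulated ESP when NAT traversal is in use

def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, packet[ihl:]

def classify(packet: bytes, local_endpoint: str, remote_endpoint: str) -> str:
    """Verdict for one outer packet captured on the external interface."""
    src, dst, proto, payload = parse_ipv4(packet)
    if {src, dst} != {local_endpoint, remote_endpoint}:
        return "unrelated"
    if proto == ESP_PROTO:
        return "encrypted (ESP)"
    if proto == 17 and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if NAT_T_PORT in (sport, dport):
            return "encrypted (NAT-T)"
    if proto in PLAINTEXT_TUNNEL_PROTOS:
        return f"PLAINTEXT {PLAINTEXT_TUNNEL_PROTOS[proto]}: tunnel is not inside the policy-based VPN"
    return f"other (protocol {proto})"

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero) for the samples below."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload

# Constructed sample capture; both addresses are documentation ranges, not real endpoints.
LOCAL, REMOTE = "198.51.100.10", "203.0.113.20"
SAMPLES = [
    build_ipv4(LOCAL, REMOTE, ESP_PROTO, b"\x00" * 8),                  # expected result
    build_ipv4(REMOTE, LOCAL, 17, struct.pack("!HH", 4500, 4500)),      # NAT-T, also fine
    build_ipv4(LOCAL, REMOTE, 47, b"\x00\x00\x08\x00"),                 # GRE in the clear
    build_ipv4("192.0.2.5", REMOTE, 47),                                # not this VPN pair
]

def audit(packets, local_endpoint, remote_endpoint):
    return [classify(p, local_endpoint, remote_endpoint) for p in packets]
```

Feed it the outer headers from a capture taken between the two endpoint addresses; any PLAINTEXT verdict means the Route-Based VPN Tunnel element is not bound to the policy-based VPN as described in step 4.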