Create forwarding rules on hub gateways for policy-based VPNs
Create rules for forwarding policy-based VPN traffic from one tunnel to another and for forwarding tunneled traffic to the Internet.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
To forward policy-based VPN traffic from one tunnel to another, insert the following type of rule:
Table 1. Basic rule for forwarding policy-based VPN traffic
Source: Addresses in remote (spoke) networks as needed.
Destination: Addresses in remote (spoke) networks as needed.
Service: Set as needed.
Action: Select Use VPN, change the Action to Forward, then click Select to add the Policy-Based VPN element into which matching traffic is forwarded.
Source VPN: Double-click the cell to edit. Select Match traffic based on source VPN, then add one or more Policy-Based VPN elements according to where the traffic is coming from.
-
To forward tunneled traffic to the Internet, insert the following type of rule:
In most cases, the source IP addresses are from a private address space and must be translated to publicly routable IP addresses. Make sure that NAT is enabled in the properties of the Policy-Based VPN element, and add a NAT rule for the VPN traffic if a suitable NAT rule does not exist already.
Table 2. Rule for allowing traffic except if it arrives through policy-based VPNs
Source: Set as needed.
Destination: Set as needed.
Service: Set as needed.
Action: Select Allow.
Source VPN: Double-click the cell to edit. Select Match traffic based on source VPN, then add one or more Policy-Based VPN elements according to where the traffic is coming from. This rule does not match traffic from other sources.
-
Configure the remote gateway or VPN clients to forward all traffic to the VPN.
- VPN clients — Configure the DHCP server to assign the hub gateway as the default gateway for the VPN clients.
- Forcepoint NGFW gateways — Create a VPN rule that directs all traffic to the policy-based VPN with the hub gateway.
Note: For the traffic to be allowed into the VPN, the destination IP address must be part of the Site definition of the hub gateway. When you forward Internet traffic, the hub’s Site must usually include the Any Network element. This Site can interfere with other VPN configurations. We recommend disabling it in other VPNs.
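
The following is an added illustration of how the hub rules in this procedure behave, written for this page and not Forcepoint code: it models first-match evaluation of the two rule types (Use VPN with Forward, and Allow restricted by the Source VPN cell), the NAT that tunneled private sources need before leaving to the Internet, and the spoke-side check that the destination is inside the hub's Site definition. The matching semantics are simplified, "any" stands in for the Any Network element, and every element name, network and address (spoke-a-vpn, spoke-b-vpn, 10.1.0.0/16, 203.0.113.10 and so on) is constructed for the example.

```python
"""Toy model of the hub gateway Access rules described above.
Added illustration, not Forcepoint code: semantics are simplified and
all element names, networks and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    source_vpn: Optional[str]  # policy-based VPN the packet arrived through; None = not tunneled


@dataclass
class Rule:
    name: str
    sources: list            # network strings; "any" stands for the Any Network element
    destinations: list
    services: set            # service names; {"any"} matches every service
    action: str              # "forward_vpn" (Use VPN -> Forward) or "allow"
    source_vpns: set         # Source VPN cell ("Match traffic based on source VPN"); empty = not set
    forward_to: Optional[str] = None  # Policy-Based VPN element matching traffic is forwarded into


def in_networks(addr: str, networks: list) -> bool:
    return "any" in networks or any(ip_address(addr) in ip_network(n) for n in networks)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not in_networks(pkt.src, rule.sources) or not in_networks(pkt.dst, rule.destinations):
        return False
    if "any" not in rule.services and pkt.service not in rule.services:
        return False
    # With the Source VPN cell set, only traffic that arrived through one of the
    # listed policy-based VPNs matches; traffic from any other source never does.
    if rule.source_vpns and pkt.source_vpn not in rule.source_vpns:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> tuple:
    """First-match evaluation; no match falls through to the implicit discard."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.action, rule.forward_to
    return None, "discard", None


def in_hub_site(dst: str, hub_site: list) -> bool:
    """Spoke side: traffic only enters the VPN if dst is part of the hub's Site definition."""
    return in_networks(dst, hub_site)


RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def translate_source(pkt: Packet, nat_rules: dict, internal_nets: list) -> Optional[str]:
    """Source NAT for tunneled private addresses leaving to the Internet.
    nat_rules maps a source network to the public IP it is translated to.
    Returns the translated source, the original source when no NAT applies
    (internal destination or already-public source), or None when a private
    source would leave untranslated because the NAT rule is missing."""
    if in_networks(pkt.dst, internal_nets) or not in_networks(pkt.src, RFC1918):
        return pkt.src
    for net, public_ip in nat_rules.items():
        if ip_address(pkt.src) in ip_network(net):
            return public_ip
    return None


# Constructed hub policy: spoke A is 10.1.0.0/16 behind spoke-a-vpn, spoke B is 10.2.0.0/16 behind spoke-b-vpn.
HUB_RULES = [
    Rule("a-to-b", ["10.1.0.0/16"], ["10.2.0.0/16"], {"any"}, "forward_vpn", {"spoke-a-vpn"}, "spoke-b-vpn"),
    Rule("b-to-a", ["10.2.0.0/16"], ["10.1.0.0/16"], {"any"}, "forward_vpn", {"spoke-b-vpn"}, "spoke-a-vpn"),
    Rule("vpn-to-internet", ["any"], ["any"], {"any"}, "allow", {"spoke-a-vpn", "spoke-b-vpn"}),
]
SPOKE_NETS = ["10.1.0.0/16", "10.2.0.0/16"]
HUB_NAT = {"10.0.0.0/8": "203.0.113.10"}   # constructed; 203.0.113.0/24 is documentation address space
HUB_SITE = SPOKE_NETS + ["any"]           # "any" = Any Network, needed to pull Internet traffic into the tunnel

if __name__ == "__main__":
    samples = [
        Packet("10.1.5.5", "10.2.7.7", "https", "spoke-a-vpn"),       # spoke A -> spoke B through the hub
        Packet("10.1.5.5", "198.51.100.20", "https", "spoke-a-vpn"),  # spoke A -> Internet through the hub
        Packet("10.1.5.5", "198.51.100.20", "https", None),           # same addresses, but not tunneled
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, "via", pkt.source_vpn, "=>", evaluate(HUB_RULES, pkt))
    print("NAT source:", translate_source(samples[1], HUB_NAT, SPOKE_NETS))
    print("Internet dst in hub Site:", in_hub_site("198.51.100.20", HUB_SITE), in_hub_site("198.51.100.20", SPOKE_NETS))
```

The third sample packet shows the point the Table 2 note makes: because the Allow rule's Source VPN cell is set, a packet with the same addresses that did not arrive through one of the listed VPNs matches nothing and hits the implicit discard. The last print shows why the hub's Site must include Any Network when Internet traffic is forwarded: with only the spoke networks in the Site, the spoke would not send Internet-bound traffic into the tunnel at all.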