Define VPN client settings for Forcepoint NGFW
The Engine Editor contains settings for assigning valid IP addresses to VPN clients for connections through the VPN to the internal network.
If you use Stonesoft VPN Client, configure the Virtual Adapter. The alternative NAT Pool method does not allow the Stonesoft VPN Client computers to use your organization’s internal DNS servers. Virtual IP addresses work with all Stonesoft VPN Client versions and with third-party VPN clients that support this feature.
If you use Stonesoft VPN Client, the policy-based VPN configuration defined in the Management Client is also used for creating the configuration for Stonesoft VPN Client. Stonesoft VPN Client downloads the settings from the VPN gateway either manually or automatically whenever there are relevant changes. All IPsec and address management settings are included in the download. For example, the download includes information about which encryption methods are used and which internal networks clients can access through the gateway. The decision whether a VPN tunnel is used is based on the IP addresses you have defined for the Sites of the gateway.
- All IPsec-related settings, such as the authentication, encryption, and integrity checking options.
- The encryption domain (the IP addresses that are allowed in the VPN as a source or destination IP address).
If a VPN Gateway that contains VPN Client settings is used in a route-based VPN, the VPN Client settings are ignored.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor – VPN – VPN Client
Use this branch to change settings that are used when the engine acts as a VPN Gateway in a mobile VPN.
Option | Definition |
---|---|
Gateway Display Name | If you want to display a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element. |
VPN Type | Defines the type of tunnels the mobile VPN supports.
|
SSL Port (SSL VPN only) |
The port for SSL VPN tunnels. |
TLS Cryptography Suite Set (SSL VPN only) |
The cryptographic suite for SSL VPN tunnels. Click Select to select an element. Note: Do not change the default setting unless you have a specific reason to do
so.
|
Authentication Timeout (SSL VPN only) |
The timeout for Stonesoft VPN Client user authentication. |
Option | Definition |
---|---|
Local Security Checks section | Defines whether the Stonesoft VPN Client checks for the presence of basic security software to
stop connections from risky computers.
|
Option | Definition |
---|---|
Virtual Address section | Options for configuring the Stonesoft VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN. |
DHCP Mode | Specifies how DHCP requests from VPN clients are sent.
Note: If
SSL VPN or
Both IPsec & SSL VPN is selected from the
VPN Type drop-down list, only the
Direct and
DHCP Relay are shown.
|
Interface
(Direct DHCP mode only) |
The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
Interface for DHCP Relay
(Relay DHCP mode only) |
The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
DHCP Server (NGFW < 5.9)
(Direct DHCP mode only) |
The DHCP server that assigns IP addresses for the VPN clients.
Note: This option is intended for backward compatibility with
Forcepoint NGFW versions earlier than version 5.9.
|
DHCP Servers
(Relay DHCP mode only) |
The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element. |
Add Information (Optional) | Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
|
Restrict Virtual Address Ranges | When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right. |
Proxy ARP | When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right. |
Option | Definition |
---|---|
Secondary IPsec VPN Gateways section (Optional) (IPsec VPN type only) |
Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down. |