Defining Site elements for VPN gateways

The protected IP addresses behind each gateway are defined using Site elements.

In the IPsec standard, these IP addresses are called traffic selectors. The IP addresses work like routing definitions when the gateway selects which VPN tunnel a packet is sent through. The Site elements must contain the IP addresses of all protected hosts that potentially send or receive VPN traffic through any site-to-site or mobile VPN. IP addresses that are not included in the Site elements are not allowed as source or destination addresses in policy-based VPNs. You cannot add or change Site elements under the VPN Client Gateway element. The Site elements are always added globally for all policy-based VPNs where a Gateway is used, but unnecessary Site elements can be disabled in individual VPNs.

The VPN settings for NGFW Engines include a Site that is automatically populated and updated according to the routing definitions. All interfaces and networks are included in the automatic Site, except interfaces with the Any Network element. If loopback IP addresses are defined for the engine, you can use a loopback IP address as an endpoint IP address.

The Site elements must always contain the actual IP addresses that are used inside the VPN tunnel. If you enable NAT for a policy-based VPN and translate the local IP addresses, you must define the Site elements using the translated (after NAT) addresses. The NAT addresses are not added to the Site automatically.

A hub gateway forwards traffic from one VPN tunnel to another. If you want to use a central gateway as a hub, include all IP addresses that are accessible through the central gateway in the central gateway’s Site elements.

Note: An IP address must be included in a Site to be valid in the VPN. The Access rules define which connections are allowed to enter and exit a VPN tunnel.

The IP address information is also checked in the VPN establishment phase. When creating VPNs with external Gateways, make sure that the IP address spaces of both gateways are defined identically in the SMC and on the external device. Otherwise, the VPN establishment can fail in one or both directions. Make sure to update the policies of any firewalls that are involved in the VPN when there are changes in the Site elements at either end.
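The following is an added illustration, not code from the SMC or from this documentation: a small Python model of how Site elements act as traffic selectors when a gateway picks a tunnel, why translated (after NAT) addresses must appear in the Site, and how a selector mismatch between two gateway definitions can be spotted before it causes establishment failures. All gateway names, networks and NAT rules are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (hypothetical addresses): this engine is a branch gateway;
# "hq-gw" is a hub whose Site also lists the data-centre networks reachable through it.
LOCAL_SITE = ["10.2.0.0/16"]
REMOTE_SITES = {
    "hq-gw": ["10.1.0.0/16", "172.16.0.0/12"],   # hub: own networks + networks behind it
    "partner-gw": ["198.51.100.0/24"],
}


def _match(addr, site):
    """Longest-prefix match of addr against a Site's networks; None if no match."""
    hits = [n for n in map(ip_network, site) if ip_address(addr) in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def select_tunnel(src, dst, local_site=LOCAL_SITE, remote_sites=REMOTE_SITES):
    """Return the remote gateway whose Site covers dst, or None when the packet is
    not eligible for the policy-based VPN (src or dst outside every Site)."""
    if _match(src, local_site) is None:
        return None                      # source not in the local Site: not VPN traffic
    best, best_len = None, -1
    for gw, site in remote_sites.items():
        hit = _match(dst, site)
        if hit is not None and hit.prefixlen > best_len:
            best, best_len = gw, hit.prefixlen
    return best                          # None if no remote Site contains dst


def apply_static_nat(addr, nat_rules):
    """Translate addr with the first matching static network NAT rule (before, after)."""
    a = ip_address(addr)
    for before, after in nat_rules:
        b, n = ip_network(before), ip_network(after)
        if a in b:
            return str(n.network_address + (int(a) - int(b.network_address)))
    return addr                          # no rule matched: address unchanged


def selector_mismatch(local_view, remote_view):
    """Networks defined on only one side for the same gateway; a non-empty result
    means tunnel establishment may fail in one or both directions."""
    l = {ip_network(n) for n in local_view}
    r = {ip_network(n) for n in remote_view}
    return sorted(str(n) for n in l ^ r)
```

Running `select_tunnel("10.200.3.4", "10.1.1.1")` after NAT to 10.200.0.0/16 returns None until the local Site is redefined with the translated network, which is the check the NAT paragraph above describes.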