How policy-based VPNs work

In policy-based VPNs, the Access rules determine which traffic is sent into the VPN tunnels.

Types of tunnels in policy-based VPNs

Policy-based VPNs can have two types of tunnels:
  • IPsec tunnels — The IPsec protocol allows any IP traffic to be transported in the VPN regardless of which higher-level protocol the traffic uses on top of the IP protocol. Hosts can communicate through the VPN as if it was a normal link without the need for application-specific configurations on the gateway device. IPsec is part of both the IPv4 and IPv6 standards. IPsec is defined in RFC 4301.
  • SSL VPN tunnels — SSL VPNs use secure sockets layer (SSL) encryption to provide secure remote access. With SSL VPNs, authenticated users establish secure connections to internal HTTP-based services through a web browser or through a client application.

    You can also use SSL VPN tunnels with the Stonesoft VPN Client in mobile VPNs.

You can use SSL VPN tunnels alone, IPsec tunnels alone, or both SSL VPN and IPsec tunnels together in the same policy-based VPN.

Site-to-site and mobile VPNs

You can create VPNs between gateway devices or between a VPN client and a gateway device:

  • A site-to-site VPN is created between two or more gateway devices that provide VPN access to several hosts in their internal networks. Site-to-site VPNs are supported for IPv4 and IPv6 traffic.
  • A mobile VPN is created between a VPN client running on an individual computer and a gateway device. Mobile VPNs are supported only for IPv4 traffic.

Figure: Site-to-site and mobile VPNs

For mobile VPNs, we recommend using the Stonesoft VPN Client solution. Stonesoft VPN Client is available for the following platforms:
  • Android (SSL VPN only)
  • Mac OS (SSL VPN only)
  • Windows (IPsec or SSL VPN)
In mobile VPNs with IPsec tunnels, you can alternatively use a third-party IPsec-compatible VPN client. However, third-party clients do not support all features offered by Forcepoint NGFW.
Note: Most VPN clients that are a part of a vendor-specific VPN gateway solution are incompatible with gateways from other vendors.
The following limitations apply to mobile VPNs:
  • Mobile VPNs can only be created in policy-based VPNs.
  • All mobile VPNs that you configure in Forcepoint NGFW must be valid for Stonesoft VPN Client even if you use only third-party VPN client software.
  • VPN clients cannot connect directly to firewalls that have a dynamic IP address.

    Instead, VPN clients connect through a central gateway that forwards the connections to the non-compatible gateways using a site-to-site VPN.