How route-based VPNs work

Devices that provide VPN access are called VPN gateways. With route-based VPNs, you can create only site-to-site VPN tunnels between gateway devices.

There are two general types of VPN gateways in the SMC:

  • VPN Gateway elements are NGFW Engines that are managed by the Management Server and administrative Domain you are currently connected to with your Management Client.
  • All other gateway devices are External VPN Gateway elements. NGFW Engines that are managed by a different Management Server or administrative Domain are also External VPN Gateway elements.

Due to the various authentication and encryption methods that the IPsec protocol supports, the number of settings is rather high. To reduce configuration work, you can use reusable profiles for storing different types of settings. These and other elements related to route-based VPN configurations are pictured in this illustration.

Figure: Route-based VPN configuration example

The NGFW Engine and External Gateway refer to a Gateway Profile element that contains information about the capabilities of different types of gateways.
The NGFW Engine optionally refers to a Gateway Settings element that defines settings for advanced VPN performance tuning.
The NGFW Engine has a Tunnel Interface element defined.
The Tunnel Interface refers to a Route-Based VPN Tunnel element.
The NGFW Engine has a VPN Gateway element defined.
One VPN Gateway is automatically created for each NGFW Engine in the Firewall/VPN role.
The Route-Based VPN Tunnel element refers to both ends of the VPN tunnel: the VPN Gateway and External Gateway.
The Route-Based VPN Tunnel also refers to a VPN Profile, which contains the IPsec authentication and encryption settings (IKE settings)


It is not possible to create a mobile VPN tunnel using route-based VPN tunnels.