Configuring IPsec VPNs with external gateway devices

An External VPN Gateway is any VPN gateway that is not controlled by the same Management Server (and the same administrative Domain) on which you are configuring the gateway element.

Often, external gateway devices are at a partner organization, not under your control, and not Forcepoint NGFW devices. Because IPsec is a networking standard, you can create a VPN between gateways of different brands by selecting the settings you want identically for both gateways. Any option that both gateways support is a valid option for the VPN.

The settings that must match are:
  • The IKE SA settings.
  • The IPsec SA settings.
  • The site definitions (IP addresses) defined for both gateways at both ends (possibly translated using NAT).
  • The endpoint identity type and value. The endpoint identity value is often the IP address of each gateway, but other options are also possible.

When the listed settings are identical, the VPN works. Unfortunately, there are some practical problems that complicate matching the settings.

The first problem you might experience when you configure a VPN between different brands of gateways is how to agree on common settings. Every setting must match to produce a fully functional VPN, and the supported options can be partly different on the different gateways. There is no single common standard for naming the different options, so the two gateways might use different names for the same authentication or encryption method. If Forcepoint NGFW devices are used as External VPN Gateways, you can export and import some settings between the two Management Servers (or between administrative Domains). However, much of the configuration must still be constructed manually.

The IP addresses accessible through each gateway are a commonly mismatched setting. In VPN Gateways controlled by the Management Server on which the VPN is configured, the IP addresses included in the policy-based VPN are defined as separate Site elements. The security association (SA) granularity setting defines whether a new VPN tunnel is established for each communicating host or for each network. Most gateways have an option for the SA granularity setting. However, some gateways might select the SA granularity automatically based on the type of IP address definition, or even have a fixed setting.
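As an added example (not part of the Forcepoint documentation), the following Python checker shows how the settings listed above can be compared across two gateways whose vendors name the same algorithms differently: it maps vendor labels to canonical names, intersects the IKE and IPsec proposals, checks that the site definitions and endpoint identities are mirrored, and compares the SA granularity. The alias table and the two gateway definitions are constructed for the illustration.

```python
import ipaddress
# Constructed alias table (an assumption here): vendor labels for the same algorithm -> one canonical name.
ALIASES = {"aes256": "aes-256", "aes-256-cbc": "aes-256", "aes256-cbc": "aes-256",
           "sha256": "sha2-256", "sha-256": "sha2-256", "hmac-sha2-256": "sha2-256",
           "group14": "modp2048", "dh14": "modp2048", "dh-group-14": "modp2048"}

def canonical(label):
    """Map a vendor label to its canonical name; unknown labels pass through lower-cased."""
    return ALIASES.get(label.strip().lower(), label.strip().lower())

def normalize(proposals):
    """{cipher, integrity, dh} dicts in vendor naming -> set of canonical tuples."""
    return {(canonical(p["cipher"]), canonical(p["integrity"]), canonical(p["dh"])) for p in proposals}

def common_proposals(local, remote):
    """Proposals both gateways support; any of them is a valid choice for the VPN."""
    return sorted(normalize(local) & normalize(remote))

def same_networks(a, b):
    """Compare site lists as networks, so differently written prefixes still match."""
    return {ipaddress.ip_network(c, strict=False) for c in a} == {ipaddress.ip_network(c, strict=False) for c in b}

def check_vpn(gw_a, gw_b):
    """List every setting that would stop the VPN between gateway definitions A and B."""
    problems = []
    for phase in ("ike", "ipsec"):
        if not common_proposals(gw_a[phase], gw_b[phase]):
            problems.append(f"no common {phase.upper()} SA proposal")
    # Sites and identities are mirrored: A's own values must equal what B has defined for its peer.
    for side, mine, peer in (("A", gw_a, gw_b), ("B", gw_b, gw_a)):
        if not same_networks(mine["my_sites"], peer["peer_sites"]):
            problems.append(f"{side}'s sites differ from the other side's definition of them")
        if mine["my_id"] != peer["peer_id"]:
            problems.append(f"{side}'s endpoint identity differs from the other side's definition")
    if gw_a["sa_granularity"] != gw_b["sa_granularity"]:
        problems.append(f"SA granularity differs: {gw_a['sa_granularity']} vs {gw_b['sa_granularity']}")
    return problems

# Constructed sample: one side uses NGFW-style labels, the partner device its own naming.
NGFW = {"ike": [{"cipher": "AES-256-CBC", "integrity": "SHA-256", "dh": "group14"}],
        "ipsec": [{"cipher": "AES-256-CBC", "integrity": "SHA-256", "dh": "group14"}],
        "my_sites": ["10.1.0.0/16"], "peer_sites": ["192.168.50.0/24"],
        "my_id": ("ip", "203.0.113.10"), "peer_id": ("ip", "198.51.100.20"),
        "sa_granularity": "per-network"}
PARTNER = {"ike": [{"cipher": "aes256", "integrity": "sha256", "dh": "dh14"}],
           "ipsec": [{"cipher": "aes256", "integrity": "sha256", "dh": "dh14"}],
           "my_sites": ["192.168.50.0/24"], "peer_sites": ["10.1.0.0/16"],
           "my_id": ("ip", "198.51.100.20"), "peer_id": ("ip", "203.0.113.10"),
           "sa_granularity": "per-host"}
```

With the sample definitions, `check_vpn(NGFW, PARTNER)` reports only the SA granularity mismatch, because the differently named proposals normalize to the same algorithms and the sites and identities are mirrored correctly.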

Note: Site definitions are always defined for the VPN Gateway or External VPN Gateway element and are used in all policy-based VPNs where the same gateway is used. If you add a site to a gateway in one policy-based VPN, disable it in other policy-based VPNs where you do not want the site to be included.