Define endpoints for VPN Gateway elements
Each endpoint is dedicated for one VPN Gateway element.
Any IP address that is already an endpoint for another VPN Gateway element is not shown on the Endpoints list for other Gateways that you create for the same NGFW Engine. Each VPN Gateway element can be used in several VPNs. However, you cannot use the same pair of local and remote endpoints in a Route-Based VPN Tunnel element and a tunnel in a policy-based VPN.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor – VPN – End-Points
Use this branch to change the endpoint settings that are used when the engine acts as a VPN gateway.
Option | Definition |
---|---|
Enabled | When selected, the endpoint IP address is active. |
Name | Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown. |
IP Address | Shows the IP address of the endpoint. |
Mode | The Connection Type element that defines how the endpoint is used in a Multi-Link configuration. |
Options | Shows the optional settings that have been selected for the endpoint. |
Phase-1 ID | Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations. |
VPN Type | Shows the types of VPNs that the endpoint can be used in. |
Edit | Allows you to change the properties of the selected endpoint. Opens the Properties dialog box. |
Properties dialog box (Internal endpoints)
Use this dialog box to define the properties of internal endpoints.
Option | Definition |
---|---|
Name | The name of the endpoint. |
IP Address | The IP address of the endpoint. |
Dynamic | Automatically selected if the endpoint has a dynamic IP address. |
Mode | Specifies the Connection Type element that defines which endpoints can communicate with each other, and how endpoints are used in a Multi-Link configuration. Note: Tunnels are created only between endpoints that belong to the same connectivity group. |
NAT-T | Activates encapsulation for NAT traversal in site-to-site VPNs, which might be needed to traverse a NAT device at the local or at the remote gateway end. |
Use UDP encapsulation | This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later. |
Use TCP Tunneling Port on | This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later. |
Contact Addresses | The contact addresses for endpoints are defined in the Interface properties. |
Default | (Not enabled) Used by default whenever a component that belongs to another Location connects to this interface. |
Dynamic | (Not enabled) Used when the endpoint has a dynamic IP address. Note: Dynamic contact addresses are not supported on SSID Interfaces. |
Exceptions | Opens the Exceptions dialog box. |
Phase-1 ID | |
ID Type | Identifies the Gateways during the IKE phase-1 negotiations. |
Exceptions | Adds VPN-specific exceptions for the Phase-1 ID. Opens the Exceptions dialog box. |
ID Value | Specifies the details of the ID Type. |
VPN Type | Restricts the types of VPNs that the endpoint can be used in. |
All types | The endpoint can be used in all types of VPNs. |
Selected types only | Select one or more options. Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal. |
Properties dialog box (loopback endpoints)
Use this dialog box to define the properties of loopback endpoints.
Option | Definition |
---|---|
Name | The name of the endpoint. |
IP Address | The IP address of the endpoint. |
Dynamic | Automatically selected if the endpoint has a dynamic IP address. |
Mode | Specifies the Connection Type element that defines which endpoints can communicate with each other, and how endpoints are used in a Multi-Link configuration. Note: Tunnels are created only between endpoints that belong to the same connectivity group. |
NAT-T | Activates encapsulation for NAT traversal in site-to-site VPNs, which might be needed to traverse a NAT device at the local or at the remote gateway end. |
Use UDP encapsulation | This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later. |
Use TCP Tunneling Port on | This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later. |
Contact Addresses | The contact addresses for endpoints are defined in the Interface properties. |
Default | (Not enabled) Used by default whenever a component that belongs to another Location connects to this interface. |
Dynamic | (Not enabled) Used when the endpoint has a dynamic IP address. Note: Dynamic contact addresses are not supported on SSID Interfaces. |
Exceptions | Opens the Exceptions dialog box. |
Phase-1 ID | |
ID Type | Identifies the Gateways during the IKE phase-1 negotiations. |
Exceptions | Adds VPN-specific exceptions for the Phase-1 ID. Opens the Exceptions dialog box. |
ID Value | Specifies the details of the ID Type. |
VPN Type | Restricts the types of VPNs that the endpoint can be used in. |
All types | The endpoint can be used in all types of VPNs. |
Selected types only | Select one or more options. Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal. |
Connection Type Properties dialog box
Use this dialog box to create and edit Connection Type elements that define which endpoints can communicate with each other, and how endpoints are used in a Multi-Link configuration.
Option | Definition |
---|---|
Name | The name of the element. |
Mode | Defines how the endpoint is used in a Multi-Link configuration. |
Connectivity Group | The connectivity group to which the endpoint belongs. Tunnels are created only between endpoints that belong to the same connectivity group. |
Category (Optional) | Includes the element in predefined categories. Click Select to select a category. |
Comment (Optional) | A comment for your own reference. |
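The constraints stated on this page (an endpoint IP is dedicated to one VPN Gateway element per NGFW Engine, tunnels are created only between endpoints in the same connectivity group, the same local/remote endpoint pair cannot serve both a Route-Based VPN Tunnel and a policy-based VPN, and SSL VPN use requires an IPv4 address) are easy to check before a policy is installed. The following Python is an added example, not the product's own code or API: the `Endpoint` data class, the check functions and the sample addresses are all constructed for illustration, and the connectivity-group and gateway names are hypothetical.

```python
"""Added example: consistency checks for VPN endpoint definitions.

Models the rules this page states. The data model, function names and
sample values are assumptions made for the example; they are not the
NGFW product's own API or element model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from itertools import product

# "All types" on the VPN Type option: no restriction on where the endpoint is used.
ALL_TYPES = frozenset({"policy-based", "route-based", "ssl"})


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    gateway: str              # VPN Gateway element the endpoint is dedicated to
    engine: str               # NGFW Engine that owns that gateway
    connectivity_group: int   # taken from the endpoint's Connection Type element
    enabled: bool = True
    vpn_types: frozenset = ALL_TYPES   # "Selected types only" narrows this set


def find_endpoint_conflicts(endpoints):
    """Return (ip, first_gateway, other_gateway) for any IP that two Gateway
    elements on the same engine both claim as an endpoint."""
    owner_by_key = {}
    conflicts = []
    for ep in endpoints:
        key = (ep.engine, ep.ip)
        owner = owner_by_key.setdefault(key, ep.gateway)
        if owner != ep.gateway:
            conflicts.append((ep.ip, owner, ep.gateway))
    return conflicts


def candidate_tunnels(local_eps, remote_eps):
    """Endpoint pairs a tunnel can be created between: both endpoints enabled
    and in the same connectivity group."""
    return [
        (loc.name, rem.name)
        for loc, rem in product(local_eps, remote_eps)
        if loc.enabled and rem.enabled
        and loc.connectivity_group == rem.connectivity_group
    ]


def find_shared_pairs(route_based_tunnels, policy_based_tunnels):
    """(local, remote) pairs used by both a Route-Based VPN Tunnel element and
    a tunnel in a policy-based VPN, which the page says is not allowed."""
    return sorted(set(route_based_tunnels) & set(policy_based_tunnels))


def ssl_vpn_problems(endpoints):
    """Endpoints permitted for SSL VPN that do not carry an IPv4 address."""
    return [
        ep.name for ep in endpoints
        if "ssl" in ep.vpn_types and not isinstance(ip_address(ep.ip), IPv4Address)
    ]


# Constructed sample data using documentation address ranges; not a real deployment.
HQ = [
    Endpoint("hq-isp1", "198.51.100.10", "HQ-GW", "hq-fw", connectivity_group=1),
    Endpoint("hq-isp2", "203.0.113.10", "HQ-GW", "hq-fw", connectivity_group=2),
    Endpoint("hq-v6", "2001:db8::10", "HQ-GW", "hq-fw", connectivity_group=1),
]
BRANCH = [
    Endpoint("br-isp1", "192.0.2.20", "BR-GW", "br-fw", connectivity_group=1),
    Endpoint("br-backup", "192.0.2.21", "BR-GW", "br-fw", connectivity_group=2,
             enabled=False),
]
# A second Gateway on the HQ engine that reuses an IP already dedicated to HQ-GW.
DUPLICATE = Endpoint("hq-dup", "198.51.100.10", "HQ-GW2", "hq-fw", connectivity_group=1)

if __name__ == "__main__":
    tunnels = candidate_tunnels(HQ, BRANCH)
    print("tunnels:", tunnels)
    print("ip conflicts:", find_endpoint_conflicts(HQ + [DUPLICATE]))
    print("shared pairs:", find_shared_pairs([tunnels[0]], tunnels))
    print("ssl vpn problems:", ssl_vpn_problems(HQ))
```

With the sample data, only the two HQ endpoints in connectivity group 1 pair with the enabled branch endpoint; the disabled backup endpoint and the group-2 link produce no tunnel. The IPv6 endpoint is flagged because it is left at "All types" and therefore allowed for SSL VPN without an IPv4 address; restricting its `vpn_types` to the site-to-site types would clear that finding.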
Exceptions dialog box
Use this dialog box to add VPN-specific exceptions for the phase-1 ID in policy-based VPNs.
Option | Definition |
---|---|
VPN | Shows the VPN to which the exception applies. |
ID Type | Shows the phase-1 ID type used in the exception. |
ID Value | Specifies the value of the phase-1 ID used in the exception. |
Add | Adds a phase-1 ID of the selected type and opens the Select VPN dialog box. |
Remove | Removes the selected row from the table. |