Define endpoints for VPN Gateway elements

Each endpoint is dedicated to one VPN Gateway element.

Any IP address that is already an endpoint for another VPN Gateway element is not shown on the Endpoints list for other Gateways that you create for the same NGFW Engine. Each VPN Gateway element can be used in several VPNs. However, you cannot use the same pair of local and remote endpoints in a Route-Based VPN Tunnel element and a tunnel in a policy-based VPN.

Steps

  1. Right-click the Firewall, then select Edit Single Firewall or Edit Firewall Cluster.
  2. Browse to VPN > Endpoints.
  3. (Optional) Change the selection of IP addresses that you want to use as endpoints in VPNs.
    • Typically, these are IP addresses that belong to interfaces toward the Internet, which are automatically selected based on the firewall’s default routing table.
    • If loopback IP addresses are defined for the NGFW Engine, you can select a loopback IP address as the endpoint IP address. On clustered firewalls, the IP addresses are CVIs.
    • (Optional) If you have more than one Internet connection, select an IP address from each ISP.
  4. Double-click the endpoint, then configure the following optional settings according to your environment.
    1. (Optional) In the Name field, enter a descriptive name for the endpoint.
    2. (Multi-Link tunnels only) From the Mode drop-down list, select the Connection Type element that defines how the endpoint is used in a Multi-Link configuration.
      You can override these settings in each individual VPN.
    3. (Optional) From the Use NAT-T drop-down list, select an option to activate encapsulation for NAT traversal in site-to-site VPNs.
      You might need NAT traversal to traverse a NAT device at the local or at the remote gateway end. The gateway always allows VPN clients to use NAT-T regardless of these settings. NAT-T always uses the standard UDP port 4500.
      Note: If a private external IP address is translated to a public IP address by an external NAT device, make sure that Contact Addresses and Locations are defined for the Firewall.
      Note: The TCP Tunneling option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
  5. In the Phase-1 ID settings, select an option from the ID Type drop-down list according to your environment.
    • The ID identifies the Gateways during the IKE SA negotiations.
    • The Distinguished Name type is only valid in certificate-based authentication.
    • The IP Address type is not valid for endpoints with a dynamic IP address.
  6. In the ID Value field, enter an ID value according to the selected ID type.
    • If you selected DNS Name, enter a DNS name.
    • If you selected Email, enter an email address.
    • If you selected Distinguished Name, enter the distinguished name that is used in the gateway certificate.
    • If the endpoint has a dynamic IP address, enter a specific IP address as the value for the IP Address type.
      Note: If the endpoint has a static IP address, the value for the IP Address type is filled in automatically.
  7. (Optional) If the endpoint must use different Phase-1 ID settings in individual policy-based VPNs, add VPN-specific exceptions.
    1. Click Exceptions.
    2. Click Add, then select the type of ID from the drop-down list.
    3. Select a Policy-Based VPN element, then click Select.
    4. In the ID Value cell, enter the value of the ID.
  8. (Optional) In the VPN Type settings, restrict the types of VPNs that the endpoint can be used in.
    1. Select Selected types only.
    2. Select one or more types of VPNs.
  9. Click OK to save your changes to the endpoint.
  10. Save the changes.
    • To save the changes, click Save.
    • To save the changes and refresh the security policy on the engine, click Save and Refresh.
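As an added example (not from this documentation or the Forcepoint product), the following Python script encodes the endpoint rules stated in the steps above as a pre-deployment check: the Phase-1 ID type constraints, the automatic ID value for static IP Address IDs, the IPv4 requirement for SSL VPN types, reuse of an IP address as an endpoint of another gateway on the same engine, per-VPN Phase-1 ID exceptions, and the rule against using the same local/remote endpoint pair in both a Route-Based VPN Tunnel and a policy-based VPN. The Endpoint model and the function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of one VPN Gateway endpoint (example only, not Forcepoint's API).
ID_TYPES = ("DNS Name", "Email", "Distinguished Name", "IP Address")
SSL_TYPES = ("SSL VPN Tunnel", "SSL VPN Portal")

@dataclass
class Endpoint:
    ip: str
    dynamic: bool = False
    id_type: str = "IP Address"
    id_value: str = ""                   # left empty on static endpoints: auto-filled from ip
    cert_auth: bool = False              # gateway authenticates with a certificate
    vpn_types: tuple = ("IPsec VPN",) + SSL_TYPES   # the "All types" setting

def phase1_value(ep):
    """ID value actually used: the explicit value, or the endpoint IP for a static IP Address ID."""
    if ep.id_value:
        return ep.id_value
    return "" if (ep.dynamic or ep.id_type != "IP Address") else ep.ip

def check_endpoint(ep, used_ips=()):
    """Configuration problems of one endpoint; an empty list means it is consistent."""
    problems = []
    addr = ipaddress.ip_address(ep.ip)
    if ep.ip in used_ips:
        problems.append("IP is already an endpoint of another VPN Gateway on this engine")
    if ep.id_type not in ID_TYPES:
        problems.append(f"unknown ID type {ep.id_type!r}")
    elif ep.id_type == "Distinguished Name" and not ep.cert_auth:
        problems.append("Distinguished Name ID is only valid with certificate-based authentication")
    elif ep.id_type == "Email" and "@" not in ep.id_value:
        problems.append("Email ID needs an email address as the ID value")
    elif not phase1_value(ep):
        problems.append(f"{ep.id_type} ID needs an explicit ID value on this endpoint")
    if addr.version != 4 and any(t in ep.vpn_types for t in SSL_TYPES):
        problems.append("SSL VPN tunnel/portal use requires an IPv4 endpoint address")
    return problems

def effective_phase1_id(ep, vpn, exceptions=None):
    """Phase-1 ID used in a policy-based VPN, honouring VPN-specific exceptions (step 7)."""
    if exceptions and vpn in exceptions:
        return exceptions[vpn]
    return (ep.id_type, phase1_value(ep))

def overlapping_tunnel_pairs(route_based, policy_based):
    """Local/remote pairs used in both a Route-Based VPN Tunnel and a policy-based VPN (not allowed)."""
    return sorted(set(route_based) & set(policy_based))
```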

Engine Editor – VPN – End-Points

Use this branch to change the endpoint settings that are used when the engine acts as a VPN gateway.

Option Definition
Enabled: When selected, the endpoint IP address is active.
Name: Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown.
IP Address: Shows the IP address of the endpoint.
Mode: The Connection Type element that defines how the endpoint is used in a Multi-Link configuration.
Options: Shows the optional settings that have been selected for the endpoint.
Phase-1 ID: Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations.
VPN Type: Shows the types of VPNs that the endpoint can be used in.
Edit: Allows you to change the properties of the selected endpoint. Opens the Properties dialog box.

Properties dialog box (Internal endpoints)

Use this dialog box to define the properties of internal endpoints.

Option Definition
Name: The name of the endpoint.
IP Address: The IP address of the endpoint.
Dynamic: Automatically selected if the endpoint has a dynamic IP address.
Mode: Specifies the Connection Type element that defines which endpoints can communicate with each other, and how endpoints are used in a Multi-Link configuration.
Note: Tunnels are created only between endpoints that belong to the same connectivity group.
NAT-T: Activates encapsulation for NAT traversal in site-to-site VPNs, which might be needed to traverse a NAT device at the local or the remote gateway end.
  • Disabled — NAT traversal is disabled.
  • Enabled — Select this option to allow encapsulating the IPsec communications in standard NAT-T UDP packets in site-to-site VPNs when the gateways detect that a NAT operation is applied to the communications. Unless both gateways support this option, the option is ignored.
  • Forced — Select this option to force NAT-T even when the gateways do not detect a NAT operation being applied to the communications. Unless both gateways support this option, the VPN fails to establish.
Use UDP encapsulation: This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
Use TCP Tunneling Port on: This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
Contact Addresses: The contact addresses for endpoints are defined in the Interface properties.
Default (Not enabled): Used by default whenever a component that belongs to another Location connects to this interface.
Dynamic (Not enabled): Used when the endpoint has a dynamic IP address.
Note: Dynamic contact addresses are not supported on SSID Interfaces.
Exceptions: Opens the Exceptions dialog box.
Phase-1 ID
ID Type: Identifies the Gateways during the IKE phase-1 negotiations.
  • DNS Name — A DNS name identifies the gateway.
  • E-mail — An email address identifies the gateway.
  • Distinguished Name — The Distinguished Name (DN) field in the gateway's certificate identifies the gateway. Only valid in certificate-based authentication. You can only add one DN value for each VPN Gateway.
  • IP Address — An IP address identifies the gateway. For static IP addresses, filled in automatically according to the IP address you defined for this endpoint.
    Note: Not valid for endpoints with a dynamic IP address.
Exceptions: Adds VPN-specific exceptions for the Phase-1 ID. Opens the Exceptions dialog box.
ID Value: Specifies the details of the ID Type.
VPN Type: Restricts the types of VPNs that the endpoint can be used in.
All types: The endpoint can be used in all types of VPNs.
Selected types only: Select one or more options.
  • IPsec VPN — The endpoint can be used in IPsec tunnels.
  • SSL VPN Tunnel — The endpoint can be used in SSL VPN tunnels.
  • SSL VPN Portal — The endpoint can be used to access the SSL VPN Portal.
Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal.

Properties dialog box (loopback endpoints)

Use this dialog box to define the properties of loopback endpoints.

Option Definition
Name: The name of the endpoint.
IP Address: The IP address of the endpoint.
Dynamic: Automatically selected if the endpoint has a dynamic IP address.
Mode: Specifies the Connection Type element that defines which endpoints can communicate with each other, and how endpoints are used in a Multi-Link configuration.
Note: Tunnels are created only between endpoints that belong to the same connectivity group.
NAT-T: Activates encapsulation for NAT traversal in site-to-site VPNs, which might be needed to traverse a NAT device at the local or the remote gateway end.
  • Disabled — NAT traversal is disabled.
  • Enabled — Select this option to allow encapsulating the IPsec communications in standard NAT-T UDP packets in site-to-site VPNs when the gateways detect that a NAT operation is applied to the communications. Unless both gateways support this option, the option is ignored.
  • Forced — Select this option to force NAT-T even when the gateways do not detect a NAT operation being applied to the communications. Unless both gateways support this option, the VPN fails to establish.
Use UDP encapsulation: This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
Use TCP Tunneling Port on: This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
Contact Addresses: The contact addresses for endpoints are defined in the Interface properties.
Default (Not enabled): Used by default whenever a component that belongs to another Location connects to this interface.
Dynamic (Not enabled): Used when the endpoint has a dynamic IP address.
Note: Dynamic contact addresses are not supported on SSID Interfaces.
Exceptions: Opens the Exceptions dialog box.
Phase-1 ID
ID Type: Identifies the Gateways during the IKE phase-1 negotiations.
  • DNS Name — A DNS name identifies the gateway.
  • E-mail — An email address identifies the gateway.
  • Distinguished Name — The Distinguished Name (DN) field in the gateway's certificate identifies the gateway. Only valid in certificate-based authentication. You can only add one DN value for each VPN Gateway.
  • IP Address — An IP address identifies the gateway. For static IP addresses, filled in automatically according to the IP address you defined for this endpoint.
    Note: Not valid for endpoints with a dynamic IP address.
Exceptions: Adds VPN-specific exceptions for the Phase-1 ID. Opens the Exceptions dialog box.
ID Value: Specifies the details of the ID Type.
VPN Type: Restricts the types of VPNs that the endpoint can be used in.
All types: The endpoint can be used in all types of VPNs.
Selected types only: Select one or more options.
  • IPsec VPN — The endpoint can be used in IPsec tunnels.
  • SSL VPN Tunnel — The endpoint can be used in SSL VPN tunnels.
  • SSL VPN Portal — The endpoint can be used to access the SSL VPN Portal.
Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal.

Connection Type Properties dialog box

Use this dialog box to create and edit Connection Type elements that define which endpoints can communicate with each other, and how endpoints are used in a Multi-Link configuration.

Option Definition
Name: The name of the element.
Mode: Defines how the endpoint is used in a Multi-Link configuration.
  • Active — The link is always used. If there are multiple links in Active mode between the Gateways, the VPN traffic is load-balanced between the links based on the load of the links. VPN traffic is directed to the link that has the lowest load.
  • Aggregate — The link is always used, and each VPN connection is load-balanced in round-robin fashion between all the links that are in Aggregate mode. For example, if there are two links in Aggregate mode, a new VPN connection is directed to both links.
  • Standby — The link is used only when all Active or Aggregate mode links are unusable.
Connectivity Group: The connectivity group to which the endpoint belongs. Tunnels are created only between endpoints that belong to the same connectivity group.
Category (Optional): Includes the element in predefined categories. Click Select to select a category.
Comment (Optional): A comment for your own reference.
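The following Python model, added here as an example and not Forcepoint's own code, works through the Connection Type and NAT-T rules described above for the endpoints of two gateways: tunnels form only within one connectivity group, the NAT-T setting on each side decides whether a tunnel is established and whether it is encapsulated, and the local endpoint's Mode decides which tunnels a new VPN connection uses. Class and function names are assumptions; how Active and Aggregate links interact when both are present is not stated above, so the model treats them independently.

```python
from dataclasses import dataclass
from itertools import product

# Constructed model of two gateways' endpoints under Connection Type rules (example only).
@dataclass
class Endpoint:
    name: str
    mode: str          # "Active", "Aggregate" or "Standby"
    group: str         # connectivity group of its Connection Type element
    nat_t: str         # "Disabled", "Enabled" or "Forced"

@dataclass
class Tunnel:
    local: Endpoint
    remote: Endpoint
    usable: bool = True
    load: float = 0.0

def negotiate_nat_t(local_setting, remote_setting, nat_detected):
    """Return (established, encapsulated). 'Disabled' means that side does not support NAT-T."""
    settings = {local_setting, remote_setting}
    both_support = "Disabled" not in settings
    if "Forced" in settings:      # encapsulate even without NAT; fails unless both sides support it
        return (both_support, both_support)
    if "Enabled" in settings:     # encapsulate only when NAT is detected; otherwise ignored
        return (True, both_support and nat_detected)
    return (True, False)

def candidate_tunnels(local_endpoints, remote_endpoints, nat_detected=False):
    """Tunnels between the gateways: same connectivity group and a NAT-T outcome both sides accept."""
    tunnels = []
    for lo, re_ in product(local_endpoints, remote_endpoints):
        if lo.group != re_.group:
            continue
        established, _ = negotiate_nat_t(lo.nat_t, re_.nat_t, nat_detected)
        if established:
            tunnels.append(Tunnel(lo, re_))
    return tunnels

def links_for_new_connection(tunnels):
    """Tunnels a new connection is placed on, by the local endpoint's Mode: the lowest-load usable
    Active tunnel plus every usable Aggregate tunnel (round-robin across them); Standby tunnels only
    when no Active or Aggregate tunnel is usable. Assumption: Active and Aggregate are independent."""
    usable = [t for t in tunnels if t.usable]
    active = [t for t in usable if t.local.mode == "Active"]
    aggregate = [t for t in usable if t.local.mode == "Aggregate"]
    chosen = ([min(active, key=lambda t: t.load)] if active else []) + aggregate
    return chosen or [t for t in usable if t.local.mode == "Standby"]
```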

Exceptions dialog box

Use this dialog box to add VPN-specific exceptions for the phase-1 ID in policy-based VPNs.

Option Definition
VPN: Shows the VPN to which the exception applies.
ID Type: Shows the phase-1 ID type used in the exception.
ID Value: Specifies the value of the phase-1 ID used in the exception.
Add: Adds a phase-1 ID of the selected type and opens the Select VPN dialog box.
  • Distinguished Name — The Distinguished Name field in the gateway's certificate identifies the gateway. Only valid in certificate-based authentication.
  • DNS Name — A DNS name identifies the gateway.
  • E-mail — An email address identifies the gateway.
  • IP Address — An IP address identifies the gateway. For static IP addresses, filled in automatically according to the IP address you defined for this endpoint.
    Note: Not valid for endpoints with a dynamic IP address.
Remove: Removes the selected row from the table.