Changing tunnels in a VPN

You can add or remove tunnels in a VPN.

Note: Before changing the tunnels that are used in active VPNs, we recommend that you back up the Management Server.

You must add or remove Route-Based VPN Tunnel elements manually.

In a policy-based VPN, the gateway topology and the number of active endpoints in each gateway element determine the number of tunnels generated for a VPN. After changing the topology of a policy-based VPN, always check on the Tunnels tab that all new or changed tunnels are valid.

  • Each central gateway forms a tunnel with each central and satellite gateway in the VPN. No other Gateway<->Gateway tunnels are created. Tunnels are not generated between endpoints that cannot connect to each other. For example, tunnels are not generated between two endpoints if they both have a dynamic IP address.
  • Adding a gateway under another gateway instead of directly at the main level in the central gateways list can prevent tunnel generation. This configuration implies that the gateway at the main level forwards connections to the gateways below it in the hierarchy. For the forwarding to work, it must be explicitly configured in the central gateway’s Access rules with the Use VPN > Forward action.
  • Endpoint<->endpoint tunnels are created between all endpoints defined in the properties of any two gateways that form a Gateway<->Gateway tunnel.
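
The generation rules above can be modeled to predict which tunnels should appear on the Tunnels tab after a topology change. The following is an added example, not the product's own code or algorithm: all gateway and endpoint names are constructed, only main-level gateways are modeled (no gateway hierarchy), and the only "cannot connect" case it applies is the dynamic-to-dynamic one named above.

```python
from itertools import combinations, product

# Constructed sample topology (hypothetical names, not from the product).
# gateway -> list of (endpoint name, has_dynamic_ip); main-level gateways only.
CENTRAL = {
    "HQ-GW": [("hq-isp1", False), ("hq-isp2", False)],
    "DC-GW": [("dc-isp1", False), ("dc-lte", True)],
}
SATELLITE = {
    "Branch-A": [("a-dsl", True)],
    "Branch-B": [("b-dsl", True), ("b-fiber", False)],
}

def gateway_tunnels(central, satellite):
    """Central gateways pair with every other central and every satellite.
    Satellite<->satellite pairs are never produced."""
    pairs = {frozenset(p) for p in combinations(central, 2)}
    pairs |= {frozenset((c, s)) for c in central for s in satellite}
    return pairs

def endpoint_tunnels(central, satellite):
    """Endpoint pairs for each gateway pair, skipping dynamic<->dynamic
    pairs (the one 'cannot connect' case the page names)."""
    endpoints = {**central, **satellite}
    result = {}
    for pair in gateway_tunnels(central, satellite):
        a, b = sorted(pair)
        result[(a, b)] = [
            (ea, eb)
            for (ea, dyn_a), (eb, dyn_b) in product(endpoints[a], endpoints[b])
            if not (dyn_a and dyn_b)
        ]
    return result

def expected_tunnel_count(central, satellite):
    """Number of endpoint tunnels to look for on the Tunnels tab."""
    return sum(len(v) for v in endpoint_tunnels(central, satellite).values())

if __name__ == "__main__":
    for (a, b), eps in sorted(endpoint_tunnels(CENTRAL, SATELLITE).items()):
        print(f"{a} <-> {b}: {len(eps)} endpoint tunnel(s)")
        for ea, eb in eps:
            print(f"    {ea} <-> {eb}")
    print("total:", expected_tunnel_count(CENTRAL, SATELLITE))
```

A gateway pair whose list comes back empty has no usable endpoint combination, which is worth catching before the change is deployed.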