Configuring route-based VPNs

Route-based VPNs are implemented according to IPsec standards.

The information here assumes that you are already familiar with the basic concepts of building IPsec VPNs and concentrates on the features available in Forcepoint NGFW. Understanding basic IPsec concepts helps you configure VPNs. We recommend reading the general overview of VPNs and IPsec before moving on to this section.

Route-Based VPN Tunnel elements represent endpoints on the engine. Tunnel Interfaces allow routing information to determine which VPN tunnel is used.

When a route-based VPN tunnel uses IPsec in transport mode between the tunnel endpoints, the packets are not encapsulated in new IPsec packets. Instead, the original packet headers are left intact and only the IP payload is encrypted. Because transport mode adds no outer IP header, another encapsulation, such as generic routing encapsulation (GRE) or IP in IP (IP-IP), must be used to add the tunnel endpoint IP addresses in front of the original packet header.

When a route-based VPN tunnel uses IPsec in tunnel mode, the encryption is provided by a policy-based VPN.

In route-based VPNs, the routing defines which traffic is sent through the VPN tunnel. The Antispoofing configuration is automatically generated for tunnel interfaces. The routing configuration also determines the physical network interfaces on the engine to which the tunnel interfaces are automatically mapped. You can statically define which networks are reachable through each tunnel interface. You can also use dynamic routing to create the routes for traffic to be sent through the VPN tunnels.

Configure a route-based VPN in these general steps:

  1. Create a tunnel interface for one end of the VPN.
  2. Create a tunnel interface for the other end of the VPN.
  3. Create a Route-Based VPN Tunnel element that references both ends of the VPN.
  4. (Optional) Create Monitoring Groups to group Route-Based VPN Tunnel elements.
  5. Create Access rules to allow traffic between the internal network and the networks that are reachable through the route-based VPNs.
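As an added illustration of the routing rule described above (example code, not Forcepoint NGFW code or configuration), the following Python model shows how a static route table selects the tunnel interface by longest-prefix match, and how a reverse-path antispoofing check for each tunnel interface follows from the same routes. The interface names and networks are constructed for the example.

```python
import ipaddress

# Constructed static route table: destination network -> egress interface.
# This stands in for the routes you define in step 5 (networks reachable
# through each tunnel interface); the names are hypothetical.
ROUTES = {
    "10.10.0.0/16": "Tunnel Interface 1000",
    "10.20.0.0/16": "Tunnel Interface 1001",
    "10.20.5.0/24": "Tunnel Interface 1002",   # more specific than 10.20/16
    "0.0.0.0/0":    "Interface 0 (default)",    # non-VPN default route
}


def select_tunnel(dst_ip, routes=ROUTES):
    """Longest-prefix match: the route, not a policy, picks the tunnel."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def antispoofing_table(routes=ROUTES):
    """Derive the allowed source networks per interface from the routes.

    Mirrors the automatically generated antispoofing configuration: a packet
    arriving on a tunnel interface may only claim a source address that the
    engine would route back through that same interface.
    """
    table = {}
    for prefix, iface in routes.items():
        table.setdefault(iface, []).append(prefix)
    return table


def inbound_allowed(src_ip, ingress_iface, routes=ROUTES):
    """Reverse-path check: True if src_ip is legitimate on ingress_iface.

    Because the lookup is longest-prefix, a source in 10.20.5.0/24 is rejected
    on Tunnel Interface 1001 even though it lies inside 10.20.0.0/16, since
    that subnet is routed via Tunnel Interface 1002.
    """
    return select_tunnel(src_ip, routes) == ingress_iface
```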