Define endpoints for External VPN Gateways

Each endpoint is dedicated for one External VPN Gateway element.

Before you begin

You must have an External VPN Gateway element.


Steps

  1. Right-click the External VPN Gateway element, then select Properties.
  2. On the Endpoints tab, click Add.
  3. Configure the following optional settings as needed for your environment.
    1. (Optional) In the Name field, enter a descriptive name for the endpoint.
    2. (Policy-Based VPNs only) From the Mode drop-down list, select an option to define how the endpoint is used in a Multi-Link configuration.
      You can override these settings in each individual VPN.
    3. (Optional) From the Use NAT-T drop-down list, select an option to activate encapsulation for NAT traversal in site-to-site VPNs.
      You might need NAT traversal to traverse a NAT device at the local or at the remote gateway end. The gateway always allows VPN clients to use NAT-T regardless of these settings. NAT-T always uses the standard UDP port 4500.
      Note: If a private external IP address is translated to a public IP address by an external NAT device, make sure that Contact Addresses and Locations are defined for the Firewall.
    4. If necessary, change the default Contact Address or add Exceptions for the Locations of other gateways involved in the VPN.
      The Contact Address must be defined if the IP address for contacting this gateway is different from the IP address that the gateway actually has on its interface (for example, because of NAT).
      Example: An external gateway is behind a NAT device. The real address is defined as the endpoint address, because the IP address is also used as the Phase 1 ID inside the encrypted traffic. Contact must be made using the translated address, so it is defined as a Contact Address.
  4. In the Phase-1 settings, select an option from the ID Type drop-down list according to your environment.
    • The ID identifies the Gateways during the IKE SA negotiations.
    • The Distinguished Name type is only valid in certificate-based authentication.
    • The IP Address might not work as an ID if the address is translated using NAT.
  5. In the ID Value field, enter an ID value according to the selected ID type.
    Note: Make sure that the ID value matches the identity configured on the external gateway device.
    • If you selected DNS Name, enter the DNS name that is configured on the external gateway device.
    • If you selected Email, enter the email address that is configured on the external gateway device.
    • If you selected Distinguished Name, enter the distinguished name that is used in the gateway certificate.
    • If the endpoint has a dynamic IP address, enter a specific IP address as the value for the IP Address type.
      Note: If the endpoint has a static IP address, the value for the IP Address type is filled in automatically.
  6. (Optional) If the endpoint must use different Phase-1 ID settings in individual policy-based VPNs, add VPN-specific exceptions.
    1. Click Exceptions.
    2. Click Add, then select the type of ID from the drop-down list.
    3. Select a Policy-Based VPN element, then click Select.
    4. In the ID Value cell, enter the value of the ID.
  7. Click OK to save your changes to the endpoint.

External Endpoint Properties dialog box

Use this dialog box to define the properties of an External Endpoint in an IPsec VPN.

Option: Definition
Name: Specifies a unique name for the element.
IP Address: If the endpoint has a static (manually defined) IP address, enter the IP address. This IP address must be the IP address that is configured for the external device in its configuration.
Dynamic: If the endpoint has a dynamic (DHCP-assigned) IP address, select this option.
Mode: Defines how the system treats the endpoint in a Gateway with multiple endpoints. This option is a default setting for the tunnels that are generated for VPNs that use this Gateway. You can override the Mode setting in each VPN.
  • Active — Use the tunnels of this endpoint whenever possible and balance the traffic across the tunnels based on a performance measurement or based on the links' relative bandwidths.
  • Aggregate — Use the tunnels of this endpoint whenever possible and balance each connection between the tunnels in round-robin fashion.
  • Standby — Use the tunnels of this endpoint only if the Active or Aggregate endpoints cannot be used.
NAT-T: Activates encapsulation for NAT traversal in VPNs, which might be needed to traverse a NAT device at the local or at the remote gateway end.
  • Disabled — NAT traversal is disabled.
  • Enabled — Select this option if you want to allow encapsulating the IPsec communications in standard NAT-T UDP packets in site-to-site VPNs when the gateways detect that a NAT operation is applied to the communications. Unless both gateways support this option, the option is ignored.
  • Forced — Select this option to force NAT-T even when the gateways do not detect a NAT operation being applied to the communications. Unless both gateways support this option, the VPN fails to establish.
Use UDP encapsulation: This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
Contact Addresses
Default: Used by default whenever a component that belongs to another Location connects to this endpoint.
Dynamic: Select when the endpoint has a dynamic Default contact address.
Phase-1 ID
ID Type: Identifies the gateway during the IKE phase-1 negotiations.
  • DNS Name — A DNS name identifies the gateway.
  • E-mail — An email address identifies the gateway.
  • Distinguished Name — The Distinguished Name (DN) field in the gateway's certificate identifies the gateway. Only valid in certificate-based authentication. You can only add one DN value for each External VPN Gateway.
  • IP Address — An IP address identifies the gateway. For static IP addresses, filled in automatically according to the IP address you defined for this endpoint.
    Note: Not valid for endpoints with a dynamic IP address.
Exceptions: Adds VPN-specific exceptions for the Phase-1 ID. Opens the Exceptions dialog box.
ID Value: Specifies the details of the ID Type.
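The procedure above and the dialog box reference state several consistency rules for an endpoint (a Distinguished Name ID needs certificate-based authentication, a dynamic endpoint cannot have its IP Address ID filled in automatically, a NAT-translated gateway needs a Contact Address, per-VPN Phase-1 ID exceptions override the default). The following is an added example, not Forcepoint NGFW code and not a Forcepoint API: it models an endpoint as a plain dict whose key names are assumed to mirror the dialog box fields, and applies those rules as checks so a definition can be reviewed before it is saved. The sample endpoints and the `behind_nat` flag are constructed for the example.

```python
"""Consistency checks for an External VPN Gateway endpoint definition.

Added example for this page: not Forcepoint NGFW code, calls no Forcepoint API.
Dict keys (assumed names) mirror the External Endpoint Properties dialog box.
"""
from ipaddress import ip_address

NAT_T_UDP_PORT = 4500  # NAT-T always uses the standard UDP port 4500

VALID_MODES = {"Active", "Aggregate", "Standby"}
VALID_NAT_T = {"Disabled", "Enabled", "Forced"}
VALID_ID_TYPES = {"DNS Name", "E-mail", "Distinguished Name", "IP Address"}


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def effective_phase1_id(endpoint, vpn_name=None):
    """Return the (id_type, id_value) pair this endpoint presents in a given VPN.

    A VPN-specific exception (step 6) overrides the default Phase-1 ID. For a
    static endpoint using the IP Address type the value defaults to the
    endpoint's own address, as the dialog box fills it in automatically.
    """
    exceptions = endpoint.get("phase1_exceptions", {})
    if vpn_name in exceptions:
        return tuple(exceptions[vpn_name])
    id_type = endpoint.get("id_type")
    id_value = endpoint.get("id_value")
    if id_type == "IP Address" and not id_value and not endpoint.get("dynamic"):
        id_value = endpoint.get("ip_address")
    return (id_type, id_value)


def check_endpoint(endpoint, certificate_auth=False, behind_nat=False):
    """Return a list of findings; an empty list means the definition is consistent.

    certificate_auth: the VPN authenticates gateways with certificates.
    behind_nat: an external NAT device translates this endpoint's address
    (assumed flag describing the environment, not a dialog box field).
    """
    findings = []
    static = endpoint.get("ip_address")
    dynamic = bool(endpoint.get("dynamic"))

    if not endpoint.get("name"):
        findings.append("name: a unique name is required")
    if bool(static) == dynamic:  # exactly one of static address / Dynamic
        findings.append("ip_address/dynamic: give exactly one of a static address or Dynamic")
    if static and not _is_ip(static):
        findings.append(f"ip_address: {static!r} is not a valid IP address")
    if endpoint.get("mode", "Active") not in VALID_MODES:
        findings.append(f"mode: must be one of {sorted(VALID_MODES)}")
    if endpoint.get("nat_t", "Disabled") not in VALID_NAT_T:
        findings.append(f"nat_t: must be one of {sorted(VALID_NAT_T)}")

    id_type, id_value = effective_phase1_id(endpoint)
    if id_type not in VALID_ID_TYPES:
        findings.append(f"id_type: must be one of {sorted(VALID_ID_TYPES)}")
    elif id_type == "Distinguished Name" and not certificate_auth:
        findings.append("id_type: Distinguished Name is only valid with certificate-based authentication")
    elif id_type == "IP Address":
        if not id_value:  # dynamic endpoint: nothing to fill in automatically
            findings.append("id_value: a dynamic endpoint has no address to fill in; enter a specific IP address")
        elif not _is_ip(id_value):
            findings.append(f"id_value: {id_value!r} is not a valid IP address")
        if behind_nat:
            findings.append("id_type: IP Address might not work as an ID when the address is translated by NAT")
    if id_type in VALID_ID_TYPES and id_type != "IP Address" and not id_value:
        findings.append(f"id_value: enter the {id_type} configured on the external gateway device")

    # The address used to reach the gateway may differ from its real one (NAT):
    # the translated address must then be defined as the Contact Address.
    if behind_nat and not endpoint.get("contact_address"):
        findings.append("contact_address: define the translated address as the Contact Address")

    # Per-VPN exceptions must be complete and obey the same ID type rules.
    for vpn, (exc_type, exc_value) in endpoint.get("phase1_exceptions", {}).items():
        if exc_type not in VALID_ID_TYPES or not exc_value:
            findings.append(f"phase1_exceptions[{vpn!r}]: needs a valid ID type and a value")
        elif exc_type == "Distinguished Name" and not certificate_auth:
            findings.append(f"phase1_exceptions[{vpn!r}]: Distinguished Name needs certificate-based authentication")
    return findings


# Constructed samples (not from the page). PARTNER_GW follows the step 3.4
# example: the real address is the endpoint address, the translated one is the
# Contact Address. BROKEN_GW is dynamic, uses a DN without certificates, and
# leaves the ID value empty.
PARTNER_GW = {
    "name": "partner-gw-1",
    "ip_address": "192.0.2.10",         # real address on the gateway interface
    "contact_address": "198.51.100.7",  # address other gateways actually use
    "mode": "Active",
    "nat_t": "Enabled",
    "id_type": "DNS Name",
    "id_value": "vpn.partner.example",
    "phase1_exceptions": {"Branch-VPN": ("E-mail", "vpn@partner.example")},
}
BROKEN_GW = {
    "name": "partner-gw-2",
    "dynamic": True,
    "mode": "Standby",
    "nat_t": "Forced",
    "id_type": "Distinguished Name",
    "id_value": "",
}

if __name__ == "__main__":
    for label, ep, nat in (("partner", PARTNER_GW, True), ("broken", BROKEN_GW, False)):
        print(label, check_endpoint(ep, behind_nat=nat) or "consistent")
```

Running the module prints no findings for `PARTNER_GW` and two for `BROKEN_GW` (the DN type without certificates and the empty ID value); passing `certificate_auth=True` clears the first. The `behind_nat` flag is what turns the step 3.4 example into a check: with it set, an endpoint that relies on the IP Address ID type or lacks a Contact Address is flagged.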