Define VPN topology for policy-based VPNs

For a valid policy-based VPN, you must have at least two gateways in the VPN. At least one of the gateways must be listed as a central gateway. The satellite gateways list can be left empty (for a full-mesh topology).

The Policy-Based VPN editing view has three tabs. The gateway selection on the Site-to-Site VPN tab determines the following:
  • Which gateways are included in the VPN.
  • Which gateways form tunnels with each other.
  • Which gateways contact each other through a hub gateway instead of contacting each other directly.

You define general VPN topology by classifying gateways as Central Gateways or Satellite Gateways. This classification defines which tunnels are generated on the Tunnels tab, and which gateways can be selected for mobile VPN access on the Mobile VPN tab.

IPv4 Access rules control which connections use the VPN tunnels. Always check the Access rules after you add or remove tunnels.

Note: Each endpoint-to-endpoint tunnel can only exist in one active VPN. If you use the same two gateway elements in more than one VPN, make sure that the topology does not create duplicate tunnels. You can also disable any duplicates of existing tunnels on the Tunnels tab.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Policy-Based VPNs.
  3. Right-click the Policy-Based VPN element, then select Edit.
  4. On the Site-to-Site VPN tab, drag and drop the Gateways you want to include in this VPN into either of the two panes for the VPN topology.
    • If you add a gateway under Central Gateways, the gateway can establish a VPN with any other gateway in the VPN. The Tunnels tab is populated with tunnels between the endpoints of the gateway you add and the endpoints of all other gateways in the VPN.
    • If you add a gateway under Satellite Gateways, the gateway can establish a VPN only with central gateways in this VPN. The Tunnels tab is populated with tunnels between the endpoints of the gateway you add and the endpoints of the central gateways.
    • The Issues pane alerts you to any incompatible or missing settings that you must correct.
    Note: Be careful to not unintentionally drop gateways on top of other gateways. Dropping gateways on top of other gateways creates a forwarding relationship on a hub gateway.
  5. (Optional) If you want to forward connections from one VPN tunnel into another through a hub gateway, drag and drop a gateway on top of another gateway. The gateway is added under the other gateway at the same level as the Sites.
    The Gateway used as a hub requires a special Site configuration.
  6. (Optional) If you want to exclude a gateway’s Site (some IP addresses) from this VPN, right-click the Site element under the gateway, then select Disable.
  7. (Optional) Define which VPN Gateways provide Mobile VPN access.
    1. On the Mobile VPN tab, select one of the following options:
      • Only central Gateways from overall topology — Only the VPN Gateways in the Central Gateways listed on the Site-to-Site VPN tab provide mobile VPN access.
      • All Gateways from overall topology — All VPN Gateways included in the VPN provide mobile VPN access.
      • Selected Gateways below — Only the VPN Gateways that you add to the Mobile VPN Gateways tree provide mobile VPN access. Drag and drop the VPN Gateways from the Resources pane.
  8. Click Save.

Issues pane (Policy-Based VPN editing view)

Use this pane to view and solve VPN issues.

Option Definition
Description A description of the issue and recommendations for troubleshooting.
Gateway A The name of the VPN Gateway element.
Endpoint A The IP address of VPN endpoint A.
Gateway B The name of the VPN Gateway element or the External VPN Gateway element.
Endpoint B The IP address of VPN endpoint B.