Problems with VPNs with external gateways

There are some common problems and solutions when you create a VPN with an external gateway.

Both policy-based and route-based VPNs can form IPsec VPN tunnels with any other fully IPsec-compliant device. Lists of VPN products that have been tested for interoperability are published by ICSA Labs (https://www.icsalabs.com).

Note: Make sure that you have successfully installed or refreshed the policy on all affected Firewalls after you have changed any part of the VPN configuration.
When creating a VPN with an external gateway:
  • There are no settings that always work with a device of a certain brand and model. Most IPsec settings depend on user preference and there are many alternative settings that you can use, regardless of the type of gateway.
  • Make sure that all VPN settings are the same at both ends. Each end defines both its own gateway and the remote gateway, so there are typically four gateway definitions to check in all.
  • Make sure that matching networks and netmasks are defined at both ends. In the SMC, all networks you want to be accessible through the VPN must be placed in a Site element attached to the correct Gateway element. The networks defined must be identical at the other end.
  • One commonly missed setting is the granularity of the IPsec Security Association (SA): one SA per network pair or one SA per host pair. Some gateways have no explicit setting for this and use a fixed default. Find out which granularity the other device uses and configure the same at this end.
  • For third-party devices, check for parameters that are set in the VPN configuration in the Management Client but not on the other device. Find out the default settings used.
  • If the VPN works when the connection is initiated from one end but not from the other, even though the Firewall's policy has rules for both directions, the likely cause is a mismatch in the SA lifetime or in the encryption domain: the IP address definitions in the Site elements in the SMC overlap with, but are not identical to, the networks defined at the other end.
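The checks in the list above can be scripted before the tunnel is brought up. The following is an added example, not part of the original page and not SMC or third-party gateway code: it takes the IPsec parameters and encryption domains of both ends as plain Python dictionaries (the field names and the sample values are constructed for illustration, not SMC element or field names) and reports parameters that differ, parameters the other device leaves implicit, and networks that overlap but do not match exactly.

```python
"""Compare the IPsec settings configured at both ends of a site-to-site VPN.

Added illustration. LOCAL_SMC/REMOTE_GW and LOCAL_VIEW/REMOTE_VIEW are
constructed sample data; field names are illustrative, not SMC names.
"""
import ipaddress

# Parameters that must agree at both ends. A value missing at one end is
# reported as None so that an implicit default on a third-party device
# becomes visible instead of being silently assumed.
NEGOTIATED_FIELDS = (
    "ike_version", "ike_encryption", "ike_integrity", "ike_dh_group",
    "ike_lifetime_s", "ipsec_encryption", "ipsec_integrity",
    "ipsec_pfs_group", "ipsec_lifetime_s", "sa_granularity",
    "authentication",
)

# Constructed sample: what the SMC side and the third-party side are set to.
LOCAL_SMC = {
    "ike_version": 1, "ike_encryption": "aes256", "ike_integrity": "sha256",
    "ike_dh_group": 14, "ike_lifetime_s": 86400,
    "ipsec_encryption": "aes256", "ipsec_integrity": "sha256",
    "ipsec_pfs_group": 14, "ipsec_lifetime_s": 3600,
    "sa_granularity": "per_net", "authentication": "psk",
}
REMOTE_GW = {
    "ike_version": 1, "ike_encryption": "aes256", "ike_integrity": "sha256",
    "ike_dh_group": 14, "ike_lifetime_s": 86400,
    "ipsec_encryption": "aes256", "ipsec_integrity": "sha256",
    "ipsec_pfs_group": 14, "ipsec_lifetime_s": 28800,   # differs
    "authentication": "psk",                            # sa_granularity not set
}

# Encryption domains as each gateway sees them: "this_end" is what it
# protects, "other_end" is what it expects to reach through the tunnel.
LOCAL_VIEW = {"this_end": ["10.1.0.0/16"],
              "other_end": ["192.168.10.0/24", "192.168.11.0/24"]}
REMOTE_VIEW = {"this_end": ["192.168.10.0/23"],   # same range, one selector
               "other_end": ["10.1.0.0/16"]}


def check_parameters(local, remote):
    """Return (field, local_value, remote_value) for every field that differs."""
    return [(f, local.get(f), remote.get(f))
            for f in NEGOTIATED_FIELDS if local.get(f) != remote.get(f)]


def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def compare_selectors(local_view, remote_view):
    """Check that each end's protected networks are exactly the networks the
    other end expects to reach. Returns a list of findings; an empty list
    means the encryption domains agree in both directions."""
    findings = []
    checks = (
        ("local.this_end", local_view["this_end"],
         "remote.other_end", remote_view["other_end"]),
        ("local.other_end", local_view["other_end"],
         "remote.this_end", remote_view["this_end"]),
    )
    for name_a, cidrs_a, name_b, cidrs_b in checks:
        a, b = _nets(cidrs_a), _nets(cidrs_b)
        for label, mine, theirs in ((name_a, a, b), (name_b, b, a)):
            for n in sorted(mine - theirs, key=str):
                overlapping = sorted(str(o) for o in theirs if n.overlaps(o))
                findings.append({
                    "where": label,
                    "network": str(n),
                    "problem": ("overlaps but does not match" if overlapping
                                else "absent at the other end"),
                    "overlaps": overlapping,
                })
    return findings


if __name__ == "__main__":
    for field, lv, rv in check_parameters(LOCAL_SMC, REMOTE_GW):
        print(f"parameter mismatch: {field}: local={lv!r} remote={rv!r}")
    for f in compare_selectors(LOCAL_VIEW, REMOTE_VIEW):
        print(f"selector {f['where']} {f['network']}: {f['problem']} "
              f"{f['overlaps']}")
```

In the constructed sample the lifetime differs, the remote device has no explicit SA granularity setting, and the remote side defines one /23 where the SMC Site element contains two /24s: the same addresses, but not identical selectors, which is exactly the overlapping-but-mismatching encryption domain the last item above describes.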