How policy-based VPNs work

In policy-based VPNs, the Access rules determine which traffic is sent into the VPN tunnels: a connection is sent into a tunnel only if it matches an Access rule whose action sends it to the VPN. Because the rules are evaluated in order, the order and scope of the Access rules decide what is encrypted and what is forwarded in the clear.

Site-to-site and mobile VPNs

You can create VPNs between gateway devices or between a VPN client and a gateway device:

  • A site-to-site VPN is created between two or more gateway devices that provide VPN access to several hosts in their internal networks. Site-to-site VPNs are supported for IPv4 and IPv6 traffic.
  • A mobile VPN is created between a VPN client running on an individual computer and a gateway device.

Figure: Site-to-site and mobile VPNs



For mobile VPNs, we recommend using the Forcepoint VPN Client solution. Forcepoint VPN Client is available for the following platforms:
  • Android (SSL VPN only)
  • Mac OS (SSL VPN only)
  • Windows (IPsec or SSL VPN)
In mobile VPNs with IPsec tunnels, you can alternatively use a third-party IPsec-compatible VPN client. However, third-party clients do not support all features offered by Forcepoint NGFW.
Note: Most VPN clients that are a part of a vendor-specific VPN gateway solution are incompatible with gateways from other vendors.

The following limitations apply to mobile VPNs:

  • All mobile VPNs that you configure in Forcepoint NGFW must be valid for Forcepoint VPN Client even if you use only third-party VPN client software.
  • VPN clients cannot connect directly to firewalls that have a dynamic IP address.

    Instead, VPN clients connect to a central gateway that has a static IP address, and the central gateway forwards the connections over a site-to-site VPN to the gateways that have dynamic IP addresses.

Types of encryption for tunnels in policy-based VPNs

Tunnels in policy-based VPNs can use two types of encryption:
  • IPsec — The IPsec protocol allows any IP traffic to be transported in the VPN regardless of which higher-level protocol the traffic uses on top of the IP protocol. Hosts can communicate through the VPN as if it were a normal link, without the need for application-specific configurations on the gateway device. IPsec is part of both the IPv4 and IPv6 standards. IPsec is defined in RFC 4301.

    You can use IPsec VPN tunnels in both site-to-site and mobile VPNs.

  • SSL VPN — SSL VPN tunnels use SSL/TLS encryption (the name is historical; current implementations use TLS) to provide secure remote access. SSL VPN tunnels are available only in mobile VPNs.

You can use SSL VPN tunnels alone, IPsec tunnels alone, or both SSL VPN and IPsec tunnels together in the same policy-based VPN.
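The two points above, that Access rules select which traffic enters a tunnel and that IPsec is defined in RFC 4301, share one model: an ordered list of traffic selectors, each with a processing choice. RFC 4301 calls it the Security Policy Database (SPD) and names the choices PROTECT, BYPASS and DISCARD. The following Python model is an added example written for this page and is not Forcepoint NGFW code; the site networks, rule names, tunnel name and packets are constructed for illustration. It shows first-match evaluation, the RFC 4301 default of discarding traffic that matches no entry, and the ordering mistake a practitioner most wants to catch: a broad cleartext rule placed above the VPN rules sends site-to-site traffic in the clear.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# RFC 4301 processing choices for an SPD entry
PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # next-layer protocol: "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # destination port, None for port-less protocols

    def key(self) -> str:
        port = "" if self.dport is None else f":{self.dport}"
        return f"{self.src}->{self.dst}/{self.proto}{port}"


@dataclass(frozen=True)
class Rule:
    """One ordered policy entry: RFC 4301-style traffic selectors plus a processing choice."""
    name: str
    src: str                      # CIDR, or "any"
    dst: str                      # CIDR, or "any"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port
    action: str = BYPASS
    tunnel: Optional[str] = None  # tunnel to use when action is PROTECT

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net, strict=False)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(policy: List[Rule], p: Packet) -> Tuple[str, Optional[str], Optional[str]]:
    """First-match lookup over the ordered policy. Returns (action, tunnel, rule name).
    A packet that matches no entry is discarded, the RFC 4301 default for an SPD miss."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.tunnel, rule.name
    return DISCARD, None, None


def find_cleartext_leaks(policy: List[Rule], packets: List[Packet], sites: List[str]) -> List[str]:
    """Audit check: traffic between two VPN sites that the policy would forward
    in clear (BYPASS) instead of protecting. Returns the offending packet keys."""
    nets = [ip_network(s) for s in sites]

    def in_sites(addr: str) -> bool:
        return any(ip_address(addr) in n for n in nets)

    return [p.key() for p in packets
            if in_sites(p.src) and in_sites(p.dst) and evaluate(policy, p)[0] == BYPASS]


# Constructed example (assumed, not from any real deployment):
# HQ 10.1.0.0/16 and a branch 10.2.0.0/16 joined by a tunnel named "hq-branch".
SITES = ["10.1.0.0/16", "10.2.0.0/16"]
HQ_TO_BRANCH = Rule("hq-to-branch", "10.1.0.0/16", "10.2.0.0/16", action=PROTECT, tunnel="hq-branch")
BRANCH_TO_HQ = Rule("branch-to-hq", "10.2.0.0/16", "10.1.0.0/16", action=PROTECT, tunnel="hq-branch")
WEB_OUT = Rule("web-out", "10.1.0.0/16", "any", proto="tcp", dport=443, action=BYPASS)
DEFAULT_DENY = Rule("default-deny", "any", "any", action=DISCARD)

POLICY_GOOD = [HQ_TO_BRANCH, BRANCH_TO_HQ, WEB_OUT, DEFAULT_DENY]   # VPN rules before cleartext rules
POLICY_BAD = [WEB_OUT, HQ_TO_BRANCH, BRANCH_TO_HQ, DEFAULT_DENY]    # broad cleartext rule placed first

SAMPLE_PACKETS = [                                   # constructed traffic
    Packet("10.1.5.5", "10.2.7.7", "tcp", 443),      # HQ -> branch HTTPS
    Packet("10.2.1.1", "10.1.1.1", "icmp"),          # branch -> HQ ping (no port)
    Packet("10.1.5.5", "198.51.100.10", "tcp", 443), # HQ -> Internet HTTPS
    Packet("10.1.5.5", "198.51.100.10", "tcp", 22),  # HQ -> Internet SSH
]

if __name__ == "__main__":
    for label, policy in (("good", POLICY_GOOD), ("bad", POLICY_BAD)):
        for p in SAMPLE_PACKETS:
            action, tunnel, rule = evaluate(policy, p)
            print(f"{label:4} {p.key():38} {action:8} {tunnel or '-':10} ({rule})")
        print(f"{label:4} cleartext leaks between sites: {find_cleartext_leaks(policy, SAMPLE_PACKETS, SITES)}")
```

With POLICY_GOOD the HQ-to-branch HTTPS connection and the ICMP echo are both protected, which is the property the IPsec paragraph describes: selection is on IP-level selectors, so the higher-level protocol does not matter. With POLICY_BAD the same HTTPS connection matches the broad "web-out" rule first and leaves in the clear; find_cleartext_leaks reports it. The same audit is worth running against a real policy whenever a permissive rule is added above the VPN rules.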