Define endpoints for VPN Gateway elements
Each endpoint is dedicated to one VPN Gateway element.
Any IP address that is already an endpoint for another VPN Gateway element is not shown on the Endpoints list for other Gateways that you create for the same NGFW Engine. Each VPN Gateway element can be used in several VPNs. However, you cannot use the same pair of local and remote endpoints in different VPN configurations for the same NGFW Engine.
Steps
Engine Editor > VPN > Endpoints
Use this branch to change the endpoint settings that are used when the NGFW Engine acts as a VPN gateway.
Option | Definition |
---|---|
Enabled | When selected, the endpoint IP address is active. |
Name | Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown. |
IP Address | Shows the IP address of the endpoint. |
Connection Type | Defines how the endpoint is used in a Multi-Link configuration. |
Options | Shows the optional settings that have been selected for the endpoint. |
Phase-1 ID | Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations. |
VPN Type | Shows the types of VPNs that the endpoint can be used in. |
Edit | Allows you to change the properties of the selected endpoint. |
Endpoint Properties dialog box
Use this dialog box to define the properties of internal endpoints.
Option | Definition |
---|---|
Name | The name of the endpoint. If no name is entered, the IP address is used. |
IP Address | The IP address of the endpoint. |
Dynamic | Automatically selected if the endpoint has a dynamic IP address. |
Connection Type | Defines how the endpoint is used in a Multi-Link configuration. |
NAT-T | Activates encapsulation for NAT traversal in site-to-site VPNs, which might be needed to traverse a NAT device at the local or at the remote gateway end. |
Contact Addresses section | This section cannot be edited. The contact addresses for endpoints are defined in the Interface properties. |
Default | Used by default whenever a component that belongs to another Location connects to this interface. |
Dynamic | Used when the endpoint has a dynamic IP address. Note: Dynamic contact addresses are not supported on SSID Interfaces. |
Exceptions | Opens the Exceptions dialog box. |
Phase-1 ID section | |
ID Type | Identifies the Gateways during the IKE phase-1 negotiations. |
ID Value | Specifies the details of the ID Type. |
VPN Type section | |
All types | Restricts the types of VPNs that the endpoint can be used in. |
Selected types only | Select one or more options. Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal. |
Connection Type Properties dialog box
Use this dialog box to create and edit Connection Type elements that define which endpoints can communicate with each other, and how endpoints are used in a Multi-Link configuration.
Option | Definition |
---|---|
Name | The name of the element. |
Link Type | Identifies the type of ISP connection. |
Mode | Defines how the endpoint is used in a Multi-Link configuration. |
Connectivity Group | The connectivity group to which the endpoint belongs. Tunnels are created only between endpoints that belong to the same connectivity group. |
Category (Optional) | Includes the element in predefined categories. Click Select to select a category. |
Comment (Optional) | A comment for your own reference. |
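
The endpoint rules stated on this page (an endpoint IP is dedicated to one VPN Gateway element, a local/remote endpoint pair cannot be reused in different VPN configurations on the same NGFW Engine, tunnels form only within one connectivity group, and SSL VPN requires an IPv4 endpoint) can be checked against a planned configuration before it is entered in the Engine Editor. The Python audit below is an added example, not vendor code and not a management API; the inventory layout, element names, finding labels, and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory for one NGFW Engine (hypothetical layout, documentation-range addresses).
GATEWAYS = {  # VPN Gateway element -> its endpoints
    "gw-a": [{"ip": "192.0.2.1", "group": 1, "vpn_types": {"ipsec"}},
             {"ip": "2001:db8::1", "group": 2, "vpn_types": {"ssl"}}],
    "gw-b": [{"ip": "192.0.2.1", "group": 1, "vpn_types": {"ipsec"}}],
}
REMOTE_GROUPS = {"198.51.100.7": 1, "203.0.113.9": 2}  # remote endpoint -> connectivity group
TUNNELS = [  # (VPN name, local endpoint, remote endpoint)
    ("vpn-hq", "192.0.2.1", "198.51.100.7"),
    ("vpn-dr", "192.0.2.1", "198.51.100.7"),
    ("vpn-lab", "192.0.2.1", "203.0.113.9"),
]

def audit(gateways, remote_groups, tunnels):
    """Return (rule, subject, detail) findings for the endpoint rules on this page."""
    findings, owners, local_groups = [], defaultdict(list), {}
    for gw, endpoints in gateways.items():
        for ep in endpoints:
            owners[ep["ip"]].append(gw)
            local_groups[ep["ip"]] = ep["group"]
            # SSL VPN tunnels and the SSL VPN Portal require an IPv4 endpoint.
            if "ssl" in ep["vpn_types"] and ipaddress.ip_address(ep["ip"]).version != 4:
                findings.append(("ssl-needs-ipv4", ep["ip"], gw))
    # Each endpoint IP is dedicated to a single VPN Gateway element.
    for ip, gws in owners.items():
        if len(gws) > 1:
            findings.append(("endpoint-shared", ip, tuple(gws)))
    pairs = defaultdict(set)
    for vpn, local, remote in tunnels:
        pairs[(local, remote)].add(vpn)
        # Tunnels are created only between endpoints in the same connectivity group.
        if local_groups.get(local) != remote_groups.get(remote):
            findings.append(("group-mismatch", (local, remote), vpn))
    # The same local/remote pair must not appear in different VPN configurations.
    for pair, vpns in pairs.items():
        if len(vpns) > 1:
            findings.append(("pair-reused", pair, tuple(sorted(vpns))))
    return findings

if __name__ == "__main__":
    for finding in audit(GATEWAYS, REMOTE_GROUPS, TUNNELS):
        print(finding)
```
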
Exceptions dialog box
Use this dialog box to add VPN-specific exceptions for the phase-1 ID in policy-based VPNs.
Option | Definition |
---|---|
VPN | Shows the VPN to which the exception applies. |
ID Type | Shows the phase-1 ID type used in the exception. |
ID Value | Specifies the value of the phase-1 ID used in the exception. |
Add | Adds a phase-1 ID of the selected type and opens the Select VPN dialog box. |
Remove | Removes the selected row from the table. |