Example VPN configuration 2: Basic VPN with a partner gateway

This scenario walks you through creating a site-to-site VPN between one NGFW Engine and one external VPN gateway that is not managed through the same SMC.

This example VPN requires the local firewall to have a static IP address (not assigned using DHCP or PPPoE).

The address spaces protected by the different VPN gateways must not overlap within a single VPN. If the same IP addresses are in use at different locations, you must apply NAT to the VPN traffic and define the Site elements using the translated IP addresses, because the translated addresses are the ones that appear inside the VPN tunnels.
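The overlap rule above is easy to break when two organizations both use the same private range. The following check is an added example and not part of this guide or the SMC product; it models each gateway's Site as a list of protected networks with an optional NAT translation and reports every pair of networks from different gateways that would collide inside the tunnel. The gateway names and networks are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Constructed example data: each gateway's Site as (real network, translated
# network or None). When NAT is applied, the translated network is what appears
# inside the tunnel, so it is the one that must not overlap with other Sites.
SITES = {
    "local-ngfw": [("10.1.0.0/24", None)],
    "partner-gw": [("10.1.0.0/24", "172.16.10.0/24")],   # same LAN range, NATed
    "partner-gw-2": [("10.1.0.0/24", None)],             # same range, no NAT
}


def tunnel_networks(site):
    """Return the networks a Site contributes inside the VPN: the translated
    network where NAT is defined, otherwise the real one."""
    return [
        ipaddress.ip_network(translated or real, strict=False)
        for real, translated in site
    ]


def find_overlaps(sites):
    """Return (gateway_a, gateway_b, net_a, net_b) for every pair of networks
    from two different gateways that overlap inside the VPN."""
    conflicts = []
    for (gw_a, site_a), (gw_b, site_b) in combinations(sites.items(), 2):
        for net_a in tunnel_networks(site_a):
            for net_b in tunnel_networks(site_b):
                if net_a.overlaps(net_b):
                    conflicts.append((gw_a, gw_b, str(net_a), str(net_b)))
    return conflicts


if __name__ == "__main__":
    for gw_a, gw_b, a, b in find_overlaps(SITES):
        print(f"{gw_a} ({a}) overlaps {gw_b} ({b}): apply NAT and define "
              f"the Site with the translated addresses")
```

In the constructed data, `partner-gw` shares the local LAN range but is translated to 172.16.10.0/24 and so does not conflict; `partner-gw-2` uses the same range without NAT and is reported.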

You can create VPNs with IPsec-compliant gateway devices from many different manufacturers, including the third-party VPN solutions used by partner organizations. Agree on the authentication and encryption settings (IKE version, authentication method, encryption and integrity algorithms, Diffie-Hellman group, and SA lifetimes) with the administrator of the other gateway before you begin, because both ends must use matching settings.

The configuration consists of the following general steps:

  1. Configure VPN settings for the NGFW Engine.
  2. Create an External VPN Gateway element.
  3. Define a site for the external VPN gateway.
  4. Create a VPN Profile element.

    The VPN Profile must contain VPN settings that match the settings defined on the external VPN gateway. If the IKE or IPsec proposals do not match at both ends, the tunnel negotiation fails.

  5. Create a Policy-Based VPN element.
  6. Create Access rules.

Begin by configuring VPN settings for the NGFW Engine.