Add a VPN site

The Site element defines the internal IP addresses that can send or receive traffic through the policy-based VPN.

You must define sites for all NGFW Engines and External VPN Gateways that are used in policy-based VPNs. You must also define sites for NGFW Engines and External VPN Gateways that are used in route-based VPN tunnels in which the value of the Encryption option is Tunnel Mode.

By default, each site is included in all VPNs where the gateway is used. Individual sites can be manually disabled in any VPN without affecting the other VPNs. It is not possible to partially disable sites. If the IP address space must be different in different VPNs, you need several sites. You can add as many Site elements as you need.

If traffic in the tunnel is subject to NAT, the site must contain the translated (NAT) addresses. For NGFW Engines, add both the NAT addresses and any untranslated IP addresses that are not automatically added to the site. Sites for External VPN Gateways only require the translated address space that the NGFW Engine actually contacts, because that is the only address space the external gateway sees in the tunnel.

The site definitions on each gateway must match the corresponding definitions on the other gateways in the VPN, because the gateways compare this address information as traffic selectors during IKE negotiation and a mismatch makes the negotiation fail. Whether addresses are entered as individual IP addresses, address ranges, or networks can also make a difference, because not all VPN devices encode these forms in the same way.

Note: Site definitions are applied globally to every VPN in which the Gateway is used unless you specifically adjust the VPN-specific site settings.


Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Gateways.
  3. Right-click a VPN Gateway or an External VPN Gateway, then select New > Site.
  4. Select the elements that represent the protected IP addresses behind the Gateway, then click Add to include them in this site.
    • Do not include IP addresses outside the Gateway’s local networks in the site. The Gateway’s own IP addresses do not need to be in the site, but there is usually no need to exclude them either if they fall within the networks you add.
    • IP address ranges might be interpreted differently from lists of IP addresses and networks depending on the VPN device. The system converts Group or Expression elements into address ranges, networks, or individual IP addresses depending on the IP addresses included. Other VPN devices might treat the same types of values differently.
    • VPN Traffic Selector elements allow you to define the IP addresses, protocols, and ports used by a specific host in a VPN site.
  5. Click OK.

Next steps

If you edited a previously configured VPN, make sure that the configuration of any external VPN gateway device involved contains the same IP address information. Refresh the policy on all affected gateways to transfer the changes.
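The mirror-image check described in the steps above, as an added example that is not part of the Forcepoint documentation or of the SMC: a small Python script that normalizes site elements (hosts, networks, address ranges) into the (first, last) address ranges that IKE traffic selectors carry, shows how a range that is not CIDR aligned turns into several networks on a peer that only understands subnets, and reports the address space that one gateway defines and the other does not, including the NAT case where the NGFW site holds both untranslated and translated addresses while the peer's site holds only the translated space. All addresses, the element string formats and the helper function names are constructed for illustration.

```python
"""Check that two gateways' VPN site definitions mirror each other.

Added example for this page; not code from the Forcepoint NGFW SMC or its API.
Site elements are modeled as strings: '10.1.2.3' (host), '10.1.0.0/16'
(network) or '10.1.0.0-10.1.1.127' (address range). Every address below is
constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple

# A selector is the (first, last) pair an IKEv2 TS payload carries (RFC 7296
# section 3.13). IKEv1 identities carry a single address, a subnet or a range,
# so the same address space can be encoded differently on different devices.
Selector = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def element_to_selector(element: str) -> Selector:
    """Convert one site element to a (first, last) address range."""
    if "-" in element:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in element.split("-", 1))
        if last < first:
            raise ValueError(f"range {element!r} is reversed")
        return first, last
    net = ipaddress.IPv4Network(element, strict=True)  # a bare host becomes a /32
    return net.network_address, net.broadcast_address


def merge_selectors(selectors: Iterable[Selector]) -> List[Selector]:
    """Coalesce adjacent or overlapping ranges, so a Group of networks, a list
    of hosts and a single range covering the same space compare equal."""
    merged: List[Selector] = []
    for first, last in sorted(selectors):
        if merged and int(first) <= int(merged[-1][1]) + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def site_to_selectors(elements: Iterable[str]) -> List[Selector]:
    """Normalized address space of a site, given its elements."""
    return merge_selectors(element_to_selector(e) for e in elements)


def as_networks(selectors: Iterable[Selector]) -> List[str]:
    """Express selectors as CIDR networks, which is all a subnet-only peer can
    carry: a range that is not CIDR aligned becomes several networks."""
    nets: List[str] = []
    for first, last in selectors:
        nets.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
    return nets


def subtract(a: List[Selector], b: List[Selector]) -> List[Selector]:
    """Address space covered by a but not by b (both merged and sorted)."""
    out: List[Selector] = []
    for first, last in a:
        cur, end = int(first), int(last)
        for b_first, b_last in b:
            b_lo, b_hi = int(b_first), int(b_last)
            if b_hi < cur or b_lo > end:
                continue  # this piece of b does not overlap the current range
            if b_lo > cur:
                out.append((ipaddress.IPv4Address(cur), ipaddress.IPv4Address(b_lo - 1)))
            cur = max(cur, b_hi + 1)
            if cur > end:
                break
        if cur <= end:
            out.append((ipaddress.IPv4Address(cur), ipaddress.IPv4Address(end)))
    return out


def mismatches(local_site: Iterable[str], peer_remote_site: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Compare the site a gateway advertises for itself with the site the peer
    holds for that gateway. Returns (only_on_local, only_on_peer) as networks;
    both empty means the definitions mirror each other. Anything else shows up
    as a traffic selector mismatch during IKE negotiation."""
    a, b = site_to_selectors(local_site), site_to_selectors(peer_remote_site)
    return as_networks(subtract(a, b)), as_networks(subtract(b, a))


def check_nat_site(ngfw_site, translated_space, peer_remote_site):
    """NAT case: the NGFW site must contain the translated addresses (next to the
    untranslated ones), and the peer's site for the NGFW must contain exactly
    the translated space. Returns (missing_from_ngfw, only_translated, only_peer)."""
    missing = as_networks(subtract(site_to_selectors(translated_space),
                                   site_to_selectors(ngfw_site)))
    only_translated, only_peer = mismatches(translated_space, peer_remote_site)
    return missing, only_translated, only_peer


if __name__ == "__main__":
    # Gateway A protects 10.1.0.0/16 entered as a Group of two /17 networks;
    # gateway B's administrator typed one range but stopped at 10.1.127.255.
    print(mismatches(["10.1.0.0/17", "10.1.128.0/17"], ["10.1.0.0-10.1.127.255"]))
    # A range that is not CIDR aligned, as a subnet-only peer would have to carry it.
    print(as_networks([element_to_selector("10.0.0.0-10.0.1.127")]))
    # NAT: 192.168.10.0/24 enters the tunnel as 172.16.10.0/24.
    print(check_nat_site(["192.168.10.0/24", "172.16.10.0/24"], ["172.16.10.0/24"], ["172.16.10.0/24"]))
```

Run the script as is to see the three constructed scenarios; to check a real configuration, feed `mismatches()` the element list of your own site and the remote site list taken from the external gateway's configuration. The check is deliberately done on merged address ranges rather than on the entries as typed, because that is the level at which the two sides must agree; whether a peer will also accept the same space written as a range instead of a list of networks is a property of that device, not something this script can decide.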

VPN Site Properties dialog box

Use this dialog box to define the properties of a VPN Site element.

Option: Definition
Name: Specifies the unique name of the element.
Comment: Shows a comment for the element.
Search: Opens a search field for the selected element list.
Up (Backspace): Returns to the previous folder.
New: This option is not available in this dialog box.
Tools:
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the view.