In this configuration, you must create a Policy-Based VPN element.
Note: This configuration scenario does not explain all settings related to Policy-Based VPN elements.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
Select Configuration, then browse to SD-WAN.
-
Right-click Policy-Based VPNs in the element tree and select New Policy-Based VPN.
-
In the
Name field, enter a unique name.
-
In the Default VPN Profile drop-down list, make sure that Suite-B-GCM-128 is selected.
Note: The VPN Profile element defines most of the IPsec settings. You can optionally create a custom VPN Profile element.
-
If you want to apply NAT rules to the communications that go through the VPN, select Apply NAT to traffic that uses this VPN.
This setting does not affect the communications that the two gateways have with each other to set up and maintain the VPN. Communications between the gateways are always matched
to the automatic rules or the NAT rules.
-
Click
OK.
The
VPN Editing view opens on the
Site-to-Site VPN tab.
-
To define which gateways can create a VPN with each other, drag and drop two or more VPN Gateway elements from the
Resources pane to the
Central Gateways or
Satellite Gateways lists.
- If you add a VPN Gateway to the Central Gateways, the VPN Gateway can establish a VPN with any other VPN Gateway in
this VPN (both Central and Satellite). Add at least one of the VPN Gateways under Central Gateways.
- If you add a VPN Gateway to the
Satellite Gateways, the VPN Gateway can establish a VPN only with VPN Gateways defined as Central in this VPN. You do not have to add any VPN Gateways to the
Satellite Gateways (all gateways can be Central).
Note: Be careful that you do not accidentally drop VPN Gateway elements on top of other VPN Gateway elements. This configuration creates a hub topology where the top-level VPN Gateway forwards connections from other components to the lower-level VPN Gateway.
-
On the Tunnels tab, make sure that the Validity column in the Gateway<->Gateway and the
End-Point<->End-Point tables has a green check mark to indicate that there are no problems.
-
If the Validity column of a tunnel has a warning icon, see the Issues pane to check what the problem is. If the pane is not
shown, select .
-
If issues are shown, correct them as indicated. Long issues are easiest to read by hovering the cursor over the issue text so that the text is shown as a tooltip.
-
Click Save to save the Policy-Based VPN.
Next steps
Create Access rules