Example VPN configuration 1: Basic VPN between NGFW Engines

This scenario shows an example of how to create a policy-based VPN between two or more NGFW Engines managed through the same SMC.

This example VPN requires every NGFW Engine that acts as a VPN gateway to have a static IP address on its VPN endpoint interface (not an address assigned dynamically through DHCP or PPPoE), because the gateways must be able to reach each other at a fixed, known address.

The address spaces protected by the NGFW Engines that act as VPN gateways must not overlap within a single VPN. If the same IP addresses are in use at different locations, you must apply NAT to the traffic that enters the VPN, and you must define the Site elements using the translated IP addresses that are seen inside the VPN tunnels, not the original internal addresses.
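The following script is an added example (not part of the NGFW/SMC product or its documentation) that performs the check described above before the VPN is built: it takes the networks each gateway would advertise in its Site, reports every pair of networks at different gateways that overlap, and shows how applying a static NAT translation to one side, and then defining that Site with the translated network, removes the conflict. The gateway names, networks, and translation in it are constructed sample input.

```python
"""Pre-check for a policy-based VPN: the address spaces protected by the
gateways (their Site definitions) must not overlap inside one VPN.

Added example; not part of the NGFW/SMC product or its documentation.
The gateway names, networks and translation below are constructed input.
"""
import ipaddress
from itertools import combinations

# Constructed sample: gateway name -> networks the gateway's Site would
# advertise into the VPN (the untranslated internal address spaces).
SAMPLE_SITES = {
    "HQ-FW": ["10.1.0.0/16", "192.168.100.0/24"],
    "Branch-A-FW": ["10.2.0.0/16"],
    "Branch-B-FW": ["10.1.128.0/17"],   # collides with HQ-FW's 10.1.0.0/16
}

# Constructed sample: static NAT applied at Branch-B so that its hosts
# appear inside the tunnel as 172.16.0.0/17; the Site must then be
# defined with this translated network instead of 10.1.128.0/17.
SAMPLE_NAT = {
    ("Branch-B-FW", "10.1.128.0/17"): "172.16.0.0/17",
}


def find_overlaps(sites):
    """Return a list of (gateway1, net1, gateway2, net2) tuples for every
    pair of networks at *different* gateways that overlap.  Networks are
    parsed strictly so a Site entry with host bits set is rejected early."""
    parsed = {gw: [ipaddress.ip_network(n, strict=True) for n in nets]
              for gw, nets in sites.items()}
    overlaps = []
    for (gw1, nets1), (gw2, nets2) in combinations(parsed.items(), 2):
        for n1 in nets1:
            for n2 in nets2:
                # ip_network.overlaps() only compares the same IP version.
                if n1.version == n2.version and n1.overlaps(n2):
                    overlaps.append((gw1, str(n1), gw2, str(n2)))
    return overlaps


def apply_translations(sites, translations):
    """Return a copy of `sites` in which each network listed in
    `translations` (keyed by (gateway, original network)) is replaced by
    its translated network, i.e. the addresses the Site must be defined
    with when NAT is applied to the VPN traffic."""
    return {gw: [translations.get((gw, n), n) for n in nets]
            for gw, nets in sites.items()}


def check_vpn_sites(sites):
    """True when the Sites can be used as-is in one VPN; False when an
    overlap requires NAT and Sites defined with translated addresses."""
    return not find_overlaps(sites)


if __name__ == "__main__":
    for gw1, n1, gw2, n2 in find_overlaps(SAMPLE_SITES):
        print(f"overlap: {gw1} {n1} <-> {gw2} {n2}: apply NAT and define "
              f"the Site with the translated addresses")
    fixed = apply_translations(SAMPLE_SITES, SAMPLE_NAT)
    print("after NAT:", "ok" if check_vpn_sites(fixed) else "still overlapping")
```

Run the check against the real Site definitions of every gateway that will join the VPN; an overlap that is only visible after all sites are collected is exactly the case that a per-gateway review misses.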

This scenario uses the default Suite-B-GCM-128 VPN profile, which contains the VPN settings for the Suite-B-GCM-128 cryptographic suite defined in RFC 6379 (AES-GCM with 128-bit keys for ESP, and AES-CBC-128, HMAC-SHA-256 and the 256-bit random ECP Diffie-Hellman group for the IKE exchange). The suite only specifies the algorithms; the profile authenticates the gateways to each other with pre-shared keys. Because the gateways are authenticated only by the pre-shared key, use a long, randomly generated key rather than a memorable passphrase, and distribute it out of band; the strength of the cipher suite does not compensate for a guessable key.

The configuration consists of the following general steps:

  1. Configure VPN settings for the NGFW Engines.
  2. Create a Policy-Based VPN element.
  3. Create Access rules.

Begin by configuring VPN settings for the NGFW Engines.