Defining Site elements for VPN gateways

The Site element defines the internal IP addresses that can send or receive traffic through the VPN.

Note: In route-based VPNs, the site information is ignored. In route-based VPNs, the site definition is always 0.0.0.0/0 for IPv4 and ::/0 for IPv6 (any network).

The IP addresses work like routing definitions when the gateway selects which VPN tunnel a packet is sent through. The Site elements must contain the IP addresses of all protected hosts that potentially send or receive VPN traffic through any site-to-site or mobile VPN. IP addresses that are not included in the Site elements are not allowed as source or destination addresses in policy-based VPNs.

Note: An IP address must be included in a Site to be valid in the VPN. The Access rules define which connections are allowed to enter and exit a VPN tunnel.

By default, each site is included in all VPNs where the gateway is used. You can manually disable individual sites in individual VPNs without affecting other VPNs. It is not possible to partially disable sites. If the IP address space must be different in different VPNs, you need several sites. You can define as many Site elements as you need.
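The following is an added example, not code from the documentation or the product, that models how a gateway's Site definitions behave as routing definitions for policy-based VPN tunnel selection and how disabling a whole site in one VPN affects only that VPN. The topology (site names, networks, VPN names) is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Site:
    name: str
    networks: tuple                       # ip_network objects the site protects
    disabled_in: frozenset = frozenset()  # VPN names in which this whole site is switched off


@dataclass(frozen=True)
class PolicyVpn:
    name: str
    local_sites: tuple   # Site elements of this gateway
    remote_sites: tuple  # Site elements of the peer gateway


def active_networks(sites, vpn_name):
    """Networks a gateway contributes to one VPN: a site is either fully in or fully out."""
    return [net for s in sites if vpn_name not in s.disabled_in for net in s.networks]


def select_tunnel(src, dst, vpns):
    """Pick the first policy-based VPN whose local site covers src and whose remote site covers dst.

    Returns None when either address lies outside every active Site: such traffic is not
    allowed into the VPN even if an Access rule would otherwise permit the connection.
    """
    src, dst = ip_address(src), ip_address(dst)
    for vpn in vpns:
        if (any(src in n for n in active_networks(vpn.local_sites, vpn.name))
                and any(dst in n for n in active_networks(vpn.remote_sites, vpn.name))):
            return vpn.name
    return None


# Constructed sample topology (hypothetical, not taken from the documentation).
HQ_LAN = Site("HQ-LAN", (ip_network("10.1.0.0/16"),))
HQ_SERVERS = Site("HQ-Servers", (ip_network("10.2.0.0/24"),), disabled_in=frozenset({"to-partner"}))
BRANCH = Site("Branch", (ip_network("192.168.10.0/24"),))
PARTNER = Site("Partner", (ip_network("172.16.5.0/24"),))

VPNS = (
    PolicyVpn("to-branch", local_sites=(HQ_LAN, HQ_SERVERS), remote_sites=(BRANCH,)),
    PolicyVpn("to-partner", local_sites=(HQ_LAN, HQ_SERVERS), remote_sites=(PARTNER,)),
)

if __name__ == "__main__":
    for s, d in [("10.1.5.5", "192.168.10.20"), ("10.2.0.9", "172.16.5.1"), ("10.9.9.9", "192.168.10.20")]:
        print(f"{s} -> {d}: {select_tunnel(s, d, VPNS)}")
```

The second sample pair shows the per-VPN disable: the server network is still carried in the branch VPN but is not a valid source in the partner VPN.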