Define a VPN site

You must define Site elements for all NGFW Engines and External VPN Gateways that are used in policy-based VPNs. You must also define sites for NGFW Engines and External VPN Gateways that are used in route-based VPN tunnels in which the value of the Encryption option is Tunnel Mode.

The Site elements must always contain the actual IP addresses that are used inside the VPN tunnel. If traffic in the tunnel is subject to NAT, you must add the NAT addresses to the site. For NGFW Engines, you must add both the NAT addresses and any untranslated IP addresses that are not automatically added to the site. Sites for External VPN Gateways only require the translated address space that the NGFW Engine actually contacts.

Each Site definition must mirror what the other gateways in the VPN have configured for that gateway, because the gateways verify the protected address spaces against each other during IKE negotiation. When creating VPNs with external gateways, make sure that the IP address spaces of both gateways are defined identically in the SMC and on the external device. Otherwise, VPN establishment can fail in one or both directions. Whenever the Site elements at either end change, refresh the policies of all firewalls involved in the VPN.

If you want to use a central gateway as a hub that forwards traffic from one VPN tunnel to another, include all IP addresses that are accessible through the central gateway in the central gateway’s Site elements.

Note: You cannot add or change Site elements under the VPN Client Gateway element.


Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Gateways.
  3. Right-click a VPN Gateway or an External VPN Gateway, then select New > Site.
  4. Select the elements that represent the protected IP addresses behind the Gateway, then click Add to include them in this site.
    • Do not include IP addresses outside the Gateway's local networks in the site. There is no need to include the Gateway's own IP addresses, but you usually do not need to exclude them either if they fall within the networks you add to the site.
    • IP address ranges might be interpreted differently from lists of IP addresses and networks depending on the VPN device. The system converts Group or Expression elements into address ranges, networks, or individual IP addresses depending on the IP addresses included. Other VPN devices might treat the same types of values differently.
    • VPN Traffic Selector elements allow you to define the IP addresses, protocols, and ports used by a specific host in a VPN site.
  5. Click OK.

Next steps

If you edited a previously configured VPN, make sure that the configuration of any external VPN gateway device involved contains the same IP address information. Refresh the policy on all affected gateways to transfer the changes.
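The requirements above (matching address spaces at both ends, the translated addresses in a Normal-mode site, and ranges that another device may interpret differently from a list of networks) can be cross-checked offline before you refresh policies. The following is an added example, not SMC or NGFW product code, and it does not use the SMC API. It normalizes constructed site definitions for two gateways into canonical network sets, compares what each gateway presents with what its peer has configured for it, and warns when an NGFW Engine uses NAT in the VPN without a Private-mode site. The gateway record format, the field names, the entry formats (host, CIDR, first-last range) and the sample addresses are assumptions made for this example.

```python
"""Offline cross-check of VPN Site definitions for a policy-based VPN.

Added example only; not SMC or NGFW product code and no SMC API calls.
Gateway records are constructed inline in an assumed format:
  "name":      label used in findings
  "kind":      "ngfw" or "external"
  "sites":     list of (mode, [entries]) with mode Normal, Private or Hub
  "peer_site": entries this gateway has configured for the other end
Entries may be a host ("10.1.0.5"), a network ("10.1.0.0/24") or a
range ("10.1.0.10-10.1.0.20"); ranges are summarized into networks.
"""
import ipaddress
from collections import defaultdict

PRESENTED_MODES = ("Normal", "Hub")   # modes whose addresses the peer sees


def to_networks(entries):
    """Normalize entries into a canonical, collapsed set of networks, so a
    range and the equivalent list of networks compare equal regardless of
    how the originating device expressed them."""
    by_version = defaultdict(set)
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {entry}")
            for net in ipaddress.summarize_address_range(lo, hi):
                by_version[net.version].add(net)
        else:
            net = ipaddress.ip_network(entry, strict=False)
            by_version[net.version].add(net)
    result = set()
    for nets in by_version.values():        # collapse per IP version
        result.update(ipaddress.collapse_addresses(nets))
    return frozenset(result)


def presented_addresses(sites):
    """Address space a gateway presents to its peer: Normal and Hub mode
    sites. Private mode holds the untranslated local addresses and is
    never part of what the other end sees."""
    entries = []
    for mode, addrs in sites:
        if mode in PRESENTED_MODES:
            entries.extend(addrs)
        elif mode != "Private":
            raise ValueError(f"unknown site mode: {mode}")
    return to_networks(entries)


def _fmt(nets):
    return sorted(str(n) for n in nets)


def check_vpn(local, remote, nat_in_vpn):
    """Return findings (strings); an empty list means both ends agree."""
    findings = []
    for gw, peer in ((local, remote), (remote, local)):
        presented = presented_addresses(gw["sites"])
        expected = to_networks(peer["peer_site"])
        if presented != expected:
            findings.append(
                f"{gw['name']} presents {_fmt(presented)} but {peer['name']} "
                f"expects {_fmt(expected)} (extra: {_fmt(presented - expected)}, "
                f"missing: {_fmt(expected - presented)}); VPN establishment "
                f"can fail in this direction")
        # Private mode exists only for NGFW Engines; external gateways only
        # carry the translated address space.
        if (nat_in_vpn and gw["kind"] == "ngfw"
                and not any(m == "Private" for m, _ in gw["sites"])):
            findings.append(
                f"{gw['name']}: NAT is used in the VPN but no Private-mode "
                f"site holds the untranslated local addresses")
    return findings


# Constructed sample data (documentation ranges, not real deployments).
LOCAL = {
    "name": "hq-fw", "kind": "ngfw",
    "sites": [("Normal", ["192.0.2.0/24"]),     # translated addresses peer sees
              ("Private", ["10.10.0.0/16"])],   # real addresses behind NAT
    "peer_site": ["198.51.100.0/25"],
}
REMOTE = {
    "name": "partner-gw", "kind": "external",
    "sites": [("Normal", ["198.51.100.0-198.51.100.127"])],  # same as /25
    "peer_site": ["192.0.2.0/24"],
}

if __name__ == "__main__":
    for f in check_vpn(LOCAL, REMOTE, nat_in_vpn=True) or ["sites consistent"]:
        print(f)
    # A /25 typo on the partner side shows as a one-direction mismatch.
    bad_peer = dict(REMOTE, peer_site=["192.0.2.0/25"])
    for f in check_vpn(LOCAL, bad_peer, nat_in_vpn=True):
        print(f)
```

The comparison is done on collapsed network sets, so the partner's range 198.51.100.0-198.51.100.127 is treated as equal to the 198.51.100.0/25 network configured on the NGFW side; if the external device instead treats ranges and networks as different selector types, that difference will not show up here and must be verified on the device itself.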

VPN Site Properties dialog box

Use this dialog box to view or edit the properties of a VPN site.

Option: Definition

General tab

Name: The name of the element.
Comment: An optional comment for your own reference.
Search: Opens a search field for the selected element list.
Up (Backspace): Returns to the previous folder.
New: This option is not available in this dialog box.
Tools:
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the view.

VPN References tab

VPN: Shows the VPNs where this site is used.
Enable: When selected, the site is enabled in the specified VPN.
Mode: Defines the mode of the Site for each VPN in which it is enabled.
  • Normal — Use this mode for all active Site elements that do not require one of the other two modes.
  • Private — (VPN Gateways on NGFW Engines only) Use this mode for the local untranslated addresses when addresses are translated using NAT in the VPN. You must include the translated IP addresses (the addresses that the other end sees) as a Normal-mode Site element in these types of VPNs. If NAT is disabled in the VPN, any Sites in the Private mode are ignored.
  • Hub — Use this mode on a hub gateway in tunnel-to-tunnel forwarding. Hub mode Sites contain the IP addresses of the networks that are behind the remote spoke gateways (the networks between which the hub gateway forwards traffic). The automatically generated Site cannot be used as a Hub Site.