Define VPN tunnel settings for policy-based VPNs
The Tunnels tab in the Policy-Based VPN editing view allows you to define settings particular to individual tunnels or disable some tunnels altogether.
The topology of the policy-based VPN (defined on the Site-to-Site VPN tab) determines which tunnels are shown on the Tunnels tab. If you have set up connection forwarding between the gateways on the Site-to-Site VPN tab, the number of generated tunnels is reduced according to the relationships and the capabilities of the gateway that forwards the traffic. The forwarding relationships are shown under Forwarding Gateways.
There are two types of tunnels:
- The Gateway<->Gateway list shows connections between pairs of gateways.
- The Endpoint<->Endpoint list shows the individual connections that form the tunnels in the Gateway<->Gateway list. There can be several connections at this level for a Gateway pair if one or both of the Gateways have multiple endpoints (Multi-Link). If both Gateways have only one endpoint, there is only one tunnel at this level for the Gateway pair as well.
If a VPN Gateway has a Multi-Link VPN configuration, you can select whether to use tunnels as backups or to actively balance traffic between them. Multi-Link is specific to Forcepoint NGFW and is not part of the IPsec standard, so you might not be able to use Multi-Link with third-party gateways. Satisfactory results can be achieved if the third-party gateway allows ICMP probes and RTT ICMP probes, and supports DPD. If necessary, you can disable redundant tunnels to the third-party gateway on the Tunnels tab.
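As an added illustration (example code, not part of the Forcepoint documentation), the following Python models how the Site-to-Site topology expands into the two tunnel lists: central gateways pair with any other gateway, satellites only with central ones, and each gateway pair expands into one Endpoint<->Endpoint connection per endpoint combination when a gateway has Multi-Link endpoints; it also flags an endpoint that is reused by a route-based VPN tunnel, which the Tunnels tab does not allow. Gateway names and addresses are constructed, and connection forwarding is not modelled.

```python
from itertools import product

# Constructed sample topology (not from the product documentation).
# Each gateway maps to its endpoint IP addresses; more than one endpoint
# on a gateway means it has a Multi-Link VPN configuration.
CENTRAL = {"HQ-GW": ["198.51.100.1", "203.0.113.1"]}  # two endpoints: Multi-Link
SATELLITE = {"Branch-A": ["192.0.2.10"], "Branch-B": ["192.0.2.20"]}


def gateway_tunnels(central, satellite):
    """Return the Gateway<->Gateway pairs the topology implies.

    A central gateway can establish a VPN with any other gateway;
    a satellite gateway only with a central gateway, so a pair is
    generated only when at least one side is central.
    """
    names = list(central) + list(satellite)
    pairs = set()
    for a in names:
        for b in names:
            if a >= b:          # unordered pair, and no tunnel from a gateway to itself
                continue
            if a in central or b in central:
                pairs.add((a, b))
    return sorted(pairs)


def endpoint_tunnels(central, satellite):
    """Expand each gateway pair into its Endpoint<->Endpoint connections.

    With one endpoint per gateway there is exactly one connection per pair;
    Multi-Link gateways multiply the connections by their endpoint count.
    """
    endpoints = {**central, **satellite}
    return [(a, ea, b, eb)
            for a, b in gateway_tunnels(central, satellite)
            for ea, eb in product(endpoints[a], endpoints[b])]


def endpoint_conflicts(policy_tunnels, route_based_endpoints):
    """Endpoints used by both a policy-based and a route-based VPN tunnel.

    Such reuse is not allowed, so a non-empty result is a configuration error.
    """
    used = {e for (_, ea, _, eb) in policy_tunnels for e in (ea, eb)}
    return sorted(used & set(route_based_endpoints))


if __name__ == "__main__":
    for row in endpoint_tunnels(CENTRAL, SATELLITE):
        print(row)
    print("conflicts:", endpoint_conflicts(endpoint_tunnels(CENTRAL, SATELLITE), ["203.0.113.1"]))
```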
This tab is also where you can view the link summary. The link summary is a summary of addresses and settings that have been configured for individual tunnels. You might want to check the link summary when there are complex setups involving external components (such as a VPN hub configuration).
Before editing a policy-based VPN that is used in active VPNs, we recommend making a backup of the Management Server.
For more details about the product and how to configure features, click Help or press F1.
Steps
Next steps
Add Access rules and possibly also NAT rules to direct outgoing traffic to the VPN and allow incoming traffic from the VPN.
Policy-Based VPN editing view
Use this view to create and modify policy-based virtual private networks (VPN).
Option | Definition |
---|---|
Resources | Use this pane to create and add elements to a VPN. |
Search | Opens a search field for the selected element list. |
Up (Backspace) | Returns to the previous folder. |
New | Opens the associated dialog box to create an element. |
Tools | |
Option | Definition |
---|---|
Editor toolbar | |
Save | Saves the changes. |
Tools menu | |
Properties | Opens the VPN Properties dialog box. |
Sign VPN Client Certificate | Opens the Sign VPN Client Certificate dialog box. |
Filter by Gateway | Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab. |
Filter by Firewall | Shows only tunnels where the selected firewall is used. Only available on the Tunnels tab. |
No Filtering | Disables filtering. |
Option | Definition |
---|---|
Site-to-Site VPN tab | |
Central Gateways list | Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN. |
Satellite Gateways list | Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN. |
Option | Definition |
---|---|
Mobile VPN tab | |
Select engines that provide Mobile VPN Access | Specifies the gateways that can be selected for mobile VPN access. |
Option | Definition |
---|---|
Tunnels tab | |
Gateway A or Gateway B | VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements. Right-clicking this type of cell opens a shortcut menu. |
VPN Profile | To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel. Right-clicking this type of cell opens a shortcut menu. |
Key | Verifies whether the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the automatically generated keys for your partner to use. To view, change, or export the pre-shared key, double-click the cell. Right-clicking this type of cell opens a shortcut menu. |
Validity | Verifies whether the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View issues. You must resolve all problems indicated in the messages shown. Right-clicking this type of cell opens a shortcut menu. |
Forwarding Gateways | Right-clicking this type of cell opens a shortcut menu. |
Endpoint A or Endpoint B | Select the endpoint IP addresses. You cannot use the same endpoint in a route-based VPN tunnel and a policy-based VPN tunnel. If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address. Right-clicking this type of cell opens a shortcut menu. |
IPsec Profile | Right-clicking this type of cell opens a shortcut menu. |
Mode | Determines how the tunnel is used in a Multi-Link VPN. Right-clicking this type of cell opens a shortcut menu. |
Validity | Verifies whether the tunnel is valid. Right-clicking this type of cell opens a shortcut menu. |
Option | Definition |
---|---|
Panes in the Policy-Based VPN editing view | |
Info pane | Shows information about the selected element. |
Issues pane | Shows issues in the VPN configuration, such as incompatible settings. |
Link Summary pane | Shows a summary of the policy-based VPN configuration. |
Link Summary tab (Policy-Based VPN)
Use this tab to view a summary of the Policy-Based VPN configuration.
Option | Definition |
---|---|
Network Elements A | Shows the internal networks or IP address ranges that are behind the gateway. |
Gateway A | The name of the VPN Gateway element. |
Endpoint A | The IP address of VPN endpoint A. |
Endpoint B | The IP address of VPN endpoint B. |
Gateway B | The name of the VPN Gateway element or the External VPN Gateway element. |
Network Elements B | Shows the internal networks or IP address ranges that are behind the gateway. |
IKE SA | The IKE SA settings for the VPN tunnel. |
IPsec SA | The IPsec SA settings for the VPN tunnel. |
Certificate | The VPN tunnel's certificate. |