Define VPN tunnel settings for policy-based VPNs

The Tunnels tab in the Policy-Based VPN editing view allows you to define settings particular to individual tunnels or disable some tunnels altogether.

The topology of the policy-based VPN (defined on the Site-to-Site VPN tab) determines which tunnels are shown on the Tunnels tab. If you have set up connection forwarding between the gateways on the Site-to-Site VPN tab, the number of generated tunnels is reduced according to the relationships and the capabilities of the gateway that forwards the traffic. The forwarding relationships are shown under Forwarding Gateways.

There are two types of tunnels:

  • The Gateway<->Gateway list shows connections between pairs of gateways.
  • The Endpoint<->Endpoint list shows the individual connections that form the tunnels in the Gateway<->Gateway list. There can be several connections at this level for any Gateway pair if one or both of the Gateways have multiple endpoints (Multi-Link). If both Gateways have only one endpoint, there is only one tunnel also at this level for the Gateway pair.

If a VPN Gateway has a Multi-Link VPN configuration, you can select whether to use tunnels as backups or actively balance traffic between them. Multi-Link is specific to Forcepoint NGFW, and is not part of the IPsec standard. You might not be able to use Multi-Link with third-party gateways. Satisfactory results can be achieved if the third-party gateway allows ICMP probes, RTT ICMP probes, and supports DPD. You can disable redundant tunnels to the third-party gateway on the Tunnels tab if necessary.

This tab is also where you can view the link summary. The link summary is a summary of addresses and settings that have been configured for individual tunnels. You might want to check the link summary when there are complex setups involving external components (such as a VPN hub configuration).

Before editing a policy-based VPN that is used in active VPNs, we recommend making a backup of the Management Server.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Policy-Based VPNs.
  3. Right-click the Policy-Based VPN element, then select Edit.
  4. Click the Tunnels tab.
  5. (Optional) If there are tunnels listed that are not needed, right-click the tunnel, then select Disable.
    Duplicate tunnels are not allowed between VPNs. If another VPN already defines a tunnel between the same endpoints, disable the duplicate tunnel in one of the VPNs.
  6. If you use pre-shared keys for authentication with external gateways, either set a key with your partner or export the keys that have been generated for your partner.
    To view, change, or export the pre-shared key for a particular tunnel, double-click in the Key column in the Gateway<->Gateway list. This pre-shared key is used only with gateway devices. Set pre-shared keys for third-party VPN clients in the User elements. The Forcepoint VPN Client does not allow pre-shared key authentication.
    CAUTION:
    The pre-shared key must be long and random to provide a secure VPN. Change the pre-shared key periodically (for example, monthly). Make sure that it is not possible for outsiders to obtain the key while you transfer it to other devices.
  7. (Optional) Change the VPN Profile used at the tunnel level to override the profile selected for the VPN element:
    • If you change a profile for a tunnel on the Gateway<->Gateway list, both IKE SA and IPsec SA settings are overridden from the default for the VPN.
    • If you change a profile for a tunnel on the Endpoint<->Endpoint list, only the IPsec SA settings are overridden from the selection for the main tunnel on the gateway level.
  8. (Optional, Multi-Link only) Select the Mode in which Endpoint<->Endpoint links are used.
    1. Select a tunnel on the Gateway<->Gateway list.
    2. Right-click the Mode column for a link on the Endpoint<->Endpoint list, then select the mode from the right-click menu.
    The Mode that you select for a link overrides the Mode setting in the endpoint properties. You can also configure the link’s Mode to be automatically calculated based on the Mode defined for the endpoints. You can also define QoS Exceptions to select the Mode based on the QoS class of the traffic that is directed to the link.
  9. (Optional) To review the IP addresses and settings used in the individual tunnels, right-click the tunnels on the Endpoint<->Endpoint list, then select View Link Summary.
  10. After making all changes, check the Validity column for all tunnels.
    1. If a tunnel has a warning icon in the Validity column, right-click the tunnel, then select View Issues.
    2. Resolve all problems indicated in the messages shown.
    If all tunnels are shown as valid, the policy-based VPN is correctly configured, although the Management Server cannot check all possible problems in this view. More issues might be shown at policy installation. Any validation and issues that are shown for external gateways are based only on the definitions that have been entered manually into the related elements.
  11. Click Save.

Next steps

Add Access rules and possibly also NAT rules to direct outgoing traffic to the VPN and allow incoming traffic from the VPN.

Policy-Based VPN editing view

Use this view to create and modify policy-based virtual private networks (VPN).

Option Definition
Resources Use this pane to create and add elements to a VPN.
Search Opens a search field for the selected element list.
Up (Backspace) Returns to the previous folder.
New Opens the associated dialog box to create an element.
Tools
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the interface tree.
  • Sign VPN Client Certificate — Opens the Sign VPN Client Certificate dialog box.
  • Show Certificates — Shows certificates for VPN gateways.
  • Show Sites — Shows sites for VPN gateways.
  • Show Certificate Requests — Shows certificate requests for VPN gateways.
Option Definition
Editor toolbar
Save Saves the changes.
Tools menu
Properties Opens the VPN Properties dialog box.
Sign VPN Client Certificate Opens the Sign VPN Client Certificate dialog box.
Filter by Gateway Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab.
Filter by Firewall Shows only tunnels where the selected firewall is used. Only available on the Tunnels tab.
No Filtering Disables filtering.
Option Definition
Site-to-Site VPN tab
Central Gateways list Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN.
Satellite Gateways list Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN.
Option Definition
Mobile VPN tab
Select engines that provide Mobile VPN Access Specifies the gateways that can be selected for mobile VPN access.
  • None — None of the VPN gateways provide mobile VPN access.
  • Only central Gateways from overall topology — Only the VPN Gateways in the Central Gateways list on the Site-to-Site VPN tab provide mobile VPN access.
  • All Gateways from overall topology — All VPN Gateways included in the VPN provide mobile VPN access.
  • Selected Gateways below — Only the VPN Gateways that you add to the Mobile VPN Gateways tree provide mobile VPN access.
Option Definition
Tunnels tab
Gateway A or Gateway B VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements.
Right-clicking this type of cell opens these menu items:
  • Properties — Opens the element properties. For VPN Gateway elements, this action opens the Engine Editor.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate Regular Missing Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Monitoring — Opens the Logs view or another Monitoring view according to the option selected from the Monitoring menu.
  • Add Category — Adds a Category to the selected element.
  • Tools
    • Export Elements — Exports the selected element.
    • Generate Certificate — Opens the Generate Certificate dialog box.
    • Export iOS VPN Configuration Profile — Exports a configuration profile for Forcepoint VPN Client for iOS.
    • Save Gateway Contact Information — Saves the contact information for the selected gateway.
    • Lock — Prevents edits until the element is unlocked. Opens the Lock Properties dialog box.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
VPN Profile

To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel.

Right-clicking this type of cell opens these menu items:
  • Edit VPN Profile — Opens a menu from which you can select the VPN Profile.
  • Properties — Opens the VPN Profile Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Select Profile — Opens the Select Profile dialog box.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Tools
    • Export Elements — Exports the selected element.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
Key Verifies if the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use.

To view, change, or export the pre-shared key, double-click .

Right-clicking this type of cell opens these menu items:
  • Edit Key — Opens the Pre-Shared Key dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Validity Verifies if the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View issues. You must resolve all problems indicated in the messages shown.
Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Forwarding Gateways Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Endpoint A or Endpoint B

Select the endpoint IP addresses. You cannot use the same endpoint in a route-based VPN tunnel and a policy-based VPN tunnel.

If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address.

Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Logs by VPN Endpoint — Opens the Logs view and shows log data related to the VPN endpoint.
IPsec Profile Right-clicking this type of cell opens these menu items:
  • Edit IPsec Profile — Opens the VPN Profile Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Select Profile — Opens the Select Profile dialog box.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Tools
    • Export Elements — Exports the selected element.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
Mode Determines how the tunnel is used in a Multi-Link VPN.
Right-clicking this type of cell opens these menu items:
  • Edit Mode — Opens the Link Mode Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Standby — The link is used only when all Active or Aggregate mode links are unusable.
  • Active — The link is always used.

    If there are multiple links in Active mode between the Gateways, the VPN traffic is load-balanced between the links based on the links’ load. VPN traffic is directed to the link that has the lowest load.

  • Aggregate — The link is always used and each VPN connection is load-balanced in round robin fashion between all the links that are in the Aggregate mode.

    For example, if there are two links in Aggregate mode, a new VPN connection is directed to both links.

  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Validity Verifies if the tunnel is valid.
Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Option Definition
Panes in the Policy-Based VPN editing view
Info pane Shows information about the selected element.
Issues pane Shows issues in the VPN configuration, such as incompatible settings.
Link Summary pane Shows a summary of the policy-based VPN configuration.

Link Summary tab (Policy-Based VPN)

Use this tab to view a summary of the Policy-Based VPN configuration.

Option Definition
Network Elements A Shows the internal networks or IP address ranges that are behind the gateway.
Gateway A The name of the VPN Gateway element.
Endpoint A The IP address of VPN endpoint A.
Endpoint B The IP address of VPN endpoint B.
Gateway B The name of the VPN Gateway element or the External VPN Gateway element.
Network Elements B Shows the internal networks or IP address ranges that are behind the gateway.
IKE SA The IKE SA settings for the VPN tunnel.
IPsec SA The IPsec SA settings for the VPN tunnel.
Certificate The VPN tunnel's certificate.