Add gateways to an existing VPN
To create connectivity to different gateways, add new gateways to route-based VPN tunnels and policy-based VPNs.
Steps
Engine Editor > VPN
Use this branch to view the VPN Gateway elements associated with the NGFW Engine, and the VPNs where the VPN Gateway elements are used. You can optionally add more VPN Gateway elements.
Option | Definition |
---|---|
Add (Optional) | Adds a VPN Gateway element to the NGFW Engine. One VPN Gateway element is automatically created for each NGFW Engine. You can use the same VPN Gateway element in multiple VPNs. You might need to add VPN Gateway elements if you want to use different endpoint IP addresses in different types of VPNs. Click Remove to remove the selected element. |
Endpoints | |
Enabled | When selected, the endpoint IP address is active. |
Edit | Opens the Properties dialog box for the endpoint. |
Policy-Based VPN editing view
Use this view to create and modify policy-based virtual private networks (VPN).
Option | Definition |
---|---|
Resources | Use this pane to create and add elements to a VPN. |
Search | Opens a search field for the selected element list. |
Up (Backspace) | Returns to the previous folder. |
New | Opens the associated dialog box to create an element. |
Tools | |
Option | Definition |
---|---|
Editor toolbar | |
Save | Saves the changes. |
Tools menu | |
Properties | Opens the VPN Properties dialog box. |
Sign VPN Client Certificate | Opens the Sign VPN Client Certificate dialog box. |
Filter by Gateway | Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab. |
Filter by Firewall | Shows only tunnels where the selected firewall is used. Only available on the Tunnels tab. |
No Filtering | Disables filtering. |
Option | Definition |
---|---|
Site-to-Site VPN tab | |
Central Gateways list | Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN. |
Satellite Gateways list | Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN. |
Option | Definition |
---|---|
Mobile VPN tab | |
Select engines that provide Mobile VPN Access | Specifies the gateways that can be selected for mobile VPN access. |
Option | Definition |
---|---|
Tunnels tab | |
Gateway A or Gateway B | VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements. Right-clicking this type of cell opens these menu items: |
VPN Profile | To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel. Right-clicking this type of cell opens these menu items: |
Key | Verifies whether the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use. To view, change, or export the pre-shared key, double-click the cell. Right-clicking this type of cell opens these menu items: |
Validity | Verifies whether the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View issues. You must resolve all problems indicated in the messages shown. Right-clicking this type of cell opens these menu items: |
Forwarding Gateways | Right-clicking this type of cell opens these menu items: |
Endpoint A or Endpoint B | Select the endpoint IP addresses. You cannot use the same endpoint in a route-based VPN tunnel and a policy-based VPN tunnel. If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address. Right-clicking this type of cell opens these menu items: |
IPsec Profile | Right-clicking this type of cell opens these menu items: |
Mode | Determines how the tunnel is used in a Multi-Link VPN. Right-clicking this type of cell opens these menu items: |
Validity | Verifies whether the tunnel is valid. Right-clicking this type of cell opens these menu items: |
Option | Definition |
---|---|
Panes in the Policy-Based VPN editing view | |
Info pane | Shows information about the selected element. |
Issues pane | Shows issues in the VPN configuration, such as incompatible settings. |
Link Summary pane | Shows a summary of the policy-based VPN configuration. |
Route-Based VPN Tunnel Properties dialog box
Use this dialog box to define the properties of a Route-Based VPN Tunnel.
Option | Definition |
---|---|
Name | The name of the element. |
Enabled | When selected, the tunnel is enabled. |
Tunnel Type | Specifies the protocol used in the tunnel. |
Encryption (Not when Tunnel Type is VPN) | The encryption mode for the tunnel. |
VPN Profile (Optional) (When Tunnel Type is VPN) (When Encryption is Transport Mode) | The VPN Profile element that defines the settings for authentication, integrity checking, and encryption for the tunnel. Note: Settings in the VPN Profile that do not apply to route-based VPN tunnels, such as IPsec Client settings, are ignored. Examples of available profiles: |
Edit (Optional) (When Tunnel Type is VPN) (When Encryption is Transport Mode) | Allows you to use pre-shared key authentication for the gateways involved in the tunnel. Note: The pre-shared key must be long and random to provide a secure VPN. Change the pre-shared key periodically (for example, monthly). Make sure that it is not possible for outsiders to obtain the key while you transfer it to other devices. |
VPN (When Encryption is Tunnel Mode) | The policy-based VPN that provides the encryption for the tunnel. Click Select to select an element, or click New to create an element. |
Option | Definition |
---|---|
Local section | |
Gateway or Firewall | The local gateway for the tunnel. Click Select to select an element. |
Endpoint (Not when Tunnel Type is VPN) | Allows you to select the endpoint IP addresses for the tunnel. If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address. Note: You cannot use the same endpoint pair in a route-based VPN tunnel and a policy-based VPN tunnel. |
Interface | The tunnel interface through which route-based VPN traffic is routed. |
Option | Definition |
---|---|
Remote section | |
Internal (Not when Tunnel Type is VPN) (Not when Encryption is Transport Mode) | When selected, specifies that the remote gateway is an NGFW Engine that is managed by the same Management Server to which you are currently connected. |
External (Not when Tunnel Type is VPN) (Not when Encryption is Transport Mode) | When selected, specifies that the remote gateway is a third-party device or an NGFW Engine that is managed by a different Management Server. |
IP Address (External only) | The IP address of the remote gateway. |
Gateway or Firewall (Internal only) | The remote gateway in the tunnel. Click Select to select an element. |
Endpoint (Not when Tunnel Type is VPN) | Allows you to select the endpoint IP addresses for the tunnel. If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address. Note: You cannot use the same endpoint pair in a route-based VPN tunnel and a policy-based VPN tunnel. |
Interface (VPN Gateway elements only) | The tunnel interface through which route-based VPN traffic is routed. |
Tunnels table (When Tunnel Type is VPN) | |
Option | Definition |
---|---|
Tunnel Options section | |
PMTU Discovery (All tunnel types except VPN) | When selected, enables path MTU (PMTU) discovery. Select this option if you use dynamic routing and want to automatically determine the Maximum Transmission Unit (MTU) size on the network path to avoid IP fragmentation. |
TTL (Optional) (All tunnel types except VPN) | Specifies the initial time-to-live (TTL) value that is inserted into the encapsulation header of packets that enter the tunnel. This setting is needed when dynamic routing is used. You can usually use the default value. The default TTL value is 64. |
MTU (Optional) | Specifies the maximum transmission unit (MTU) value that defines the largest unit of data that can be transmitted without fragmenting a packet. Set the MTU size as large as possible, but not so large that it causes packets to be fragmented. You can usually use the default value. |
Tunnel Group (When Tunnel Type is VPN) (When Encryption is Transport Mode) | Select the Tunnel Group to put the tunnel in. You can monitor the status of grouped tunnels in the Home view. By default, new tunnels are included in the Uncategorized group, which is a system Tunnel Group element. |
Use GRE Keepalive (When Tunnel Type is GRE and Encryption is No Encryption) | When selected, the NGFW Engine sends keepalive packets at the specified interval to check that the GRE tunnel is still functioning. If no reply is received after the specified number of packets, the GRE tunnel is considered to be down. Note: To use GRE keepalive, the router to which the NGFW Engine is connected must support GRE keepalive. |
Comment (Optional) | A comment for your own reference. |
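Two of the rules above are easy to get wrong when tunnels are defined in bulk: the pre-shared key for a route-based tunnel must be long and random, and the same endpoint pair cannot be used by both a route-based and a policy-based tunnel. The following is an added example, not Forcepoint's own code, that checks constructed tunnel definitions against those two rules before they are entered in the dialog box; the length and entropy thresholds are assumptions, since the page only says "long and random".

```python
import math
from collections import Counter

# Thresholds are assumptions for this example; the page only says the key
# must be "long and random".
MIN_PSK_CHARS = 32
MIN_PSK_BITS = 64

def psk_entropy_bits(psk: str) -> float:
    """Shannon entropy of the key's character distribution, scaled to its length."""
    if not psk:
        return 0.0
    n = len(psk)
    return -n * sum(c / n * math.log2(c / n) for c in Counter(psk).values())

def check_psk(psk: str) -> list:
    """Problems with a pre-shared key, following the page's PSK note."""
    issues = []
    if len(psk) < MIN_PSK_CHARS:
        issues.append(f"pre-shared key shorter than {MIN_PSK_CHARS} characters")
    if psk_entropy_bits(psk) < MIN_PSK_BITS:
        issues.append("pre-shared key is not random enough")
    return issues

def validate_tunnels(tunnels: list) -> dict:
    """Return {tunnel name: [issues]}, much as the Issues pane lists them."""
    issues = {t["name"]: [] for t in tunnels}
    owners = {}  # endpoint pair -> (tunnel name, kind) that first used it
    for t in tunnels:
        pair = frozenset((t["endpoint_a"], t["endpoint_b"]))
        if t["kind"] == "route-based" and "psk" in t:
            issues[t["name"]] += check_psk(t["psk"])
        prev = owners.setdefault(pair, (t["name"], t["kind"]))
        if prev[1] != t["kind"]:  # same pair reused by the other tunnel type
            issues[t["name"]].append(
                f"endpoint pair already used by {prev[1]} tunnel {prev[0]}")
    return issues

# Constructed sample input: a weak route-based tunnel whose endpoint pair a
# policy-based tunnel reuses, and one clean route-based tunnel.
SAMPLE_TUNNELS = [
    {"name": "rb-branch1", "kind": "route-based", "endpoint_a": "203.0.113.10",
     "endpoint_b": "198.51.100.20", "psk": "password1234"},
    {"name": "pb-branch1", "kind": "policy-based", "endpoint_a": "198.51.100.20",
     "endpoint_b": "203.0.113.10"},
    {"name": "rb-branch2", "kind": "route-based", "endpoint_a": "203.0.113.11",
     "endpoint_b": "198.51.100.30", "psk": "q7Vx9Lm2Pz4Rt8Kw1Nc5Hb3Jd6Fg0Yu2Sa4Ep8Wi"},
]

if __name__ == "__main__":
    for name, found in validate_tunnels(SAMPLE_TUNNELS).items():
        print(name, found or "OK")
```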