Create External VPN Broker Gateway elements for VPN Broker high availability

External VPN Broker Gateways are remote VPN Broker gateways that are managed by a different NGFW Manager. You must create one External VPN Broker Gateway element to represent each remote VPN Broker gateway in each NGFW Manager.

Steps

  1. Browse to SD-WAN > VPN Broker > VPN Broker Gateway.


  2. Click New > External VPN Broker Gateway.
  3. Add a row in one of the following ways:
    • Click > Add VPN Endpoint to add the first row.
    • Click > New > VPN Broker Endpoint Before to add a row above the selected row.
    • Click > New > VPN Broker Endpoint After to add a row below the selected row.
  4. Configure the settings, then click Save.

Example

Fields marked with an asterisk in the user interface are mandatory.

Table 1. External VPN Broker Gateway properties
Option Definition

Endpoints table

To edit the contents of a cell, click the cell.

Click > New > VPN Broker Endpoint Before or > New > VPN Broker Endpoint After to add a row.

Info You can enter a name and a comment for the endpoint.
Endpoint Address Enter the IP address of the remote gateway.
Endpoint Class

Select a default system Connectivity Type element that has the appropriate mode selected. Type part of the name of an element or browse through the drop-down list to select an element.

The following system Connectivity Type elements are available:

  • Active — The link is always used. If there are multiple links in Active mode between the Gateways, the VPN traffic is load-balanced between the links based on the load of the links. VPN traffic is directed to the link that has the lowest load.
  • Aggregate — The link is always used, and each VPN connection is load-balanced in round-robin fashion between all the links that are in Aggregate mode. For example, if there are two links in Aggregate mode, a new VPN connection is directed to both links.
  • Standby — The link is used only when all Active or Aggregate mode links are unusable.
Enabled When selected, the endpoint is enabled. You can temporarily disable the endpoint without deleting it.
Used for Client Gateways When Yes is selected, VPN Broker members can communicate using the endpoint.

If there is an intermediate NAT device between this VPN Broker and VPN Broker members, add a contact address.

Used for Broker Servers When Yes is selected, external VPN Broker gateways can communicate using the endpoint.

If there is an intermediate NAT device between this VPN Broker and other VPN Broker gateways, add a contact address.

Shared Secret

To specify the shared secret that VPN Broker Gateways use to authenticate each other in a high availability configuration, click Shared Secret, enter the shared secret, then click Save.

Tip: We recommend that you make a note of the shared secret.
Note: Enter the same shared secret in the properties of each VPN Broker Gateway in the same VPN Broker Domain.
VPN Broker Gateway ID

Enter a unique ID number for the VPN Broker Gateway as an integer. The allowed range is 1–255.

Note: In the NGFW Manager, you enter the VPN Broker Gateway ID as a decimal number. However, the ID is converted internally to a hexadecimal number. For example, an ID of 10 is converted to 0A in the MAC address of the VPN Broker Gateway. The allowed range in hexadecimal numbers is 1–FF.

When a log entry is generated, the SMC uses this value to identify the VPN Broker that generated the log entry.

Tip: We recommend that you make a note of the VPN Broker Gateway ID for each VPN Broker Gateway.

Next steps

Create identical VPN Broker Member elements in each NGFW Manager.