Define VPN topology for policy-based VPNs
For a valid policy-based VPN, you must have at least two gateways in the VPN. At least one of the gateways must be listed as a central gateway. The satellite gateways list can be left empty (for a full-mesh topology).
The VPN topology determines the following:
- Which gateways are included in the VPN.
- Which gateways form tunnels with each other.
- Which gateways contact each other through a hub gateway instead of contacting each other directly.
You define general VPN topology by classifying gateways as Central Gateways or Satellite Gateways. This classification defines which tunnels are generated on the Tunnels tab, and which gateways can be selected for mobile VPN access on the Mobile VPN tab.
IPv4 Access rules control which connections use the VPN tunnels. Always check the Access rules after you add or remove tunnels.
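The topology rules on this page can be modeled to preview which gateway pairs get tunnels and which tunnels a reclassification adds or removes, so the matching Access rules can be reviewed. This is an added example, not product code or an SMC API; the function names and gateway names are assumptions made for illustration.

```python
from itertools import combinations

def validate_topology(central, satellite):
    """Return the list of rule violations (empty list = valid topology)."""
    problems = []
    if len(set(central) | set(satellite)) < 2:
        problems.append("need at least two gateways in the VPN")
    if not central:
        problems.append("need at least one central gateway")
    return problems

def expected_tunnels(central, satellite):
    """Gateway pairs that get a tunnel under the central/satellite rules."""
    problems = validate_topology(central, satellite)
    if problems:
        raise ValueError("; ".join(problems))
    # Central gateways can establish a VPN with any other gateway.
    pairs = set(combinations(sorted(set(central)), 2))
    # Satellite gateways can establish a VPN only with central gateways.
    pairs |= {tuple(sorted((c, s))) for c in central for s in satellite if c != s}
    return pairs

def hub_only_pairs(satellite):
    """Satellite pairs with no direct tunnel; they can only meet via a hub."""
    return set(combinations(sorted(set(satellite)), 2))

def tunnel_changes(before, after):
    """(added, removed) tunnels: the pairs whose Access rules need a re-check."""
    return sorted(after - before), sorted(before - after)

if __name__ == "__main__":
    # Constructed gateway names, not taken from any real configuration.
    star = expected_tunnels(["hq-fw"], ["branch-1", "branch-2"])
    promoted = expected_tunnels(["hq-fw", "branch-1"], ["branch-2"])
    added, removed = tunnel_changes(star, promoted)
    print("star tunnels:     ", sorted(star))
    print("no direct tunnel: ", sorted(hub_only_pairs(["branch-1", "branch-2"])))
    print("added by change:  ", added)
    print("removed by change:", removed)
```

Promoting a satellite to a central gateway silently adds direct tunnels to every other gateway, which is the case the Access rule check is meant to catch.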
Steps
Policy-Based SD-WAN editing view
Use this view to create and modify policy-based VPNs.
Option | Definition |
---|---|
Resources | Use this pane to create and add elements to a VPN. |
Search | Opens a search field for the selected element list. |
Up (Backspace) | Returns to the previous folder. |
New | Opens the associated dialog box to create an element. |
Tools | |
Option | Definition |
---|---|
Editor toolbar | |
Save | Saves the changes. |
Tools menu | |
Properties | Opens the SD-WAN Properties dialog box. |
Sign VPN Client Certificate | Opens the Sign VPN Client Certificate dialog box. |
Filter by Gateway | Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab. |
Filter by Engine | Shows only tunnels where the selected engine is used. Only available on the Tunnels tab. |
No Filtering | Disables filtering. |
Option | Definition |
---|---|
Site-to-Site SD-WAN tab | |
Central Gateways list | Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN. |
Satellite Gateways list | Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN. |
Option | Definition |
---|---|
Mobile VPN tab | |
Select engines that provide Mobile VPN Access | Specifies the gateways that can be selected for mobile VPN access. |
Option | Definition |
---|---|
Tunnels tab | |
Gateway A or Gateway B | VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements. Right-clicking this type of cell opens these menu items: |
SD-WAN Profile | To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel. Right-clicking this type of cell opens these menu items: |
Key | Verifies if the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use. To view, change, or export the pre-shared key, double-click . Right-clicking this type of cell opens these menu items: |
Validity | Verifies if the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View issues. You must resolve all problems indicated in the messages shown. Right-clicking this type of cell opens these menu items: |
Forwarding Gateways | Right-clicking this type of cell opens these menu items: |
Endpoint A or Endpoint B | Select the endpoint IP addresses. You cannot use the same endpoint in a Route-based VPN tunnel and a Policy-based VPN tunnel. If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address. Right-clicking this type of cell opens these menu items: |
IPsec Profile | Right-clicking this type of cell opens these menu items: |
Mode | Determines how the tunnel is used in a Multi-Link VPN. Right-clicking this type of cell opens these menu items: |
Validity | Verifies if the tunnel is valid. Right-clicking this type of cell opens these menu items: |
Option | Definition |
---|---|
Panes in the Policy-Based SD-WAN editing view | |
Info pane | Shows information about the selected element. |
Issues pane | Shows issues in the VPN configuration, such as incompatible settings. |
Link Summary pane | Shows a summary of the policy-based VPN configuration. |
Issues pane (Policy-Based SD-WAN editing view)
Use this pane to view and solve VPN issues.
Option | Definition |
---|---|
Description | A description of the issue and recommendations for troubleshooting. |
Gateway A | The name of the VPN Gateway element. |
Endpoint A | The IP address of VPN endpoint A. |
Gateway B | The name of the VPN Gateway element or the External VPN Gateway element. |
Endpoint B | The IP address of VPN endpoint B. |