Defining VPN gateways
VPN Gateway and External VPN Gateway elements represent the physical devices that establish the VPN in the configuration.
- VPN Gateway elements represent Secure SD-WAN Engines that are managed by the Management Server and administrative Domain that you are currently connected to with your Management Client. One VPN Gateway element is automatically created for each Secure SD-WAN Engine in the Engine/VPN role. You can optionally add more VPN Gateways to the Engine.
  Each VPN Gateway can have multiple VPN endpoints, but each endpoint can belong to only one VPN Gateway. For example, a Multi-Link VPN configuration requires a VPN Gateway with multiple endpoints.
- External VPN Gateway elements represent all other gateway devices. Secure SD-WAN Engines that are managed by a different Management Server or administrative Domain are also External VPN Gateway elements. External VPN Gateway elements define settings for the external gateway devices in their role as VPN gateways.
Only one VPN Gateway or External VPN Gateway element is required for each device, even if there are many VPNs. You can use the same Gateway in several different VPNs, possibly overriding some of the Gateway’s settings as necessary. You can create several Gateway elements to represent the same Engine. However, each Gateway element reserves a VPN endpoint (IP address) that other Gateway elements cannot use. You cannot use the same pair of endpoints for VPN tunnels in several configurations for a single Secure SD-WAN Engine.
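The two reservation rules above (an endpoint belongs to only one Gateway element; a pair of endpoints cannot be reused for tunnels in several VPN configurations on one Engine) are the kind of thing worth checking before a policy is installed. The following is an added example, not Forcepoint's code or data model: it models Gateway elements and VPNs as plain Python records and flags violations of both rules. The element names, engine names and IP addresses are constructed sample values.

```python
"""Added example: validator for the VPN Gateway reservation rules described above.

Assumptions (illustrative, not the Management Client's own data model):
- a Gateway element is a name, the engine or external device it represents,
  and the set of endpoint IP addresses it reserves;
- a VPN is a name and a list of (endpoint_a, endpoint_b) tunnel pairs.
All sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayElement:
    name: str
    engine: str            # engine (or external device) this element represents
    endpoints: frozenset   # endpoint IP addresses reserved by this element


@dataclass(frozen=True)
class VpnElement:
    name: str
    tunnels: tuple         # tuple of (endpoint_a, endpoint_b) pairs


def endpoint_conflicts(gateways):
    """Return (endpoint, first_owner, other_owner) for every endpoint that more
    than one Gateway element tries to reserve; each endpoint may belong to one."""
    owner = {}
    conflicts = []
    for gw in gateways:
        for ep in sorted(gw.endpoints):
            if ep in owner:
                conflicts.append((ep, owner[ep], gw.name))
            else:
                owner[ep] = gw.name
    return conflicts


def tunnel_pair_conflicts(vpns):
    """Return (endpoint_pair, first_vpn, other_vpn) for every endpoint pair that is
    used for tunnels in more than one VPN configuration. Pairs are direction-free:
    (a, b) and (b, a) are the same pair."""
    first_use = {}
    conflicts = []
    for vpn in vpns:
        for a, b in vpn.tunnels:
            pair = tuple(sorted((a, b)))
            if pair in first_use and first_use[pair] != vpn.name:
                conflicts.append((pair, first_use[pair], vpn.name))
            else:
                first_use.setdefault(pair, vpn.name)
    return conflicts


def validate(gateways, vpns):
    """True when neither rule is violated."""
    return not endpoint_conflicts(gateways) and not tunnel_pair_conflicts(vpns)


# Constructed sample: a Multi-Link gateway on engine "hq-fw" with two endpoints,
# a second (misconfigured) Gateway element on the same engine that re-reserves
# one of those endpoints, and an External VPN Gateway for a partner device.
SAMPLE_GATEWAYS = (
    GatewayElement("HQ Gateway", "hq-fw", frozenset({"198.51.100.10", "203.0.113.10"})),
    GatewayElement("HQ Gateway 2", "hq-fw", frozenset({"198.51.100.10"})),
    GatewayElement("Partner Gateway", "partner-device", frozenset({"192.0.2.20"})),
)

# Constructed sample: the second VPN reuses an endpoint pair the first already uses.
SAMPLE_VPNS = (
    VpnElement("Site-to-Partner", (("198.51.100.10", "192.0.2.20"),
                                   ("203.0.113.10", "192.0.2.20"))),
    VpnElement("Backup-to-Partner", (("192.0.2.20", "198.51.100.10"),)),
)


if __name__ == "__main__":
    for ep, first, other in endpoint_conflicts(SAMPLE_GATEWAYS):
        print(f"endpoint {ep} reserved by {first!r} is also claimed by {other!r}")
    for pair, first, other in tunnel_pair_conflicts(SAMPLE_VPNS):
        print(f"endpoint pair {pair} used in {first!r} is reused in {other!r}")
    print("configuration valid:", validate(SAMPLE_GATEWAYS, SAMPLE_VPNS))
```

Run as a script it reports both violations in the constructed sample; dropping "HQ Gateway 2" and giving "Backup-to-Partner" its own endpoint pair makes `validate` return True.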
The predefined VPN Client element represents all instances of the Forcepoint VPN Client and third-party IPsec VPN clients in mobile VPNs. When you set up a mobile VPN with the Forcepoint VPN Client, the VPN Client element must always be used. Usually, we recommend using the element with third-party VPN clients as well. However, it is possible to configure an individual third-party VPN client using an External VPN Gateway element if there is a specific need to do so. In this configuration, only one client at a time can connect to each gateway.