You can use a policy-based VPN to provide encryption for route-based VPN tunnels.
Before you begin
Define the policy-based VPN that provides the encryption.
Using a policy-based VPN to encrypt tunnels in a route-based VPN allows you to do the following:
- Encrypt multiple tunnels in the same VPN tunnel. This configuration improves compatibility with third-party devices and cloud-based services that do not support multiple, separately encrypted tunnels.
- Create multiple tunnels between remote and local sites when only one public IP address is available.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Create a Host element.
  - Select Configuration, then browse to Network Elements.
  - Right-click Hosts, then select New Host.
  - In the IPv4 Address or IPv6 Address field, enter the same IP address as the endpoint you use in the route-based VPN.
    Note: You might receive a warning that the IP address of the Host element is not unique. Ignore the warning and save the element.
  - Configure the other settings according to your needs.
  - Click OK.
- Configure the VPN settings for the engine that acts as the VPN gateway.
  - Right-click the Secure SD-WAN Engine, then select Edit <element type>.
  - Browse to , then define at least two endpoints: one for the policy-based VPN and one for the route-based VPN.
  - Browse to Sites, then add the Host element to the site for the VPN Gateway.
  - Click Save.
- Configure the policy-based VPN that provides the encryption.
  - Open the policy-based VPN for editing.
  - On the Site-to-Site SD-WAN tab, add the VPN Gateway that represents the engine to the Central Gateways or Satellite Gateways list.
  - Click Save.
- Create the Route-Based VPN Tunnel element.
  - Select Configuration, then browse to Secure SD-WAN.
  - Browse to Route-Based SD-WAN Tunnels.
  - Right-click Route-Based SD-WAN Tunnels, then select New Route-Based SD-WAN Tunnel.
  - Use the following settings:

    | Setting | Configuration |
    | --- | --- |
    | Tunnel type | GRE, IP-IP, or SIT. |
    | Encryption | Tunnel Mode. |
    | VPN | Select the policy-based VPN that provides the encryption. |
    | Local engine | Select the same VPN Gateway that is used in the policy-based VPN. |
    | CVI | Select the CVI that has the same IP address as the endpoint that is used in the policy-based VPN. |

    Configure the other settings according to your needs.
  - Click OK.
- Add Access rules to allow traffic between the internal network and the networks that are reachable through the route-based VPN tunnels.
  Note: The Access rules that direct the route-based VPN traffic into the policy-based VPN are automatically generated for the Engines associated with the VPN Gateway elements. The rules are not visible in the Engine policy, and cannot be edited. If a policy that contains the automatically generated rules is installed on an Engine that is not involved in the VPN, the rules are ignored.
  - Open the Engine policy for editing.
  - Add IPv4 Access rules or IPv6 Access rules that have the following settings:

    | Source | Destination | Service | Action |
    | --- | --- | --- | --- |
    | Elements that represent the internal network | Elements that represent the networks that are reachable through the route-based VPN tunnels. | Select a service, or set to ANY. | Allow |

    Configure the other settings for the rules according to your needs.
  - Click Save.
- Install the policy on all Engines that are involved in the VPNs.
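As an added example (not part of the product documentation or its management API), the following Python check models the elements created in the steps above as plain dictionaries and verifies the cross-references the procedure depends on: the tunnel uses GRE, IP-IP or SIT with Tunnel Mode encryption, the local engine is a central or satellite gateway of the selected policy-based VPN, the gateway has separate endpoints for both VPNs, the CVI matches the policy-based VPN endpoint, and a Host element carrying the route-based endpoint's IP exists in the gateway's Site. The element names, IP addresses and dictionary layout are constructed assumptions for illustration.

```python
# Added example: pre-flight consistency check for the elements this procedure creates.
# The dictionary layout is a constructed, hypothetical model, not the product's own API.

ALLOWED_TUNNEL_TYPES = {"GRE", "IP-IP", "SIT"}


def check_tunnel(tunnel, gateways, policy_vpns):
    """Return a list of findings; an empty list means the elements agree with each other."""
    f = []
    if tunnel["tunnel_type"] not in ALLOWED_TUNNEL_TYPES:
        f.append(f"tunnel type {tunnel['tunnel_type']} is not GRE, IP-IP or SIT")
    if tunnel["encryption"] != "Tunnel Mode":
        f.append("encryption must be Tunnel Mode")
    vpn = policy_vpns.get(tunnel["vpn"])
    gw = gateways.get(tunnel["local_engine"])
    if vpn is None or gw is None:
        f.append("policy-based VPN or VPN Gateway does not exist")
        return f
    if tunnel["local_engine"] not in vpn["gateways"]:
        f.append("local engine is not a central or satellite gateway of the policy-based VPN")
    if len(gw["endpoints"]) < 2:
        f.append("gateway needs separate endpoints for the policy-based and route-based VPNs")
    if vpn["endpoint_ip"] not in gw["endpoints"]:
        f.append("policy-based VPN endpoint is not an endpoint of the gateway")
    if tunnel["cvi_ip"] != vpn["endpoint_ip"]:
        f.append(f"CVI {tunnel['cvi_ip']} differs from policy-based VPN endpoint {vpn['endpoint_ip']}")
    rb_ip = tunnel["route_based_endpoint_ip"]
    if rb_ip not in gw["endpoints"]:
        f.append(f"route-based endpoint {rb_ip} is not an endpoint of the gateway")
    if rb_ip not in gw["site_hosts"]:  # the Host element added to the gateway's Site
        f.append(f"no Host element with IP {rb_ip} in the gateway's Site")
    return f


# Constructed sample elements (all names and addresses are illustrative).
GATEWAYS = {"hq-gw": {"endpoints": ["198.51.100.10", "198.51.100.11"],
                      "site_hosts": ["198.51.100.11"]}}
POLICY_VPNS = {"hub-ipsec": {"gateways": ["hq-gw"], "endpoint_ip": "198.51.100.10"}}
GOOD_TUNNEL = {"tunnel_type": "GRE", "encryption": "Tunnel Mode", "vpn": "hub-ipsec",
               "local_engine": "hq-gw", "cvi_ip": "198.51.100.10",
               "route_based_endpoint_ip": "198.51.100.11"}


def demo():
    """Check a consistent tunnel and one whose CVI points at the route-based endpoint instead."""
    bad = dict(GOOD_TUNNEL, cvi_ip="198.51.100.11")
    return (check_tunnel(GOOD_TUNNEL, GATEWAYS, POLICY_VPNS),
            check_tunnel(bad, GATEWAYS, POLICY_VPNS))
```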