Use a policy-based VPN to encrypt tunnels in route-based VPNs

You can use a policy-based VPN to provide encryption for route-based VPN tunnels.

Before you begin

Define the policy-based VPN that provides the encryption.

Using a policy-based VPN to encrypt tunnels in a route-based VPN allows you to do the following:

  • Carry multiple route-based tunnels inside a single encrypted IPsec tunnel. This configuration improves compatibility with third-party devices and cloud-based services that do not support multiple, separately encrypted tunnels.
  • Create multiple tunnels between remote and local sites when only one public IP address is available, because all route-based tunnels share the one endpoint of the policy-based VPN.


Steps

  1. Create a Host element.
    1. Select Configuration, then browse to Network Elements.
    2. Right-click Hosts, then select New Host.
    3. In the IPv4 Address or IPv6 Address field, enter the same IP address as the endpoint you use in the route-based VPN.
      Note: You might receive a warning that the IP address of the Host element is not unique. Ignore the warning and save the element.
    4. Configure the other settings according to your needs.
    5. Click OK.
  2. Configure the VPN settings for the engine that acts as the VPN gateway.
    1. Right-click the Secure SD-WAN Engine, then select Edit <element type>.
    2. Browse to SD-WAN > Endpoints, then define at least two endpoints: one for the policy-based VPN and one for the route-based VPN.
    3. Browse to Sites, then add the Host element to the site for the VPN Gateway.
    4. Click Save.
  3. Configure the policy-based VPN that provides the encryption.
    1. Open the policy-based VPN for editing.
    2. On the Site-to-Site SD-WAN tab, add the VPN Gateway that represents the engine to the Central Gateways or Satellite Gateways list.
    3. Click Save.
  4. Create the Route-Based VPN Tunnel element.
    1. Select Configuration, then browse to Secure SD-WAN.
    2. Browse to Route-Based SD-WAN Tunnels.
    3. Right-click Route-Based SD-WAN Tunnels, then select New Route-Based SD-WAN Tunnel.
    4. Use the following settings:
       Setting        Configuration
       Tunnel type    GRE, IP-IP, or SIT.
       Encryption     Tunnel Mode.
       VPN            Select the policy-based VPN that provides the encryption.
       Local engine   Select the same VPN Gateway that is used in the policy-based VPN.
       CVI            Select the CVI that has the same IP address as the endpoint that is used in the policy-based VPN.

       Configure the other settings according to your needs.

    5. Click OK.
  5. Add Access rules to allow traffic between the internal network and the networks that are reachable through the route-based VPN tunnels.
    Note: The Access rules that direct the route-based VPN traffic into the policy-based VPN are generated automatically for the Engines associated with the VPN Gateway elements. These rules are not visible in the Engine policy and cannot be edited. If a policy that contains the automatically generated rules is installed on an Engine that is not involved in the VPN, the rules are ignored.
    1. Open the Engine policy for editing.
    2. Add IPv4 Access rules or IPv6 Access rules that have the following settings:
       Source        Elements that represent the internal network.
       Destination   Elements that represent the networks that are reachable through the route-based VPN tunnels.
       Service       Select a service, or set to ANY.
       Action        Allow.

       Configure the other settings for the rules according to your needs.
    3. Click Save.
    4. Install the policy on all Engines that are involved in the VPNs.
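
The procedure above depends on one invariant: the outer packets that a route-based tunnel produces (GRE, IP-IP or SIT between the two endpoints) must fall inside the traffic selectors of the policy-based VPN, which is why the Host element, the CVI and the tunnel's local engine all have to use the same endpoint address. The following model, added here as an example and not Forcepoint product code, makes that dependency visible: it encapsulates an inner packet in the tunnel's outer header and checks the result against endpoint-to-endpoint IPsec selectors. The addresses (RFC 5737 documentation ranges), tunnel names, GRE keys and selector definitions are constructed for the demonstration, and the assumption that the policy-based VPN selects traffic by endpoint pair and IP protocol is the model's, not a statement about the engine's internal rule format.

```python
"""Model of a policy-based IPsec VPN carrying route-based (GRE / IP-IP / SIT) tunnels.

Constructed example, not Forcepoint product code. It shows why every route-based
tunnel must use the same endpoint address as the policy-based VPN: an outer packet
whose addresses or IP protocol match no IPsec selector is never encrypted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IANA IP protocol numbers of the outer header each tunnel type produces.
TUNNEL_PROTO = {"GRE": 47, "IP-IP": 4, "SIT": 41}


@dataclass(frozen=True)
class RouteBasedTunnel:
    name: str
    tunnel_type: str               # "GRE", "IP-IP" or "SIT"
    local_endpoint: str            # outer source address (the CVI / endpoint)
    remote_endpoint: str           # outer destination address (remote endpoint)
    inner_network: str             # network reachable through the tunnel
    gre_key: Optional[int] = None  # lets several GRE tunnels share one endpoint pair


@dataclass(frozen=True)
class IpsecSelector:
    """Traffic selector of one policy-based VPN tunnel (assumed endpoint-to-endpoint)."""
    local_endpoint: str
    remote_endpoint: str
    proto: Optional[int] = None    # None matches any IP protocol

    def describe(self) -> str:
        proto = "any" if self.proto is None else str(self.proto)
        return f"{self.local_endpoint}->{self.remote_endpoint} proto {proto}"


@dataclass(frozen=True)
class OuterPacket:
    src: str
    dst: str
    proto: int
    gre_key: Optional[int]


def encapsulate(tunnel: RouteBasedTunnel, inner_dst: str) -> OuterPacket:
    """Build the outer packet a route-based tunnel emits for an inner destination.

    Raises ValueError when routing would not hand the packet to this tunnel at all,
    or when a key is configured on a tunnel type that cannot carry one.
    """
    if ip_address(inner_dst) not in ip_network(tunnel.inner_network):
        raise ValueError(f"{inner_dst} is not routed through {tunnel.name}")
    if tunnel.tunnel_type != "GRE" and tunnel.gre_key is not None:
        raise ValueError("only GRE tunnels carry a key")
    return OuterPacket(tunnel.local_endpoint, tunnel.remote_endpoint,
                       TUNNEL_PROTO[tunnel.tunnel_type], tunnel.gre_key)


def matching_selector(pkt: OuterPacket,
                      selectors: list[IpsecSelector]) -> Optional[IpsecSelector]:
    """Return the first selector whose endpoint pair and protocol cover the packet."""
    for sel in selectors:
        if (ip_address(pkt.src) == ip_address(sel.local_endpoint)
                and ip_address(pkt.dst) == ip_address(sel.remote_endpoint)
                and (sel.proto is None or sel.proto == pkt.proto)):
            return sel
    return None


def audit(tunnels: list[RouteBasedTunnel],
          selectors: list[IpsecSelector]) -> dict[str, Optional[str]]:
    """Map each tunnel name to the selector that encrypts it, or None if nothing does.

    Tunnels mapped to the same selector string share one IPsec tunnel, which is the
    "multiple tunnels in one encrypted tunnel" arrangement. A None entry means the
    tunnel's outer packets are outside the policy-based VPN: a misconfiguration.
    """
    report: dict[str, Optional[str]] = {}
    for t in tunnels:
        probe = str(next(ip_network(t.inner_network).hosts()))  # any inner host
        sel = matching_selector(encapsulate(t, probe), selectors)
        report[t.name] = None if sel is None else sel.describe()
    return report


# Constructed sample configuration: one policy-based VPN between two endpoints,
# four route-based tunnels, one of them with a mismatched local endpoint.
POLICY_VPN = [IpsecSelector("203.0.113.10", "198.51.100.20", TUNNEL_PROTO["GRE"])]
TUNNELS = [
    RouteBasedTunnel("gre-site-a", "GRE", "203.0.113.10", "198.51.100.20", "10.1.0.0/24", gre_key=1),
    RouteBasedTunnel("gre-site-a-mgmt", "GRE", "203.0.113.10", "198.51.100.20", "10.2.0.0/24", gre_key=2),
    RouteBasedTunnel("gre-wrong-endpoint", "GRE", "203.0.113.11", "198.51.100.20", "10.3.0.0/24"),
    RouteBasedTunnel("ipip-site-a", "IP-IP", "203.0.113.10", "198.51.100.20", "10.4.0.0/24"),
]

if __name__ == "__main__":
    for name, sa in audit(TUNNELS, POLICY_VPN).items():
        print(f"{name:20s} {sa or 'NOT ENCRYPTED: no matching policy-based VPN selector'}")
```

In the sample, the two keyed GRE tunnels resolve to the same selector and therefore ride the same IPsec tunnel, the tunnel whose local endpoint differs by one address matches nothing, and the IP-IP tunnel only becomes covered once the selector accepts any protocol. What a real engine does with an unmatched outer packet (drop it, or forward it in cleartext if an Access rule allows it) depends on its policy; the model only flags the gap, which is the check worth running before you install the policy in step 5.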