Edit a Policy-based VPN
The Policy-based VPN element can be configured in two ways. The basic properties are defined in the Policy-Based VPN element’s properties. All other settings, including the gateways, Sites, and tunnels, are configured in the Policy-Based VPN editing view.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Configuration, then browse to Secure SD-WAN.
- Browse to Policy-Based SD-WAN.
- Open the correct view for the settings that you want to edit:
  - To edit the basic properties, right-click the Policy-Based SD-WAN element, then select Properties.
  - To adjust the other settings, right-click the Policy-Based SD-WAN element, then select Edit <element name>.
Policy-Based SD-WAN Properties dialog box
Use this dialog box to change the properties of a Policy-based VPN.
Option | Definition |
---|---|
Name | The name of the element. |
Default SD-WAN Profile | Specifies the default VPN profile for the VPN. By default, this profile is used for all tunnels, but you can override the selection for individual tunnels. |
Link Usage Profile (Optional) | To use dynamic link selection for Multi-Link VPNs, select a Link Usage Profile element. When you select a Link Usage Profile element in the properties of a policy-based VPN, route-based VPN tunnel group, or a VPN broker domain, the settings defined in the Link Usage Profile element are applied to all tunnels in the VPN according to their link types. |
DSCP QoS Policy (Optional) | Defines how DSCP matching or marking is done for VPN traffic in one of the following ways: |
Apply NAT to traffic that uses this SD-WAN (Optional) | Select this option if you want the NAT rules in the Engine Policy to apply to traffic that it sends into or receives from the VPN, or if you want to use the NAT Pool feature to translate VPN client connections. This option affects the traffic that is transported inside the tunnels. This option does not affect the tunnel negotiations or the encrypted packets between gateways. These communications are always matched to NAT rules. |
Category (Optional) | Includes the element in predefined categories. Click Select to select a category. |
Comment (Optional) | A comment for your own reference. |
Policy-Based SD-WAN editing view
Use this view to create and modify policy-based VPNs.
Option | Definition |
---|---|
Resources | Use this pane to create and add elements to a VPN. |
Search | Opens a search field for the selected element list. |
Up (Backspace) | Returns to the previous folder. |
New | Opens the associated dialog box to create an element. |
Tools | |
Option | Definition |
---|---|
Editor toolbar | |
Save | Saves the changes. |
Tools menu | |
Properties | Opens the SD-WAN Properties dialog box. |
Sign VPN Client Certificate | Opens the Sign VPN Client Certificate dialog box. |
Filter by Gateway | Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab. |
Filter by Engine | Shows only tunnels where the selected engine is used. Only available on the Tunnels tab. |
No Filtering | Disables filtering. |
Option | Definition |
---|---|
Site-to-Site SD-WAN tab | |
Central Gateways list | Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN. |
Satellite Gateways list | Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN. |
Option | Definition |
---|---|
Mobile VPN tab | |
Select engines that provide Mobile VPN Access | Specifies the gateways that can be selected for mobile VPN access. |
Option | Definition |
---|---|
Tunnels tab | |
Gateway A or Gateway B | VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements. Right-clicking this type of cell opens these menu items: |
SD-WAN Profile | To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel. Right-clicking this type of cell opens these menu items: |
Key | Verifies if the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use. To view, change, or export the pre-shared key, double-click . Right-clicking this type of cell opens these menu items: |
Validity | Verifies if the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View issues. You must resolve all problems indicated in the messages shown. Right-clicking this type of cell opens these menu items: |
Forwarding Gateways | Right-clicking this type of cell opens these menu items: |
Endpoint A or Endpoint B | Select the endpoint IP addresses. You cannot use the same endpoint in a Route-based VPN tunnel and a Policy-based VPN tunnel. If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address. Right-clicking this type of cell opens these menu items: |
IPsec Profile | Right-clicking this type of cell opens these menu items: |
Mode | Determines how the tunnel is used in a Multi-Link VPN. Right-clicking this type of cell opens these menu items: |
Validity | Verifies if the tunnel is valid. Right-clicking this type of cell opens these menu items: |
Option | Definition |
---|---|
Panes in the Policy-Based SD-WAN editing view | |
Info pane | Shows information about the selected element. |
Issues pane | Shows issues in the VPN configuration, such as incompatible settings. |
Link Summary pane | Shows a summary of the policy-based VPN configuration. |
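
The central/satellite rule from the Site-to-Site SD-WAN tab and the endpoint restriction from the Tunnels tab can be checked against a planned topology before you edit the VPN. The following is an added example, not product code or a management API; the gateway names, addresses, and data layout are constructed for illustration.

```python
from itertools import combinations

# Constructed sample plan: names, roles and addresses are hypothetical.
GATEWAYS = {
    "hq-fw":    {"role": "central",   "endpoints": ["192.0.2.1", "198.51.100.1"]},
    "dc-fw":    {"role": "central",   "endpoints": ["192.0.2.2"]},
    "branch-a": {"role": "satellite", "endpoints": ["203.0.113.10"]},
    "branch-b": {"role": "satellite", "endpoints": ["203.0.113.20"]},
}
# Endpoints already used by route-based VPN tunnels (constructed).
ROUTE_BASED_ENDPOINTS = {"198.51.100.1"}


def allowed_gateway_pairs(gateways):
    """Pairs that may establish a VPN: at least one side is a central gateway."""
    pairs = []
    for a, b in combinations(sorted(gateways), 2):
        if "central" in (gateways[a]["role"], gateways[b]["role"]):
            pairs.append((a, b))
    return pairs


def satellite_only_pairs(gateways):
    """Satellite-to-satellite pairs, which cannot establish a VPN with each other."""
    allowed = set(allowed_gateway_pairs(gateways))
    return [p for p in combinations(sorted(gateways), 2) if p not in allowed]


def endpoint_conflicts(gateways, route_based_endpoints):
    """Endpoints planned for policy-based tunnels that a route-based tunnel already uses."""
    return sorted(
        (name, ip)
        for name, gw in gateways.items()
        for ip in gw["endpoints"]
        if ip in route_based_endpoints
    )


if __name__ == "__main__":
    for a, b in allowed_gateway_pairs(GATEWAYS):
        print(f"tunnel allowed: {a} <-> {b}")
    for a, b in satellite_only_pairs(GATEWAYS):
        print(f"no direct VPN:  {a} <-> {b} (both satellites)")
    for name, ip in endpoint_conflicts(GATEWAYS, ROUTE_BASED_ENDPOINTS):
        print(f"endpoint conflict: {name} {ip} is used by a route-based tunnel")
```
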