Example VPN configuration 1: create a Policy-Based VPN element

In this configuration, you must create a Policy-Based VPN element.

Note: This configuration scenario does not explain all settings related to Policy-Based VPN elements.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Secure SD-WAN.
  2. Right-click Policy-Based SD-WANs in the element tree and select New Policy-Based SD-WAN.
  3. In the Name field, enter a unique name.
  4. In the Default SD-WAN Profile drop-down list, make sure that Suite-B-GCM-128 is selected.
    Note: The VPN Profile element defines most of the IPsec settings. You can optionally create a custom VPN Profile element.
  5. If you want to apply NAT rules to the communications that go through the VPN, select Apply NAT to traffic that uses this SD-WAN.
    This setting does not affect the communications that the two gateways have with each other to set up and maintain the VPN. Communications between the gateways are always matched to the automatic rules or the NAT rules.
  6. Click OK.
    The SD-WAN Editing view opens on the Site-to-Site SD-WAN tab.
  7. To define which gateways can create a VPN with each other, drag and drop two or more VPN Gateway elements from the Resources pane to the Central Gateways or Satellite Gateways lists.
    • If you add a VPN Gateway to the Central Gateways, the VPN Gateway can establish a VPN with any other VPN Gateway in this VPN (both Central and Satellite). Add at least one of the VPN Gateways under Central Gateways.
    • If you add a VPN Gateway to the Satellite Gateways, the VPN Gateway can establish a VPN only with VPN Gateways defined as Central in this VPN. You do not have to add any VPN Gateways to the Satellite Gateways (all gateways can be Central).
    Note: Be careful that you do not accidentally drop VPN Gateway elements on top of other VPN Gateway elements. This configuration creates a hub topology where the top-level VPN Gateway forwards connections from other components to the lower-level VPN Gateway.
  8. On the Tunnels tab, make sure that the Validity column in the Gateway<->Gateway and the End-Point<->End-Point tables has a green check mark to indicate that there are no problems.
    1. If the Validity column of a tunnel has a warning icon, see the Issues pane to check what the problem is. If the pane is not shown, select Menu > View > Panels > Issues.
    2. If issues are shown, correct them as indicated. Long issues are easiest to read by hovering the cursor over the issue text so that the text is shown as a tooltip.
  9. Click Save to save the Policy-Based VPN.

Next steps

Create Access rules

Policy-Based SD-WAN Properties dialog box

Use this dialog box to change the properties of a Policy-based VPN.

Option Definition
Name The name of the element.
Default SD-WAN Profile Specifies the default VPN profile for the VPN.

By default, this profile is used for all tunnels, but you can override the selection for individual tunnels.

Link Usage Profile

(Optional)

To use dynamic link selection for Multi-Link VPNs, select a Link Usage Profile element.

When you select a Link Usage Profile element in the properties of a policy-based VPN, route-based VPN tunnel group, or a VPN broker domain, the settings defined in the Link Usage Profile element are applied to all tunnels in the VPN according to their link types.

DSCP QoS Policy

(Optional)

Defines how DSCP matching or marking is done for VPN traffic in one of the following ways:
  • Select an existing QoS Policy from the list.
  • Select Select, then select an existing QoS Policy or click Tools > New to create a QoS Policy.
Apply NAT to traffic that uses this SD-WAN

(Optional)

Select this option if you want the NAT rules in the Engine Policy to apply to traffic that it sends into or receives from the VPN, or if you want to use the NAT Pool feature to translate VPN client connections. This option affects the traffic that is transported inside the tunnels. This option does not affect the tunnel negotiations or the encrypted packets between gateways. These communications are always matched to NAT rules.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Comment

(Optional)

A comment for your own reference.

Policy-Based SD-WAN editing view

Use this view to create and modify policy-based VPNs.

Option Definition
Resources Use this pane to create and add elements to a VPN.
Search Opens a search field for the selected element list.
Up (Backspace) Returns to the previous folder.
New Opens the associated dialog box to create an element.
Tools
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the interface tree.
  • Sign VPN Client Certificate — Opens the Sign VPN Client Certificate dialog box.
  • Show Certificates — Shows certificates for VPN gateways.
  • Show Sites — Shows sites for VPN gateways.
  • Show Certificate Requests — Shows certificate requests for VPN gateways.
Option Definition
Editor toolbar
Save Saves the changes.
Tools menu
Properties Opens the SD-WAN Properties dialog box.
Sign VPN Client Certificate Opens the Sign VPN Client Certificate dialog box.
Filter by Gateway Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab.
Filter by Engine Shows only tunnels where the selected engine is used. Only available on the Tunnels tab.
No Filtering Disables filtering.
Option Definition
Site-to-Site SD-WAN tab
Central Gateways list Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN.
Satellite Gateways list Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN.
Option Definition
Mobile VPN tab
Select engines that provide Mobile VPN Access Specifies the gateways that can be selected for mobile VPN access.
  • None — None of the VPN gateways provide mobile VPN access.
  • Only central Gateways from overall topology — Only the SD-WAN Gateways in the Central Gateways list on the Site-to-Site SD-WAN tab provide mobile VPN access.
  • All Gateways from overall topology — All VPN Gateways included in the VPN provide mobile VPN access.
  • Selected Gateways below — Only the VPN Gateways that you add to the Mobile VPN Gateways tree provide mobile VPN access.
Option Definition
Tunnels tab
Gateway A or Gateway B VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements.
Right-clicking this type of cell opens these menu items:
  • Properties — Opens the element properties. For VPN Gateway elements, this action opens the Engine Editor.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate Regular Missing Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Monitoring — Opens the Logs view or another Monitoring view according to the option selected from the Monitoring menu.
  • Add Category — Adds a Category to the selected element.
  • Tools
    • Export Elements — Exports the selected element.
    • Generate Certificate — Opens the Generate Certificate dialog box.
    • Export iOS SD-WAN Configuration Profile — Exports a configuration profile for Forcepoint VPN Client for iOS.
    • Save Gateway Contact Information — Saves the contact information for the selected gateway.
    • Lock — Prevents edits until the element is unlocked. Opens the Lock Properties dialog box.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
SD-WAN Profile

To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel.

Right-clicking this type of cell opens these menu items:
  • Edit SD-WAN Profile — Opens a menu from which you can select the VPN Profile.
  • Properties — Opens the SD-WAN Profile Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Select Profile — Opens the Select Profile dialog box.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Tools
    • Export Elements — Exports the selected element.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
Key Verifies if the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use.

To view, change, or export the pre-shared key, double-click .

Right-clicking this type of cell opens these menu items:
  • Edit Key — Opens the Pre-Shared Key dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Validity Verifies if the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View issues. You must resolve all problems indicated in the messages shown.
Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Forwarding Gateways Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Endpoint A or Endpoint B

Select the endpoint IP addresses. You cannot use the same endpoint in a Route-based VPN tunnel and a Policy-based VPN tunnel.

If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address.

Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Logs by SD-WAN Endpoint — Opens the Logs view and shows log data related to the VPN endpoint.
IPsec Profile Right-clicking this type of cell opens these menu items:
  • Edit IPsec Profile — Opens the SD-WAN Profile Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Select Profile — Opens the Select Profile dialog box.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Tools
    • Export Elements — Exports the selected element.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
Mode Determines how the tunnel is used in a Multi-Link VPN.
Right-clicking this type of cell opens these menu items:
  • Edit Mode — Opens the Link Mode Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Standby — The link is used only when all Active or Aggregate mode links are unusable.
  • Active — The link is always used.

    If there are multiple links in Active mode between the Gateways, the VPN traffic is load-balanced between the links based on the links’ load. VPN traffic is directed to the link that has the lowest load.

  • Aggregate — The link is always used and each VPN connection is load-balanced in round robin fashion between all the links that are in the Aggregate mode.

    For example, if there are two links in Aggregate mode, a new VPN connection is directed to both links.

  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Validity Verifies if the tunnel is valid.
Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Option Definition
Panes in the Policy-Based SD-WAN editing view
Info pane Shows information about the selected element.
Issues pane Shows issues in the VPN configuration, such as incompatible settings.
Link Summary pane Shows a summary of the policy-based VPN configuration.