Use a policy-based VPN to encrypt tunnels in route-based VPNs

You can use a policy-based VPN to provide encryption for Route-based Tunnels.

Before you begin

Define the policy-based VPN that provides the encryption.

Using a policy-based VPN to encrypt tunnels in a Route-based Tunnels allows you to do the following:

  • Encrypt multiple tunnels in the same VPN tunnel. This configuration improves compatibility with third-party devices and cloud-based services that do not support multiple, separately encrypted tunnels.
  • Create multiple tunnels between remote and local sites when only one public IP address is available.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Create a Host element.
    1. Select Network Elements.
    2. Right-click Hosts, then select New Host.
    3. In the IPv4 Address or IPv6 Address field, enter the same IP address as the endpoint you use in the Route-based Tunnels.
      Note: You might receive a warning that the IP address of the Host element is not unique. Ignore the warning and save the element.
    4. Configure the other settings according to your needs.
    5. Click OK.
  2. Configure the VPN settings for the engine that acts as the VPN gateway.
    1. Select Engine Configuration.
    2. Right-click the Security Engine, then select Edit <element type>.
    3. Browse to VPN > Endpoints, then define at least two endpoints: one for the policy-based VPN and one for the Route-based Tunnels.
    4. Browse to Sites, then add the Host element to the site for the VPN Gateway.
    5. Click Save.
  3. Configure the policy-based VPN that provides the encryption.
    1. Select Secure SD-WAN Configuration.
    2. Browse to Policy-Based VPNs.
    3. Open the policy-based VPN for editing.
    4. On the Site-to-Site VPN tab, add the VPN Gateway that represents the engine to the Central Gateways or Satellite Gateways list.
    5. Click Save.
  4. Create the Route-Based Tunnel element.
    1. Select Secure SD-WAN Configuration.
    2. Browse to Route-Based Tunnels.
    3. Right-click Route-Based Tunnels, then select New Route-Based Tunnel.
    4. Use the following settings:
      Setting Configuration
      Tunnel type GRE, IP-IP, or SIT.
      Encryption Tunnel Mode.
      VPN Select the policy-based VPN that provides the encryption.
      Local engine Select the same VPN Gateway that is used in the policy-based VPN.
      CVI Select the CVI that has the same IP address as the endpoint that is used in the policy-based VPN.

      Configure the other settings according to your needs.

    5. Click OK.
  5. Add Access rules to allow traffic between the internal network and the networks that are reachable through the Route-based Tunnels.
    Note: The Access rules that direct the Route-based Tunnels traffic into the policy-based VPN are automatically generated for the Engines associated with the VPN Gateway elements. The rules are not visible in the Engine policy, and cannot be edited. If a policy that contains the automatically generated rules is installed on a Engine that is not involved in the VPN, the rules are ignored.
    1. Open the Engine policy for editing.
    2. Add IPv4 Access rules or IPv6 Access rules that have the following settings:
      Source Destination Service Action
      Elements that represent the internal network Elements that represent the networks that are reachable through the Route-based Tunnels. Select a service, or set to ANY. Allow
      Configure the other settings for the rules according to your needs.
    3. Click Save.
    4. Install the policy on all Engines that are involved in the VPNs.