VPN configuration workflow
VPN configuration requires several high-level steps.
This workflow contains steps for all kinds of VPN configurations. Alternative next steps are included as necessary to achieve a particular type of configuration.
- (Optional) If you are configuring a VPN with an external device, you might want to create a custom Gateway Profile specific to the device.
- (External VPN gateways only) Add the necessary number of External VPN Gateway elements to represent the VPN devices. External VPN Gateway elements define the VPN endpoints (gateway IP
addresses) and the sites (see the next point). Note: One VPN Gateway elements is automatically created for each Engine that is managed by the Management Server and administrative Domain that you are currently connected to with your Management Client.
- (Policy-based VPNs only) Configure the sites. Sites define the IP addresses that can be made routable through VPNs. The sites can be adjusted in different VPNs that the gateway establishes.
- (Optional) If the existing VPN Profiles do not have suitable settings for your new VPN, create a custom VPN Profile element. The custom VPN Profile element defines the IPsec settings (authentication, encryption, and integrity checking).
- Define the VPN in one of the following ways:
- Create a Policy-Based VPN element. The Policy-Based VPN element defines the topology (which gateways create tunnels with each other).
- Create Route-Based VPN Tunnel elements to define endpoints for tunnels in route-based VPNs.
- Create certificates, if necessary.
- Add the necessary Access rules according to the type of VPN:
- (Policy-based VPNs) Add the Access rules that allow traffic and select the policy-based VPN to be used. If necessary, the NAT rules for VPN traffic. Adding rules for policy-based VPNs also activates the VPN on the engines.
- (Route-based VPN) Add Access rules to allow traffic between the internal network and the networks that are reachable through the route-based VPN tunnels.