Configuring VPNs with external gateway devices
An External VPN Gateway is any VPN gateway that is not controlled by the same Management Server (and the same administrative Domain) on which you are configuring the gateway element.
Often, external gateway devices are at a partner organization, not under your control, and not Engine devices. Because IPsec is a networking standard, you can create a VPN between gateways of different brands by selecting identical settings for both gateways. Any option that both gateways support is a valid option for the VPN. The following settings must be identical on both gateways:
- The IKE SA settings.
- The IPsec SA settings.
- The site definitions (IP addresses) defined for both gateways at both ends (possibly translated using NAT).
- The endpoint identity type and value. The endpoint identity value is often the IP address of each gateway, but other options are also possible.
When the listed settings are identical, the VPN works. However, there are some things that you must consider when you configure VPNs with external gateway devices:
- Every setting must match to produce a fully functional VPN, but the supported options might be partly different on the different gateways.
- Because there is not a single common standard for naming the different options, the two gateways might use a different name for the same authentication or encryption method.
- If Engine devices are used as External VPN Gateways, you can export and import some settings between the two Management Servers (or between administrative Domains). However, you must still construct many of the configurations manually.
- The IP addresses accessible through each gateway must match.
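The points above (every IKE and IPsec setting must match, vendors name the same algorithm differently, and the sites reachable through each gateway must agree) can be checked before the tunnel is brought up. The script below is an added example, not part of this documentation or of any vendor's product: it normalizes vendor-specific option names through an alias table and compares two gateway definitions. The gateway definitions, the alias table and the dictionary keys (ike_sa, ipsec_sa, local_sites, remote_sites, identity, peer_identity) are constructed for illustration and are not a real product's configuration format.

```python
"""Compare the VPN settings of two gateways and report every mismatch.

Added example, not vendor code. Option names, alias table and the two
gateway definitions are constructed for illustration.
"""
import ipaddress

# Different vendors spell the same algorithm or DH group differently.
# Keys are lowercase vendor spellings, values are the canonical name.
# This table is constructed for the example; extend it for real peers.
ALIASES = {
    "aes-256": "aes256", "aes256-cbc": "aes256", "aes_256": "aes256",
    "aes-128": "aes128", "aes128-cbc": "aes128",
    "sha-256": "sha256", "sha2-256": "sha256", "hmac-sha256": "sha256",
    "sha-1": "sha1", "hmac-sha1": "sha1",
    "group14": "dh14", "modp2048": "dh14", "dh-group-14": "dh14",
    "group2": "dh2", "modp1024": "dh2",
}


def normalize(value):
    """Map one vendor's spelling of a setting to the canonical name."""
    v = str(value).strip().lower()
    return ALIASES.get(v, v)


def normalize_sa(sa):
    return {key: normalize(val) for key, val in sa.items()}


def normalize_nets(nets):
    """Site definitions as a set of networks so ordering and notation do not matter."""
    return {ipaddress.ip_network(n, strict=False) for n in nets}


def site_problem(label, nets_a, nets_b):
    diff = normalize_nets(nets_a) ^ normalize_nets(nets_b)
    if diff:
        return f"{label}: differing networks {sorted(str(n) for n in diff)}"
    return None


def compare_gateways(local, remote):
    """Return human-readable mismatches; an empty list means the settings match."""
    problems = []
    # IKE SA and IPsec SA: every option must agree after name normalization.
    for sa_name in ("ike_sa", "ipsec_sa"):
        a, b = normalize_sa(local[sa_name]), normalize_sa(remote[sa_name])
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                problems.append(f"{sa_name}.{key}: {a.get(key)!r} vs {b.get(key)!r}")
    # Sites: what the local gateway publishes as its own networks must be
    # exactly what the remote gateway expects behind the local gateway,
    # and vice versa.
    for label, nets_a, nets_b in (
        ("sites behind local gateway", local["local_sites"], remote["remote_sites"]),
        ("sites behind remote gateway", local["remote_sites"], remote["local_sites"]),
    ):
        msg = site_problem(label, nets_a, nets_b)
        if msg:
            problems.append(msg)
    # Endpoint identity: each gateway's own identity must be what its peer expects.
    if local["identity"] != remote["peer_identity"]:
        problems.append(f"local identity {local['identity']} != remote's expected peer {remote['peer_identity']}")
    if remote["identity"] != local["peer_identity"]:
        problems.append(f"remote identity {remote['identity']} != local's expected peer {local['peer_identity']}")
    return problems


# Constructed sample: gateway A uses one vendor's naming, gateway B another's.
# B deliberately uses a different PFS group and publishes an extra remote site.
GATEWAY_A = {
    "identity": ("ip", "198.51.100.10"), "peer_identity": ("ip", "203.0.113.20"),
    "ike_sa": {"version": "IKEv2", "encryption": "AES-256", "integrity": "SHA-256",
               "dh_group": "group14", "lifetime_s": 28800},
    "ipsec_sa": {"encryption": "AES-256", "integrity": "SHA-256",
                 "pfs_group": "group14", "lifetime_s": 3600},
    "local_sites": ["10.1.0.0/16"], "remote_sites": ["10.2.0.0/24"],
}
GATEWAY_B = {
    "identity": ("ip", "203.0.113.20"), "peer_identity": ("ip", "198.51.100.10"),
    "ike_sa": {"version": "ikev2", "encryption": "aes256-cbc", "integrity": "hmac-sha256",
               "dh_group": "modp2048", "lifetime_s": 28800},
    "ipsec_sa": {"encryption": "aes256-cbc", "integrity": "hmac-sha256",
                 "pfs_group": "modp1024", "lifetime_s": 3600},
    "local_sites": ["10.2.0.0/24"], "remote_sites": ["10.1.0.0/16", "10.3.0.0/24"],
}


def run_example():
    return compare_gateways(GATEWAY_A, GATEWAY_B)


if __name__ == "__main__":
    for line in run_example() or ["settings match"]:
        print(line)
```

On the constructed sample the IKE SA passes because every name maps to the same canonical value, while the IPsec SA reports the PFS group mismatch and the site check reports the extra 10.3.0.0/24 that gateway B expects but gateway A does not publish. The alias table is the part to maintain when adding a new peer vendor; a setting with no alias entry is compared literally, so a spelling the table does not know shows up as a mismatch rather than being silently accepted.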
In VPN Gateways controlled by the Management Server on which the VPN is configured, the IP addresses included in the policy-based VPN are defined as separate Site elements. The security association (SA) granularity setting defines whether a new VPN tunnel is established for each communicating host or for each network. In most gateways, there is an option for the SA setting. However, some gateways might select the SA automatically based on the type of IP address definition or even have a fixed setting.
Note: Site definitions are always defined for the VPN Gateway or External VPN Gateway element and are used in all policy-based VPNs where the same gateway is used. If you add a site to a gateway in one policy-based VPN, disable it in other policy-based VPNs where you do not want the site to be included.
Note: In route-based VPNs, the site information is ignored. In route-based VPNs, the site definition is always 0.0.0.0/0 for IPv4 and ::/0 for IPv6 (any network).