Define a custom Gateway Profile element
The Gateway Profile element introduces information about the features and options available so that the VPN configuration can be automatically validated.
The general settings directly affect the settings used in VPNs. The authentication and encryption settings defined in the Gateway Profile do not directly determine which settings are used in any VPN. Instead, they help you make sure that the settings defined for the VPNs correspond to the options supported by the gateway devices involved.
- You can use the Default (all capabilities) profile, which allows any of the options to be selected for the External VPN Gateway.
- You can define a custom Gateway Profile to restrict the options to a supported set to prevent configuration errors.
For the Forcepoint VPN Client, there are predefined Gateway Profiles.
The IKE Capabilities and IPsec Capabilities are not directly used in a VPN. The settings that a VPN uses are selected in the VPN Profile element. The capabilities define the set of options that the gateway supports, so that the Secure SD-WAN Manager can automatically check for misconfigured settings.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Configuration, then browse to SD-WAN.
- Browse to .
- Right-click Gateway Profiles, then select New Gateway Profile.
- Configure the settings.
- Click OK.
Gateway Profile Properties dialog box
Use this dialog box to define the properties of a VPN Gateway Profile element.
Option | Definition |
---|---|
General tab | |
Name | The name of the element. |
Comment (Optional) | A comment for your own reference. |
Tunnel-to-Tunnel Forwarding Capabilities | |
Relay Site-to-Site Traffic | When selected, specifies that the gateways using the profile can forward site-to-site VPN traffic to other site-to-site VPNs. This option reduces the number of tunnels created by default for VPNs involving this Gateway when you define forwarding from one VPN to another in the VPN element. |
Relay Mobile VPN Traffic | This option is shown only because the setting is used in the default profiles for different versions of the Firewall/VPN. This setting is not relevant to custom configurations. |
IKE Settings | Shows the selections from the IKE Capabilities tab. |
IPsec Settings | Shows the selections from the IPsec Capabilities tab. |
IKE Capabilities tab | |
Versions | Select the IKE version. Note: If both versions are selected, IKEv2 is tried first in the negotiations, and IKEv1 is only used if the remote gateway does not support IKEv2. |
Cipher Algorithms | The VPN encryption method. We recommend that you limit the selection to as few choices as possible, preferably only one. If you make multiple choices, multiple proposals are sent in IKE negotiations. |
Message Digest Algorithms | Used for integrity checking and key derivation. We recommend that you select just one of these options if you have no specific reason to select more. |
Diffie-Hellman Group | Select one or more groups for key exchange. We recommend that you select from groups 14-21 according to the security requirements for the VPN. Note: Groups 1, 2, and 5 are not considered sufficiently secure in all cases, although they might be required for interoperability with legacy systems. |
Authentication Method | The method that gateways in the VPN use to authenticate to each other. |
IKEv1 Negotiation Mode (Only if IKEv1 is selected as the Version) | The negotiation mode for IKEv1 key exchange. |
Option | Definition |
---|---|
IPsec Capabilities tab | |
IPsec Type | Select one or more options to define integrity checking and data origin authentication for IP datagrams. |
Cipher Algorithms | The VPN encryption method. We recommend that you limit the selection to as few choices as possible, preferably only one. |
Message Digest Algorithms | Used for integrity checking, except when authenticated encryption such as AES-GCM is used. |
Compression Algorithm | Options for compressing the data in the VPN to reduce the bandwidth use on congested links. |
Security Association Granularity | Defines the level at which security associations (SA) are created. |
PFS Diffie-Hellman Group | Select one or more Diffie-Hellman groups for perfect forward secrecy (PFS) key negotiations. We recommend that you select from groups 14-21 according to the security requirements for the VPN. Note: Groups 1, 2, and 5 are not considered sufficiently secure in all cases, although they might be required for interoperability with legacy systems. |
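
The validation idea described on this page, sketched as an added example (not Forcepoint's code or the Secure SD-WAN Manager's implementation): VPN Profile selections are checked against the capability set of a Gateway Profile, and the Diffie-Hellman guidance from the tables is applied. The `Capabilities` class, the `validate` function, and the algorithm labels are hypothetical.

```python
# Added example: hypothetical data model, not Secure SD-WAN Manager code.
from dataclasses import dataclass, field

WEAK_DH_GROUPS = {1, 2, 5}                  # flagged in the table notes
RECOMMENDED_DH_GROUPS = set(range(14, 22))  # groups 14-21

@dataclass
class Capabilities:
    """Selections on one tab (IKE or IPsec); algorithm labels are free-form."""
    ciphers: set = field(default_factory=set)
    digests: set = field(default_factory=set)
    dh_groups: set = field(default_factory=set)

def validate(selected: Capabilities, supported: Capabilities, phase: str) -> list:
    """Check VPN Profile selections against a Gateway Profile's capabilities."""
    findings = []
    # Anything selected for the VPN that the gateway does not support is an error.
    for kind in ("ciphers", "digests", "dh_groups"):
        unsupported = getattr(selected, kind) - getattr(supported, kind)
        for item in sorted(unsupported, key=str):
            findings.append(("ERROR", f"{phase} {kind}: {item} not supported by gateway"))
    # Groups 1, 2 and 5 are acceptable only for legacy interoperability.
    for group in sorted(selected.dh_groups & WEAK_DH_GROUPS):
        findings.append(("WARN", f"{phase} DH group {group} is weak; legacy interop only"))
    for group in sorted(selected.dh_groups - WEAK_DH_GROUPS - RECOMMENDED_DH_GROUPS):
        findings.append(("INFO", f"{phase} DH group {group} is outside groups 14-21"))
    # The page recommends as few cipher choices as possible, preferably one.
    if len(selected.ciphers) > 1:
        findings.append(("INFO", f"{phase}: {len(selected.ciphers)} ciphers selected; prefer one"))
    return findings

# Constructed sample: a custom Gateway Profile for a legacy peer, and the
# selections made in a VPN Profile that will be used with that gateway.
GATEWAY_IKE = Capabilities({"AES-256"}, {"SHA-2"}, {5, 14})
VPN_IKE = Capabilities({"AES-256", "AES-GCM-256"}, {"SHA-2"}, {5, 19})

if __name__ == "__main__":
    for severity, message in validate(VPN_IKE, GATEWAY_IKE, "IKE"):
        print(f"{severity}: {message}")
```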