Create Route-Based VPN Tunnel elements

Route-Based VPN Tunnel elements represent the endpoints of the tunnel.

Before you begin

Add tunnel interfaces for NGFW Engines.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Route-Based VPN Tunnels.
  3. Right-click Route-Based VPN Tunnels, then select New Route-Based VPN Tunnel.
  4. Configure the settings.
    Note: Specifying tunnel options for individual route-based VPN tunnels overrides the default settings defined for the tunnel interface on the NGFW Engine.
  5. Click OK.
  6. Click Save.
    Note: An IPsec tunnel between two Virtual NGFW Engines running on the same Master NGFW Engine cluster is not supported. To allow communication between two virtual engines, route the inter-engine traffic either through an external router or through a Shared Interface.

Route-Based VPN Tunnel Properties dialog box

Use this dialog box to define the properties of a Route-Based VPN Tunnel.

Option Definition
Name The name of the element.
Enabled When selected, the tunnel is enabled.
Tunnel Type Specifies the protocol used in the tunnel.
  • GRE — Generic Routing Encapsulation. This tunnel type is compatible with gateways from most vendors.
  • IP-IP — IP in IP. This tunnel type is for use with third-party gateways that only support IP-IP.
  • SIT — Simple Internet Transition. This tunnel type is for use with IPv6 addresses.
  • VPN — This tunnel type negotiates IPsec tunnels in the same way as policy-based VPNs, but traffic is sent into the tunnel based on routing.
    Note: For the VPN tunnel type, tunnels between all endpoints of both gateways are automatically created.
Encryption

(Not when Tunnel Type is VPN)

The encryption mode for the tunnel.
  • Transport Mode — The tunnel uses IPsec in transport mode.
  • Tunnel Mode — The tunnel uses IPsec in tunnel mode.
  • No Encryption — The tunnel is not encrypted.
    CAUTION:
    This option defines a tunnel in which traffic is not protected by a VPN. The No Encryption option is recommended only when you create tunnels entirely within protected networks or you are testing and troubleshooting routing and connectivity.
VPN Profile

(Optional)

(When Tunnel Type is VPN)

(When Encryption is Transport Mode)

The VPN Profile element that defines the settings for authentication, integrity checking, and encryption for the tunnel.
Note: Settings in the VPN Profile that do not apply to route-based VPN tunnels, such as IPsec Client settings, are ignored.
Examples of available profiles:
  • VPN-A Suite — The tunnel uses the VPN-A Suite VPN Profile element. The VPN-A Suite VPN Profile contains the VPN settings specified for the cryptographic suite “VPN-A” in RFC 4308.
  • iOS Suite — The tunnel uses the iOS Suite VPN Profile element. The iOS Suite VPN Profile element contains only iOS-compatible encryption algorithms and protocols.
Click Select to select an element. VPN-A Suite is selected by default.
Edit

(Optional)

(When Tunnel Type is VPN)

(When Encryption is Transport Mode)

Allows you to use pre-shared key authentication for the gateways involved in the tunnel.
Note: The pre-shared key must be long and random to provide a secure VPN. Change the pre-shared key periodically (for example, monthly). Make sure that it is not possible for outsiders to obtain the key while you transfer it to other devices.
VPN

(When Encryption is Tunnel Mode)

The policy-based VPN that provides the encryption for the tunnel. Click Select to select an element, or click New to create an element.
Option Definition
Local section
Gateway or Firewall The local gateway for the tunnel. Click Select to select an element.
Endpoint

(Not when Tunnel Type is VPN)

Allows you to select the endpoint IP addresses for the tunnel.

If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address.

Note: You cannot use the same endpoint pair in a route-based VPN tunnel and a policy-based VPN tunnel.
Interface The tunnel interface through which route-based VPN traffic is routed.
Option Definition
Remote section
Internal

(Not when Tunnel Type is VPN)

(Not when Encryption is Transport Mode)

When selected, specifies that the remote gateway is an NGFW Engine that is managed by the same Management Server to which you are currently connected.
External

(Not when Tunnel Type is VPN)

(Not when Encryption is Transport Mode)

When selected, specifies that the remote gateway is a third-party device or an NGFW Engine that is managed by a different Management Server.
IP Address

(External only)

The IP address of the remote gateway.
Gateway or Firewall

(Internal only)

The remote gateway in the tunnel. Click Select to select an element.
Endpoint

(Not when Tunnel Type is VPN)

Allows you to select the endpoint IP addresses for the tunnel.

If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address.

Note: You cannot use the same endpoint pair in a route-based VPN tunnel and a policy-based VPN tunnel.
Interface

(VPN Gateway elements only)

The tunnel interface through which route-based VPN traffic is routed.
Tunnels table

(When Tunnel Type is VPN)

  • Endpoint A or Endpoint B — Shows the endpoint IP addresses for the automatically created tunnels between all endpoints of both gateways.
  • IPsec Profile — The VPN Profile element that defines the settings for authentication, integrity checking, and encryption for the tunnel.
  • Mode — Shows the mode that defines how the endpoint is used in a Multi-Link configuration.
  • Validity — Shows whether the tunnel is valid.
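The two constraints stated above, that No Encryption is meant only for tunnels inside protected networks and that an endpoint pair cannot be shared between a route-based and a policy-based VPN tunnel, can be checked offline before a policy is pushed. The following is an added example, not SMC or smc-python code; the tunnel records, names and addresses are constructed, and the endpoint pair is assumed to be symmetric.

```python
"""Offline audit of route-based VPN tunnel definitions against two rules on this page:
No Encryption only inside protected networks, and no endpoint pair shared with a
policy-based VPN. Added example, not SMC or smc-python code; the records below are a
constructed, simplified view of the dialog fields."""
import ipaddress

# Constructed sample data: hypothetical names and RFC 5737 documentation addresses.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ROUTE_BASED_TUNNELS = [
    {"name": "rbvpn-dc-a", "type": "GRE", "encryption": "Tunnel Mode",
     "local": "203.0.113.10", "remote": "198.51.100.20"},
    {"name": "rbvpn-lab", "type": "GRE", "encryption": "No Encryption",
     "local": "10.1.0.1", "remote": "10.2.0.1"},
    {"name": "rbvpn-partner", "type": "IP-IP", "encryption": "No Encryption",
     "local": "203.0.113.10", "remote": "198.51.100.30"},
]
POLICY_BASED_VPNS = [
    {"name": "pbvpn-dc-a", "local": "203.0.113.10", "remote": "198.51.100.20"},
]

def in_protected(addr, protected):
    """True if addr lies inside one of the protected networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in protected)

def endpoint_pair(tunnel):
    """Order-independent endpoint pair (assumption: A<->B and B<->A are the same pair)."""
    return frozenset((tunnel["local"], tunnel["remote"]))

def audit(route_based, policy_based, protected=PROTECTED_NETWORKS):
    """Return (tunnel name, finding) tuples for every rule violation."""
    findings = []
    policy_pairs = {endpoint_pair(p): p["name"] for p in policy_based}
    for t in route_based:
        if t["encryption"] == "No Encryption" and not (
            in_protected(t["local"], protected) and in_protected(t["remote"], protected)
        ):
            findings.append((t["name"], "No Encryption tunnel with an endpoint outside protected networks"))
        shared = policy_pairs.get(endpoint_pair(t))
        if shared:
            findings.append((t["name"], f"endpoint pair already used by policy-based VPN {shared}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(ROUTE_BASED_TUNNELS, POLICY_BASED_VPNS):
        print(f"{name}: {finding}")
```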
Option Definition
Tunnel Options section
PMTU Discovery

(All tunnel types except VPN)

When selected, enables path MTU (PMTU) discovery. Select this option if you use dynamic routing and want to automatically determine the Maximum Transmission Unit (MTU) size on the network path to avoid IP fragmentation.
TTL

(Optional)

(All tunnel types except VPN)

Specifies the initial time-to-live (TTL) value that is inserted into the encapsulation header of packets that enter the tunnel. This setting is needed when dynamic routing is used. You can usually use the default value. The default TTL value is 64.
MTU

(Optional)

Specifies the maximum transmission unit (MTU) value that defines the largest unit of data that can be transmitted without fragmenting a packet. Set the MTU size as large as possible, but not so large that it causes packets to be fragmented. You can usually use the default value.
Tunnel Group

(When Tunnel Type is VPN)

(When Encryption is Transport Mode)

Select the Tunnel Group to put the tunnel in. You can monitor the status of grouped tunnels in the Home view. By default, new tunnels are included in the Uncategorized group, which is a system Tunnel Group element.
Use GRE Keepalive

(When Tunnel Type is GRE and Encryption is No Encryption)

When selected, the NGFW Engine sends keepalive packets at the specified interval to check that the GRE tunnel is still functioning. If no reply is received after the specified number of packets, the GRE tunnel is considered to be down.

  • Period — The interval (in seconds) at which keepalive packets are sent. The default is 10 seconds. A value of 0 means that the NGFW Engine only replies to keepalive packets from other devices, but does not send keepalive packets itself.
  • Retry — The number of packets after which the GRE tunnel is considered to be down if no reply is received. The default is 3 packets.
Note: To use GRE keepalive, the router to which the NGFW Engine is connected must support GRE keepalive.
Comment

(Optional)

A comment for your own reference.
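To see how the Period and Retry settings of the GRE keepalive translate into failure-detection time, and why a Period of 0 on one end leaves that end unable to detect a dead tunnel on its own, here is an added simplified model; it is not NGFW Engine code, and it assumes one keepalive per Period seconds, a miss counter reset by any reply, and a down verdict after Retry consecutive unanswered keepalives.

```python
"""Model of the GRE keepalive check described above. Added example, not NGFW
Engine code: it assumes each end sends one keepalive every Period seconds,
resets its miss counter on any reply, and declares the tunnel down after
Retry consecutive unanswered keepalives. Period 0 means reply-only."""

def detect_down(period, retry, link_down_at, horizon):
    """Time (seconds) at which this end declares the tunnel down, or None.

    A keepalive sent at time t is answered only while the link is still up
    (t < link_down_at). Constructed model, not actual engine timing.
    """
    if period == 0:
        return None            # reply-only: never probes, so never detects on its own
    missed = 0
    t = period
    while t <= horizon:
        if t < link_down_at:
            missed = 0         # reply received, counter resets
        else:
            missed += 1
            if missed >= retry:
                return t       # Retry keepalives in a row unanswered
        t += period
    return None

def both_ends(a, b, link_down_at, horizon=600):
    """a and b are (period, retry) tuples for the two ends; returns their detection times.

    Worst case, an end notices a failure about period * retry seconds after it
    happens; an end with period 0 relies entirely on the peer to notice.
    """
    return {"A": detect_down(*a, link_down_at, horizon),
            "B": detect_down(*b, link_down_at, horizon)}

if __name__ == "__main__":
    # Constructed scenario: defaults (10 s, 3) on A, reply-only (0) on B, link fails at 25 s.
    print(both_ends((10, 3), (0, 3), link_down_at=25))   # {'A': 50, 'B': None}
```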