Create External VPN Gateway elements

In the Management Client, create two External VPN Gateway elements to represent the cloud end of each connection.

The connections are used in an active-active configuration.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to VPN Gateways.
  3. Create an External VPN Gateway element to represent the cloud end of the first VPN tunnel.
    1. Select New > External VPN Gateway.
    2. In the Name field, enter a descriptive name.
      Example: Private Access Tunnel 1
      Note: Do not close the External VPN Gateway Properties dialog box.
  4. Configure endpoints for the first external VPN gateway.
    1. On the Endpoints tab, click Add.
    2. Configure the following settings:
      • Name — (Optional) Enter a descriptive name, such as the same name that you provided for this connection in the Private Access management portal.
      • IP Address — Enter the value of the Tunnel destination IP address for the first tunnel from the Private Access management portal.
      • Connection Type — Select Active.
      • NAT-T — Select Enabled.
      • Phase-1 ID — From the ID Type drop-down list, select DNS Name. In the ID Value field, enter the value of the Forcepoint IKE ID from the Private Access management portal.
    3. Click OK.
    4. In the Enabled column, select the checkbox for the endpoint.
      Note: Do not close the External VPN Gateway Properties dialog box.
  5. Configure a site for the first external VPN gateway.
    1. On the Sites tab, browse to Hosts in the left pane.
    2. Select the Host element that represents the NAT IP address of the first tunnel, then click Add.
    3. Click OK.
    The configuration of the first external VPN gateway is complete.
  6. Create an External VPN Gateway element to represent the cloud end of the second VPN tunnel.
    1. Select New > External VPN Gateway.
    2. In the Name field, enter a descriptive name.
      Example: Private Access Tunnel 2
      Note: Do not close the External VPN Gateway Properties dialog box.
  7. Configure endpoints for the second external VPN gateway.
    1. On the Endpoints tab, click Add.
    2. Configure the following settings:
      • Name — (Optional) Enter a descriptive name, such as the same name that you provided for this connection in the Private Access management portal.
      • IP Address — Enter the value of the Tunnel destination IP address for the second tunnel from the Private Access management portal.
      • Connection Type — Select Active.
      • NAT-T — Select Enabled.
      • Phase-1 ID — From the ID Type drop-down list, select DNS Name. In the ID Value field, enter the value of the Forcepoint IKE ID from the Private Access management portal.
    3. Click OK.
    4. In the Enabled column, select the checkbox for the endpoint.
      Note: Do not close the External VPN Gateway Properties dialog box.
  8. Configure a site for the second external VPN gateway.
    1. On the Sites tab, browse to Hosts in the left pane.
    2. Select the Host element that represents the NAT IP address of the second tunnel, then click Add.
    3. Click OK.
    The configuration of the second external VPN gateway is complete.

Next steps

Configure the endpoint and sites for the NGFW Engine in the Management Client.

External VPN Gateway Properties dialog box

Use this dialog box to define the properties of an External VPN Gateway element.

General tab
  • Name — Specifies the unique name of the element.
  • Gateway Profile — Shows the selected gateway profile.
  • Select — Opens the Select Element dialog box.
  • Category — Shows the assigned category.
  • Select — Opens the Category Selection dialog box.
  • Comment — An optional comment for your own reference.

Endpoints tab
  • Search — Opens a search field. Enter a search parameter to locate an endpoint. Clicking X removes the search field.
  • New External Endpoint — Adds an external endpoint IP address. Opens the External Endpoint Properties dialog box.
  • Tools:
    • Expand All — Expands all elements.
    • Collapse All — Collapses all elements.
    • Refresh View — Updates the element list.
    • Remove — Removes the selected row from the table.
  • Add — Opens the External Endpoint Properties dialog box.
  • Edit — Opens the External Endpoint Properties dialog box for the selected endpoint.
  • Remove — Removes the selected endpoint from the list.

Sites tab
  • Search — Opens a search field for the selected element list.
  • Up (Backspace) — Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
  • Tools:
    • New — Creates an element of the specified type.
    • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Add — Adds the selected element to the content list.
  • Remove — Removes the selected element from the content list.
  • Content — Shows the selected elements.

Trusted CAs tab
  • Trust All — The gateway accepts any valid CA that is configured, unless restricted in the VPN element.
  • Trust only selected — Only selected CAs are accepted. Select the CAs that the Gateway must trust.

External Endpoint Properties dialog box

Use this dialog box to define the properties of an External Endpoint in an IPsec VPN.

  • Name — The name of the endpoint. If no name is entered, the IP address is used.
  • IP Address — If the endpoint has a static (manually defined) IP address, enter the IP address. This must be the same IP address that is configured on the external device itself.
  • Dynamic — If the endpoint has a dynamic (DHCP-assigned) IP address, select this option.
  • Connection Type — Defines how the endpoint is used in a Multi-Link configuration.
  • NAT-T — Detects when an IPsec VPN tunnel goes through a NAT device. If NAT is detected, the VPN automatically uses UDP port 4500 for IKE negotiation messages, and encapsulates ESP packets in UDP packets that use port 4500.
    • Disabled — NAT traversal is disabled.
    • Enabled — Select this option to allow encapsulating the IPsec communications in standard NAT-T UDP packets in site-to-site VPNs when the gateways detect that a NAT operation is applied to the communications. If the gateways do not both support this option, the option is ignored.
    • Forced — Select this option to force NAT-T even when the gateways do not detect a NAT operation being applied to the communications. If the gateways do not both support this option, the VPN fails to establish.
  • Use UDP encapsulation — This option is included for backward compatibility with legacy NGFW software versions.

Contact Addresses
  • Default — Used by default whenever a component that belongs to another Location connects to this endpoint.
  • Dynamic — Select when the endpoint has a dynamic Default contact address.

Phase-1 ID
  • ID Type — Identifies the gateway during the IKE phase-1 negotiations.
    • DNS Name — A DNS name identifies the gateway.
    • E-mail — An email address identifies the gateway.
    • Distinguished Name — The Distinguished Name (DN) field in the gateway's certificate identifies the gateway. You can only add one DN value for each External VPN Gateway.
    • IP Address — An IP address identifies the gateway. If the endpoint has a static IP address, the value is filled in automatically. If the endpoint has a dynamic IP address, you must manually enter an IP address.
  • ID Value — Specifies the details of the ID Type.
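The NAT-T behaviour described above (IKE negotiation and ESP both carried on UDP port 4500 once NAT is detected) can be verified on the wire when troubleshooting or monitoring these tunnels. This added example is not from the Forcepoint documentation: it classifies the payload of a UDP/4500 datagram as a NAT keepalive, an IKE message (prefixed by the four-byte non-ESP marker defined in RFC 3948) or UDP-encapsulated ESP, using constructed sample datagrams rather than captured traffic.

```python
import struct

# RFC 3948: IKE messages on UDP/4500 are prefixed with a 4-byte zero "non-ESP marker".
# UDP-encapsulated ESP starts directly with its SPI, which is never zero, so the first
# four bytes disambiguate the two. A single 0xFF byte is a NAT keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP/IKE header: iSPI, rSPI, next payload, version, exchange type, flags, msg id, length
IKE_HEADER = struct.Struct("!QQBBBBII")

# Exchange type names; IKEv1 and IKEv2 share the field but use different values.
EXCHANGE_TYPES = {2: "IKEv1 Identity Protection", 4: "IKEv1 Aggressive", 5: "IKEv1 Informational",
                  32: "IKEv1 Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def classify_udp4500(payload: bytes) -> dict:
    """Classify the payload of a UDP/4500 datagram as keepalive, IKE, or UDP-encapsulated ESP."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP SPI plus sequence number"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        ispi, rspi, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(ike)
        return {
            "kind": "ike",
            "major": version >> 4, "minor": version & 0x0F,
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "initiator_flag": bool(flags & 0x08),  # IKEv2 Initiator bit; flag bits differ in IKEv1
            "initiator_spi": ispi, "responder_spi": rspi, "message_id": msg_id,
            # The length field must match the bytes actually carried; a mismatch is worth flagging.
            "length_ok": length == len(ike),
        }
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed samples (not captured traffic): a header-only IKEv2 IKE_SA_INIT request and one ESP packet.
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER.size)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16  # SPI, sequence number, opaque ciphertext

if __name__ == "__main__":
    for name, dgram in (("keepalive", b"\xff"), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)):
        print(name, classify_udp4500(dgram))
```

Before NAT is detected, IKE runs on UDP port 500 without the marker, so this classifier applies only to port 4500 traffic.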
