Considerations for creating new policy-based VPNs
There are some things to consider when you create a new policy-based VPN.
- Check whether you can use an existing policy-based VPN instead. Most settings can be set individually for each site-to-site tunnel even within a single policy-based VPN. The VPN Profile, pre-shared key, and Multi-Link settings can all be selected separately for each VPN tunnel. Site definitions are the only major exception to this rule.
- There must not be duplicate tunnels (two tunnels between the same two endpoints) in the configuration of any Firewall. Duplicate tunnels cause a policy installation failure. The easiest way to avoid duplicate tunnels is to define all VPNs between your Firewalls in the same policy-based VPN.
- If you are creating VPNs with partner organizations, you might only want to include a subset of the internal IP address space in the Site definitions. Limiting the IP address space allows you to avoid revealing all internal addresses to your partner. Any case where Site definitions must be different for different VPN tunnels requires creating separate policy-based VPNs.
- An IPsec tunnel between two Virtual NGFW Engines running on the same Master NGFW Engine cluster is not supported. This limitation also applies to Master Engine clusters with only one node. To allow communication between two Virtual Engines, route the inter-engine traffic through an external router or use a Shared Interface instead.
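A pre-installation check for the duplicate-tunnel rule above, written as an added example rather than code from the product or its documentation. The dictionary of VPN names to endpoint pairs is a constructed stand-in for the real configuration; tunnels are treated as undirected, so a pair listed in either order counts as the same tunnel.

```python
from collections import defaultdict

# Constructed sample: hypothetical policy-based VPN definitions, each a list of
# site-to-site tunnels given as (endpoint_a, endpoint_b). The same endpoint pair
# appears in both VPNs, which is exactly the condition that fails policy installation.
SAMPLE_VPNS = {
    "Corporate VPN": [("HQ-FW", "Branch-1"), ("HQ-FW", "Branch-2")],
    "Partner VPN":   [("HQ-FW", "Partner-GW"), ("Branch-1", "HQ-FW")],
}


def tunnel_key(endpoint_a, endpoint_b):
    """Normalise an endpoint pair so that tunnel direction does not matter."""
    return tuple(sorted((endpoint_a, endpoint_b)))


def find_duplicate_tunnels(vpns):
    """Return {endpoint_pair: [vpn names]} for every pair defined more than once.

    A pair defined twice inside one VPN is reported as well (the VPN name
    simply appears twice in the list), since that is also a duplicate tunnel.
    """
    seen = defaultdict(list)
    for vpn_name, tunnels in vpns.items():
        for endpoint_a, endpoint_b in tunnels:
            seen[tunnel_key(endpoint_a, endpoint_b)].append(vpn_name)
    return {pair: names for pair, names in seen.items() if len(names) > 1}


def firewalls_with_install_failure(vpns):
    """Firewalls whose policy installation would fail: every endpoint of a duplicate pair."""
    affected = set()
    for pair in find_duplicate_tunnels(vpns):
        affected.update(pair)
    return sorted(affected)


if __name__ == "__main__":
    for pair, names in find_duplicate_tunnels(SAMPLE_VPNS).items():
        print(f"duplicate tunnel {pair[0]} <-> {pair[1]} defined in: {', '.join(names)}")
    print("policy installation would fail on:", firewalls_with_install_failure(SAMPLE_VPNS))
```

Running the check over the constructed sample flags the HQ-FW/Branch-1 pair once, from both VPNs; merging the two definitions into a single policy-based VPN, as the list above recommends, clears it.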