
VPN Communities - Gateways

What can I do here?

Use this window to select the gateways of the Star or Meshed VPN community.

Note - For Global VPN Communities, see: VPN and Multi-Domain Security Management

Getting Here

Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > VPN Communities > New Star/Meshed Community > Gateways

Configuring a Meshed Community Between Internally Managed Gateways

To configure an internally managed VPN meshed community:

  1. Install and configure the Security Gateways as described in the R80.10 Installation & Upgrade Guide.
  2. In SmartConsole, double click on the Security Gateway object.
  3. In the General Properties page:
    1. Enter the gateway Name.
    2. Enter the IPv4 Address and IPv6 Address.
    3. In the Network Security tab, select IPsec VPN.
    4. Click Communication and establish trusted communication with the Gateway.
  4. In the Network Management page, click Get Interfaces.
    1. After the interfaces show in the table, click Edit to open the Interface window.
    2. In the Interface window, define the general properties of the interface and the topology of the network behind it.
  5. In the Network Management > VPN Domain page, define the VPN domain as one of:
    • All IP Addresses behind the Gateway based on Topology information
    • Manually defined as an address range, a network, or a group that can be a combination of address ranges, networks, and even other groups.

      (There are instances where the VPN domain is a group which contains only the Security Gateway itself, for example where the Security Gateway is acting as a backup to a primary Security Gateway in an MEP environment.)

    The Security Gateway objects are now configured and must be added to a VPN community.

    Note - There is nothing to configure on the IPsec VPN page, regarding certificates, because internally managed Security Gateways automatically receive a certificate from the internal CA.

  6. Open the Object Explorer (Ctrl+E), and select VPN Communities.
    1. Click New > VPN Communities > Meshed Community.

      The New Meshed Community window opens.

    2. In the Encrypted Traffic page, select Accept all encrypted traffic if you need all traffic between the Security Gateways to be encrypted. Otherwise, create rules in the Security Policy Rule Base that allow encrypted traffic between community members (step 7).
    3. On the Gateways page, add the Security Gateways created in step 1.

    A VPN tunnel is now configured.

    For information on other options, such as Encryption, Shared Secret, and Advanced, see: IPsec & IKE

  7. If you did not select Accept all encrypted traffic in the Encrypted Traffic page of the Community, build an access control policy, for example:

    Source | Destination | VPN              | Service | Action
    Any    | Any         | Meshed community | Any     | Accept

Where "Meshed community" is the VPN community you have just defined.
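The community and rule created in steps 6 and 7 can also be expressed as Management API requests. The following is an added example, not Check Point's own code: it plans the calls for a meshed or star community and emits the explicit Any/Any/community/Any/Accept rule only when "Accept all encrypted traffic" is left off. The command names and keys (add-vpn-community-meshed, add-vpn-community-star, add-access-rule, center-gateways, satellite-gateways, vpn) are as I know them from the Management API; confirm them against the API reference for your release, and the gateway and community names are constructed.

```python
from typing import Dict, List, Tuple

# One planned request: (API command, JSON body) as posted to /web_api/<command>.
Call = Tuple[str, Dict]

def _rule_for(community: str, layer: str) -> Call:
    """Step 7: explicit rule Any -> Any, VPN = community, Any service, Accept."""
    return ("add-access-rule", {
        "layer": layer, "position": "top",
        "name": f"Allow {community} traffic",
        "source": "Any", "destination": "Any",
        "vpn": community, "service": "Any", "action": "Accept"})

def plan_meshed_community(name: str, gateways: List[str],
                          accept_all_encrypted: bool,
                          layer: str = "Network") -> List[Call]:
    """Step 6 (meshed community) plus the step 7 rule when it is needed."""
    if len(gateways) < 2:
        raise ValueError("a meshed community needs at least two gateways")
    if len(set(gateways)) != len(gateways):
        raise ValueError("duplicate gateway in community")
    calls: List[Call] = [("add-vpn-community-meshed",
                          {"name": name, "gateways": list(gateways)})]
    if not accept_all_encrypted:
        calls.append(_rule_for(name, layer))
    calls.append(("publish", {}))  # nothing takes effect until published
    return calls

def plan_star_community(name: str, center: List[str], satellites: List[str],
                        accept_all_encrypted: bool,
                        layer: str = "Network") -> List[Call]:
    """Same plan for a star community: satellites tunnel only to the center."""
    if not center or not satellites:
        raise ValueError("a star community needs a center and at least one satellite")
    if set(center) & set(satellites):
        raise ValueError("a gateway cannot be both center and satellite")
    calls: List[Call] = [("add-vpn-community-star",
                          {"name": name, "center-gateways": list(center),
                           "satellite-gateways": list(satellites)})]
    if not accept_all_encrypted:
        calls.append(_rule_for(name, layer))
    calls.append(("publish", {}))
    return calls

if __name__ == "__main__":
    for cmd, body in plan_meshed_community("Meshed community", ["London", "New York"], False):
        print(cmd, body)
```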

Configuring a Star Community Between Internally Managed Gateways

A star VPN community is configured in much the same way as a meshed community, the difference being the options on the Star Community window:

VPN Communities

A VPN Domain is a collection of internal networks that use Security Gateways to send and receive VPN traffic. Define the resources that are included in the VPN Domain for each Security Gateway. Then join the Security Gateways into a VPN community, a collection of VPN tunnels and their attributes. Network resources of different VPN Domains can securely communicate with each other through VPN tunnels that terminate at the Security Gateways in the VPN communities.

VPN communities are based on Star and Mesh topologies. In a Mesh community, there are VPN tunnels between each pair of Security Gateways. In a Star community, each satellite Security Gateway has a VPN tunnel to the central Security Gateway, but not to other Security Gateways in the community.

Note - Global VPN Communities are not supported in this release.

[Figure: Mesh Topology]

[Figure: Star Topology]

Item | Description
1    | Security Gateway
2    | Satellite Security Gateways
3    | Central Security Gateway

Sample Combination VPN Community

[Figure: Sample Combination VPN Community]

Item | Description
1    | London Security Gateway
2    | New York Security Gateway
3    | London - New York Mesh community
4    | London company partner (external network)
5    | London Star community
6    | New York company partner (external network)
7    | New York Star community

This deployment is composed of a Mesh community for London and New York Security Gateways that share internal networks. The Security Gateways for external networks of company partners do not have access to the London and New York internal networks. However, the Star VPN communities let the company partners access the internal networks of the sites that they work with.