Configuring VPN Sites

In the VPN > Site to Site > VPN Sites page you can configure remote VPN sites. All configured VPN sites appear in the table.

For more on how to configure site to site VPN, go to VPN > Site to Site > Blade Control.

When you add a new VPN site, these are the tabs where you configure these details:

  • Remote Site - Name, connection type, authentication method (preshared secret or certificate), and the Remote Site Encryption Domain.

  • Encryption - Change the default settings for encryption and authentication details.

  • Advanced - Enable permanent tunnels, disable NAT for this site, configure encryption method, and additional certificate matching.

To add a new VPN site:

  1. Click New.

    The New VPN Site window opens in the Remote Site tab.

  2. Enter the Site name.

  3. Select the Connection type:

    • Host name or IP address - Enter the IP address or Host name.

      If you select IP address, and it is necessary to configure a static NAT IP address, select Behind static NAT and enter the IP address.

      Note - Behind static NAT applies to IPv4 addresses only.

    • High Availability or Load Sharing - When you select this option, you must configure a probing method on the Advanced tab. The probing method determines which of the configured IP addresses is used for the VPN; probing runs either continuously (ongoing) or against one address at a time.

      Load Sharing mode - Configure a list of backup IP addresses to distribute data.

      High Availability mode:

      • Configure a list of backup IP addresses in case of failure.

      • Primary IP address - Configure one of the existing IP addresses as the primary, or add an IP address and set it as the primary.

      The status of VPN sites whose hosts or IP addresses are in High Availability or Load Sharing mode is displayed in the Responsiveness column of the table, for example "0 of 2 is responsive".

    • Only remote site initiates VPN - Connections can only be initiated from the remote site to this appliance, for example when the remote site is hidden behind a NAT device. In this scenario, this appliance only responds to tunnel initiation requests. This requires a secure method of remote site authentication and identification.

  4. Select an authentication method. This must match the authentication you used to configure this appliance as the other gateway's remote site.

    • Preshared secret - If you select this option, enter the same password as configured in the remote gateway and confirm it.

      Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ' " \ (maximum number of characters: 255).

    • Certificate - The gateway uses its own certificate to authenticate itself. For more information, see VPN > Internal Certificate.

  5. Exclude networks - Select this option to exclude networks from the specified encryption domain. This may be useful if two gateways are in the same community and protect the same parts of the network.

  6. Click Apply.
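The preshared-secret rules in step 4 (the forbidden characters and the 255-character maximum) are easy to get wrong when secrets are generated or pasted by a script. The following is an added example, not code from the Check Point guide, that validates a candidate secret against exactly those stated constraints before it is entered on both gateways; `MIN_LENGTH` and the character-class rule are an assumed local policy, not a product limit.

```python
# Added example (not from the guide): validate a site-to-site preshared secret
# against the constraints the guide states, plus an assumed local policy.
import string
from typing import List, Optional

# Forbidden characters as listed in the guide: { } [ ] ` ~ | ' " \
FORBIDDEN = set('{}[]`~|\'"\\')
MAX_LENGTH = 255           # stated in the guide
MIN_LENGTH = 20            # assumed local policy; the guide states no minimum
MIN_CLASSES = 3            # assumed local policy (lower, upper, digit, punctuation)


def validate_preshared_secret(secret: str, confirm: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the secret is acceptable.

    `confirm` mirrors the confirmation field in the Remote Site tab: the same
    value must be entered on this appliance and on the remote gateway.
    """
    problems: List[str] = []
    if not secret:
        return ["secret is empty"]

    # Guide rules: forbidden characters and maximum length.
    bad = sorted(set(secret) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if len(secret) > MAX_LENGTH:
        problems.append(f"too long: {len(secret)} > {MAX_LENGTH}")

    # Assumed policy rules: minimum length and character diversity.
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than local policy minimum of {MIN_LENGTH}")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    present = sum(any(ch in cls for ch in secret) for cls in classes)
    if present < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes (assumed policy)")

    # Confirmation mismatch, as the appliance would also reject.
    if confirm is not None and confirm != secret:
        problems.append("confirmation does not match")
    return problems


if __name__ == "__main__":
    # Constructed sample secrets for illustration only.
    for candidate in ("Tr0ub4dor&3-bridge-Lamp!!", 'abc{"xyz', "a" * 300):
        print(repr(candidate[:20]), validate_preshared_secret(candidate) or "ok")
```

Run the check on the value you intend to use on both gateways; because the secret must be identical on each side, validating once and then distributing the same string avoids the most common cause of a failed initial tunnel test.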

On the Encryption tab you can change the default settings.

There are built-in groups of encryption settings; the group selected in this configuration only needs to match the group selected at the remote site.

  • Default (most compatible)

  • VPN A - According to RFC 4308.

  • VPN B - According to RFC 4308.

  • Suite-B GCM-128 or Suite-B-GCM-256 - According to RFC 6379.

  • Custom - Select this option to choose the encryption and authentication methods manually (optional).

In the Advanced tab:

Note - When you finish the new VPN site configuration, click Save.

  • Settings

Notes:

  • For more information on installing the certificate, see Managing Installed Certificates.

  • The initiator's gateway ID must be set in the responder gateway as the peer ID.

  • The Remote Access blade must be enabled for peer ID to work.

  • On the gateway that is not behind NAT, for Connection type, select Only remote site initiates VPN.

  • When you configure the remote site, do not select behind static NAT.

An initial tunnel test begins with the remote site. If you have not yet configured it, click Skip. The VPN site is added to the table.

Locally managed gateways can be part of these site to site communities:

  • VPN mesh community - All gateways are connected to each other, and each gateway handles its own internet traffic. Encrypted traffic is passed from networks in the encryption domain of one gateway to the networks in the encryption domain of the second gateway.

  • VPN star community - One gateway is the center and routes all traffic (encrypted and internet traffic of the remote peer) to the internet and back to the remote peer. The peer gateway is a satellite and is configured to route all its traffic through the center.

You can configure more than one satellite gateway to route all traffic through the center gateway.

If you try to configure two gateways to be the center, an error message shows.

If you do not configure one gateway as a center, the site to site VPN acts like a mesh community and each gateway continues to handle its own traffic.
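Several rules on this page are symmetric constraints between the two ends of a site (the authentication method and preshared secret must match, the encryption settings group must match, the gateway that is not behind NAT must use "Only remote site initiates VPN" with the initiator's gateway ID as its peer ID, and a community may have at most one center). The following is an added example, not the appliance's own code or configuration schema, that models each end as a dictionary with assumed field names and reports any rule that the pair or the community violates before the configuration is applied.

```python
# Added example (not Check Point code): consistency checks for a pair of
# site-to-site VPN gateways and for the star/mesh community rules stated in
# this section. Field names in the dictionaries are assumptions for illustration.
from typing import Dict, List

# Encryption settings groups listed on the Encryption tab.
SUITES = {"Default", "VPN A", "VPN B", "Suite-B GCM-128", "Suite-B GCM-256", "Custom"}


def check_site_pair(local: Dict, remote: Dict) -> List[str]:
    """Return problems found when `local` and `remote` list each other as VPN sites."""
    problems: List[str] = []

    # Step 4: the authentication method (and the secret itself) must match.
    if local["auth"] != remote["auth"]:
        problems.append("authentication methods differ")
    elif local["auth"] == "preshared" and local["secret"] != remote["secret"]:
        problems.append("preshared secrets differ")

    # Encryption tab: the selected settings group must match on both sides.
    for side in (local, remote):
        if side["suite"] not in SUITES:
            problems.append(f"{side['name']}: unknown encryption group {side['suite']!r}")
    if local["suite"] != remote["suite"]:
        problems.append("encryption settings groups differ")

    # Notes: when the peer is behind NAT, this gateway must use
    # 'Only remote site initiates VPN', must not mark the peer as
    # 'Behind static NAT', and must carry the initiator's gateway ID as peer ID.
    for gw, peer in ((local, remote), (remote, local)):
        if peer.get("behind_nat"):
            if gw["connection_type"] != "remote_initiates":
                problems.append(f"{gw['name']}: peer is behind NAT but connection type "
                                "is not 'Only remote site initiates VPN'")
            if gw.get("remote_behind_static_nat"):
                problems.append(f"{gw['name']}: 'Behind static NAT' must not be selected "
                                "for a NAT-hidden peer")
        if gw["connection_type"] == "remote_initiates" and gw.get("peer_id") != peer["gateway_id"]:
            problems.append(f"{gw['name']}: peer ID must equal the initiator's gateway ID")
    return problems


def check_community(gateways: List[Dict]) -> List[str]:
    """A star community may have only one center; two centers is an error."""
    centers = [g["name"] for g in gateways if g.get("role") == "center"]
    if len(centers) > 1:
        return ["more than one center configured: " + ", ".join(centers)]
    return []


def community_type(gateways: List[Dict]) -> str:
    """With no center the community behaves as a mesh; with one it is a star."""
    return "star" if any(g.get("role") == "center" for g in gateways) else "mesh"


# Constructed sample: an HQ gateway on a public address (center) and a branch
# gateway hidden behind NAT (satellite). Values are illustrative only.
HQ = {"name": "hq", "gateway_id": "hq-gw", "auth": "preshared",
      "secret": "Tr0ub4dor&3-bridge-Lamp!!", "suite": "Suite-B GCM-256",
      "connection_type": "remote_initiates", "peer_id": "branch-gw",
      "behind_nat": False, "remote_behind_static_nat": False, "role": "center"}
BRANCH = {"name": "branch", "gateway_id": "branch-gw", "auth": "preshared",
          "secret": "Tr0ub4dor&3-bridge-Lamp!!", "suite": "Suite-B GCM-256",
          "connection_type": "host", "peer_id": "hq-gw",
          "behind_nat": True, "remote_behind_static_nat": False, "role": "satellite"}

if __name__ == "__main__":
    print("pair:", check_site_pair(HQ, BRANCH) or "ok")
    print("community:", community_type([HQ, BRANCH]), check_community([HQ, BRANCH]) or "ok")
    print("misconfigured:", check_site_pair(dict(HQ, connection_type="host", suite="VPN B"), BRANCH))
```

The checks mirror what the appliance enforces or expects at tunnel-test time, so running them over both gateways' intended settings first turns a failed initial tunnel test into a specific, named mismatch.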