Managing VPN Communities

The SMP lets you define a group of gateways as a VPN community. A VPN community is a group of gateways that share the same VPN security settings. When you add a gateway to a VPN community, the gateway automatically inherits the appropriate properties and can establish secure sessions with the other members of the community. The type of the VPN community determines which other members the gateway can communicate with. A gateway can be a member of multiple communities.

You can also configure a VPN community with gateways that are not managed by the SMP.

VPN Community Types

These are the VPN communities you can use:

  • Fully Meshed

    In a fully meshed community, all the gateways in the VPN community can communicate directly with each other and fully access the networks behind the gateways, without an intermediary or “center” gateway. A fully meshed topology allows the highest performance, lowest transmission delay, and the best fault tolerance possible.

  • Star

    A star community has two types of members:

    • The center ("hub") gateway can communicate with each satellite gateway.

      Note - Quantum Spark Appliances with Gaia Embedded OS are not supported as the Center Gateway of a Star VPN community.

    • Satellite ("spoke") gateways can be configured to communicate with each other through the center gateway.

  • Nested

    You can nest communities to create advanced VPN topologies. For example, you can create a meshed community whose members are star communities, a star community whose members are meshed communities, and so on.

Assigning a Center Gateway

In a star VPN configuration, the center gateway lets the satellite Security Gateways reach the internal network behind the center Security Gateway.

To show the VPN settings window for the community:

  1. Go to Home > Communities.

  2. Click the community name.

    The Edit page opens.

  3. Click VPN Settings.

To assign the center gateway for a Star VPN community:

  1. In the VPN Settings window of the community, click Topology > Choose.

    The Add Gateway wizard opens.

  2. In the Select Method window, select an option to locate the center gateway.

    • Name

    • MAC Address

    • Search for gateways

  3. Click Next.

To search for the gateway:

  1. Enter the search values.

  2. Click Next.

  3. Select the gateway.

  4. Click Next.

  5. Click Done.

    The Done window shows that the gateway is the center of the Star community.

Understanding Nested Communities

When two gateways communicate with each other, they use the encryption and authentication type, and all other Phase1/Phase2 parameters such as PFS and DH group, of the innermost common community. In the diagram below, communities Y and Z are nested in community X. Gateways A and B are members of both communities X and Z. VPN tunnels between these gateways use the parameters of community Z instead of X, because Z is the innermost common community. VPN tunnels between gateways A and C use the parameters of community X, as X is the innermost common community of A and C.

Legend for the diagram:

  Item   Description
  1      VPN community X
  2      VPN community Y
  3      VPN community Z
  4      Gateway D
  5      Gateway C
  6      Gateways A and B

VPN routing in nested communities is performed based on the nested community's type, fully meshed or star. In a nested fully meshed community, the gateways communicate directly with each other and with gateways in their parent community. In the example above, if community Y is fully meshed, then gateway C can communicate directly with other gateways in the community, as well as with gateway D, which is a member of the parent community, X.
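The "innermost common community" rule above, together with the routing rule for nested communities, can be worked through in code. The following Python model is an added example, not Check Point code and not the SMP's data model. It reproduces the diagram's layout (Y and Z nested in X, A and B in Z, C in Y, D in X) and assumes, for illustration, that X and Y are fully meshed, that Z is configured as a star community with A as its center, that a constructed extra satellite E belongs to Z, and that the Phase1/Phase2 parameter names and values are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of nested VPN communities (illustrative, not SMP code).
# Each community carries its own Phase1/Phase2 settings; a community nests
# by naming its parent, and a gateway is a direct member of one or more
# communities. Membership is inherited outward: a direct member of Z is also
# a member of Z's parent X.


@dataclass
class Community:
    name: str
    topology: str                       # "mesh" or "star"
    params: Dict[str, str]              # Phase1/Phase2 settings (constructed names)
    parent: Optional[str] = None        # enclosing community, None at top level
    members: Set[str] = field(default_factory=set)  # gateways that are direct members
    center: Optional[str] = None        # center gateway, star communities only


class CommunityModel:
    def __init__(self, communities: List[Community]):
        self.communities = {c.name: c for c in communities}

    def chain(self, name: str) -> List[str]:
        """Community `name` followed by each enclosing community up to the top level."""
        out = []
        c = self.communities[name]
        while True:
            out.append(c.name)
            if c.parent is None:
                return out
            c = self.communities[c.parent]

    def depth(self, name: str) -> int:
        return len(self.chain(name)) - 1

    def memberships(self, gateway: str) -> Set[str]:
        """Every community the gateway belongs to, directly or through nesting."""
        found: Set[str] = set()
        for c in self.communities.values():
            if gateway in c.members:
                found.update(self.chain(c.name))
        return found

    def innermost_common(self, g1: str, g2: str) -> Optional[str]:
        """The deepest community that contains both gateways, or None."""
        common = self.memberships(g1) & self.memberships(g2)
        if not common:
            return None
        deepest = max(self.depth(n) for n in common)
        ties = sorted(n for n in common if self.depth(n) == deepest)
        if len(ties) > 1:
            # Two unrelated communities at the same depth both contain both
            # gateways; the page's rule does not say which wins, so refuse.
            raise ValueError(f"ambiguous innermost community for {g1}/{g2}: {ties}")
        return ties[0]

    def tunnel_params(self, g1: str, g2: str) -> Optional[Dict[str, str]]:
        """Phase1/Phase2 parameters the tunnel between g1 and g2 would use."""
        name = self.innermost_common(g1, g2)
        return None if name is None else dict(self.communities[name].params)

    def direct_path(self, g1: str, g2: str) -> bool:
        """True if the two gateways can build a tunnel directly, based on the
        topology of their innermost common community."""
        name = self.innermost_common(g1, g2)
        if name is None:
            return False
        c = self.communities[name]
        if c.topology == "mesh":
            return True
        # Star: only center <-> satellite tunnels are direct; two satellites
        # talk through the center.
        return c.center in (g1, g2)


def build_example() -> CommunityModel:
    """The diagram's layout with constructed parameters."""
    return CommunityModel([
        Community("X", "mesh", {"ike_enc": "aes-256", "dh_group": "14", "pfs": "on"},
                  members={"D"}),
        Community("Y", "mesh", {"ike_enc": "aes-256", "dh_group": "14", "pfs": "on"},
                  parent="X", members={"C"}),
        Community("Z", "star", {"ike_enc": "aes-128", "dh_group": "19", "pfs": "off"},
                  parent="X", members={"A", "B", "E"}, center="A"),
    ])


if __name__ == "__main__":
    m = build_example()
    for pair in (("A", "B"), ("A", "C"), ("C", "D"), ("B", "E")):
        print(pair, m.innermost_common(*pair), m.direct_path(*pair),
              m.tunnel_params(*pair))
```

Running the module prints, for each pair, the community whose parameters the tunnel takes and whether the tunnel is direct: A and B resolve to Z (the innermost community they share) even though both are also members of X, A and C resolve to X, and C reaches D directly because their common community X is meshed, while the two Z satellites B and E must go through the center A.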