Configure VPN

Configure VPN connections with the New Connection wizard
The New Connection wizard allows you to create a virtual private network (VPN) between any combination of hosts and gateways.
Configure VPN security policies
After you determine how you will use your VPN you must define your VPN security policies.
Configure the VPN secure connection
After you have configured the security policies for your connection, you must then configure the secure connection.
Configure a manual connection
Just as the name suggests, a manual connection is one where you must configure all of your VPN properties by hand.
Configure VPN packet rules
If you are creating a connection for the first time, allow VPN to automatically generate the VPN packet rules for you. You can do this by either using the New Connection wizard or the VPN properties pages to configure your connection.
Configure Traffic Flow Confidentiality (TFC)
If your data policy is configured for Tunnel mode you can use Traffic Flow Confidentiality (TFC) to conceal the actual length of the data packets transferred over a VPN connection.
Configure Extended Sequence Number (ESN)
You can use Extended Sequence Number (ESN) to increase the data transfer rate for a VPN connection.
Start a VPN connection
Complete this task to start connections you will initiate locally.

Parent topic: Virtual Private Networking (VPN)

Related concepts

What type of connection should I configure?

A dynamic connection is one that dynamically generates and negotiates the keys that secure your connection, while it is active, by using the Internet Key Exchange (IKE) protocol. Dynamic connections provide an extra level of security for the data that flows across it because the keys change, automatically, at regular intervals. Consequently, an attacker is less likely to capture a key, have time to break it, and use it to divert or capture the traffic the key protects.

A manual connection, however, does not provide support for IKE negotiations, and consequently, automatic key management. Further, both ends of the connection require you to configure several attributes that must match exactly. Manual connections use static keys that do not refresh or change while the connection is active. You must stop a manual connection to change its associated key. If you consider this a security risk, you may want to create a dynamic connection instead.

How do I configure a dynamic VPN connection?

VPN is actually a group of configuration objects that define the characteristics of a connection. A dynamic VPN connection requires each of these objects to work properly. Follow the links below for specific information about how to configure each of the VPN configuration objects:

Tip: Configure connections with the New Connection wizard

In general, you can use the Connection wizard to create all of your dynamic connections. The wizard automatically creates each of the configuration objects VPN requires to work properly, including the packet rules. If you specify that you want the wizard to activate the VPN packet rules for you, you can skip to step six below, Start the connection. Otherwise, after the wizard finishes configuring your VPN, you must activate the packet rules and then you can start the connection.

If you choose not to use the wizard to configure your dynamic VPN connections, follow these steps to complete the configuration:

Configure VPN security policies
You must define VPN security policies for all of your dynamic connections. The Internet Key Exchange policy and data policy dictate how IKE protects its phase 1 and phase 2 negotiations.
Configure secure connections
Once you have defined the security policies for a connection, you must then configure the secure connection. For dynamic connections, the secure connection object includes a dynamic-key group and a dynamic-key connection. The dynamic-key group defines the common characteristics of one or more VPN connections, while the dynamic-key connection defines the characteristics of individual data connections between pairs of endpoints. The dynamic-key connection exists within the dynamic-key group.

Note: You only need to complete the next two steps, Configure packet rules and Define an interface for the rules, if you select The policy filter rule will be defined in Packet Rules option on the Dynamic-Key Group - Connections page in the VPN interface. Otherwise, these rules are created as part of your VPN configurations and are applied to the interface you specify.

It is recommended that you always allow the VPN interface to create your policy filter rules for you. Do this by selecting the Generate the following policy filter for this group option on the Dynamic-Key Group - Connections page.
Configure packet rules
After you complete your VPN configurations, you must create and apply filter rules that allow data traffic to flow through the connection. The VPN pre-IPSec rules permit all IKE traffic on the specified interfaces so that IKE can negotiate connections. The policy filter rule defines which addresses, protocols, and ports can use the associated new dynamic-key group.

If you are migrating from either V4R4 or V4R5 and have VPN connections and policy filters you want to continue using with the current release, review the topic, Migrate policy filters to the current release to ensure that your old policy filters and new policy filters will work together as you intend.
Define an interface for the rules
After you configure the packet rules and any other rules that you need to enable your VPN connection, you must define an interface to which to apply them.
Activate packet rules
After you define an interface for your packet rules, you must activate them before you can start the connection.
Start the connection
Complete this task to start your connections.

How do I configure a manual VPN connection?

Just as the name suggests, a manual connection is one where you must configure all of your VPN properties by hand, including inbound and outbound keys. Follow the links below for specific information about how to configure a manual connection:

Configure manual connections
Manual connections define the characteristics of a connection including what security protocols and the connection and data endpoints.

Note: You only need to complete the next two steps, Configure policy filter rule and Define an interface for the rules, if you select The policy filter rule will be defined in Packet Rules option on the Manual Connection - Connection page in the VPN interface. Otherwise, these rules are created as part of your VPN configurations.

It is recommended that you always allow the VPN interface to create your policy filter rules for you. Do this by selecting the Generate a policy filter that matches the data endpoints option on the Manual Connection - Connection page.
Configure policy filter rule
After you configure the attributes of the manual connection, you must create and apply a policy filter rule that allows data traffic to flow through the connection. The policy filter rule defines which addresses, protocols, and ports can use the associated connection.
Define an interface for the rules
After you configure the packet rules and any other rules that you need to enable your VPN connection, you must define an interface to which to apply them.
Activate packet rules
After you define an interface for your packet rules, you must activate them before you can start the connection.
Start the connection
Complete this task to start connections that are initiated locally.