Selecting the output interface of firewalls for VPN topologies
You can select the firewall output interface used as the source address of a VPN tunnel. This requires two things: a Host object that represents the interface, and the selection of that object as the firewall's output interface.
- In the Network Objects menu, create a Firewall_xx Host object that corresponds to an interface configured in the Configuration > Network > Interfaces menu on the firewall. This object is not deployed to the firewall: the firewall resolves Firewall_xx using the values of its own local Firewall_xx object, so the SMC object must match the interface actually configured on the firewall.
On SN firewalls, the same parameter is found under Configuration > VPN > IPSec VPN > Peers > Advanced properties > Local Address.
For any firewall, you can choose the output interface that it will use in most VPN topologies by defining a default output interface in the firewall's parameters. If a particular topology needs a different interface, you can override the default directly in that topology.
- Go to Monitoring > Firewalls, and double click on the firewall.
- In the IPSec VPN tab, select the desired value for the local address in Default output interface. The default value is Any.
The interface chosen here can be overridden by a different interface in individual topologies, as described in the following section.
- In Configuration > VPN topologies, when creating or modifying a topology, go to step 4, Peers and endpoints configuration.
- Double-click in the Output interface column.
- In the VPN local address field, select an interface.
- Connect directly to the firewall by clicking on the icon from the firewall monitoring view in SMC.
- In the Network > Routing menu, create a new static route for each of the VPN tunnel’s peers with the following parameters:
  - destination: the peer’s IP address
  - interface: the interface dedicated to VPN communications (the same interface selected in the procedure above)
  - gateway: the gateway of that interface for VPN communications
For more information on configuring static routes, refer to the Stormshield Network User Configuration Manual.