Defining the contact IP address of firewalls for VPN topologies
Peers can contact a firewall in a VPN topology via a fixed IP address. There are two options in this case:
- By default, the firewall is contacted on the IP address that was detected the last time the firewall logged on to the SMC server.
- Alternatively, you can define a customized contact address.
It is also possible to indicate that a firewall has a dynamic IP address and therefore cannot be contacted by its peers: it will always initiate the negotiation of the VPN tunnel. A VPN tunnel therefore cannot be set up between two peers that both have dynamic IP addresses, because neither peer can contact the other.
For any given firewall, you can choose the address at which it will be contacted in most VPN topologies. You can define this default contact address in the firewall's parameters. If you need to define a different address in certain topologies, you can replace the default address directly in these topologies.
- Go to Monitoring > Firewalls, and double-click on the firewall.
- In the System > IPsec VPN tab, go to Default contact address.
The parameter chosen here can be replaced with a different contact address in other topologies, as shown in the following section.
- In Configuration > VPN topologies, go to step 4 Peers and endpoints configuration when creating or modifying a topology.
- Double-click in the Contact address column.
- In the IP address field, select an object, or select Any to indicate that the IP address is dynamic.
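
The following added example (not part of the SMC product or its documentation) shows how the rules above combine: it resolves each peer's effective contact address (topology replacement first, then the firewall's default contact address, then the last address detected by the SMC server) and flags peer pairs that cannot form a tunnel because both are dynamic. The inventory, field names and addresses are constructed for illustration, and every pair of peers in the topology is assumed to form a tunnel.

```python
from itertools import combinations

DYNAMIC = "Any"  # the page's marker for a dynamic IP address

# Constructed inventory: names, addresses and field names are hypothetical.
FIREWALLS = {
    "fw-hq":     {"last_detected": "198.51.100.10", "default_contact": "203.0.113.1"},
    "fw-branch": {"last_detected": "198.51.100.20", "default_contact": None},
    "fw-shop":   {"last_detected": "192.0.2.77",    "default_contact": DYNAMIC},
    "fw-kiosk":  {"last_detected": "192.0.2.99",    "default_contact": DYNAMIC},
}
# Per-topology replacement of the default contact address (constructed).
TOPOLOGY = {"name": "retail-vpn",
            "peers": ["fw-hq", "fw-branch", "fw-shop", "fw-kiosk"],
            "contact_override": {"fw-branch": "203.0.113.20"}}

def effective_contact(fw, topology, firewalls):
    """Topology override first, then the firewall default, then the last detected IP."""
    override = topology["contact_override"].get(fw)
    if override is not None:
        return override
    default = firewalls[fw]["default_contact"]
    return default if default is not None else firewalls[fw]["last_detected"]

def audit(topology, firewalls):
    """Classify every peer pair by which side can initiate the tunnel negotiation."""
    contact = {fw: effective_contact(fw, topology, firewalls) for fw in topology["peers"]}
    report = {}
    for a, b in combinations(topology["peers"], 2):
        dyn_a, dyn_b = contact[a] == DYNAMIC, contact[b] == DYNAMIC
        if dyn_a and dyn_b:
            report[(a, b)] = "impossible: both peers dynamic"
        elif dyn_a or dyn_b:
            report[(a, b)] = f"{a if dyn_a else b} must initiate"
        else:
            report[(a, b)] = "either peer can initiate"
    return contact, report

if __name__ == "__main__":
    contact, report = audit(TOPOLOGY, FIREWALLS)
    for fw, addr in contact.items():
        print(f"{fw:10} -> {addr}")
    for pair, verdict in report.items():
        print(pair, verdict)
```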