You can define and configure a Non VMware SD-WAN Site instance as a Forcepoint Cloud Security Gateway and establish a secure, route-based IKEv2 IPsec tunnel from a VMware SD-WAN Edge to the Forcepoint Cloud Security Gateway.

To configure a Non SD-WAN Destination via Edge:

Prerequisites

Ensure that you have Administrator privileges to log in to the VMware SD-WAN Orchestrator.

Procedure

  1. Log in to the SD-WAN Orchestrator and navigate to Manage Customers.
  2. Click the link to the customer whose traffic is to be routed to the Forcepoint Cloud Security Gateway.
  3. In the Enterprise portal, click Configure > Network Services.
  4. In the Non SD-WAN Destinations via Edge pane, click New to create a new Non SD-WAN Destination.
  5. In the New Non SD-WAN Destination via Edge window, configure the following:
    Service Name: Enter a descriptive name for the Non SD-WAN Destination.
    Service Type: Select the type as Generic IKEv2 Router (Route Based VPN).
    Click Next.
  6. In the next window, configure the following settings:
    Click Advanced to configure the other IPsec tunnel parameters for the Primary and Secondary VPN Gateways as follows:
    Encryption: Select AES-256 from the drop-down list as the algorithm used to encrypt tunnel data.
    DH Group: Select Diffie-Hellman (DH) Group 14 (2048-bit MODP). The DH group is used in the IKE key exchange that derives the session keys; the pre-shared key itself is never sent over the tunnel. The group number determines the size of the DH modulus, and therefore the strength of the exchange, in bits.
    PFS: Select the Perfect Forward Secrecy (PFS) level as disabled. With PFS disabled, IPsec SA keys are derived from the IKE SA without a fresh DH exchange. This setting must match the Forcepoint side; a mismatch causes the IPsec SA proposal to be rejected.
    Hash: Select SHA 256 from the drop-down list as the integrity (authentication) algorithm for the VPN header.
    IKE SA Lifetime(min): Enter the IKE SA lifetime in minutes. The Edge initiates rekeying before this time expires. The range is from 10 to 1440 minutes. The default value is 1440 minutes.
    IPsec SA Lifetime(min): Enter the IPsec SA lifetime in minutes. The Edge initiates rekeying before this time expires. The range is from 3 to 480 minutes. The default value is 480 minutes.
    DPD Timeout Timer(sec): Enter the maximum time, in seconds, that the Edge waits for a response to a Dead Peer Detection (DPD) message before it considers the peer dead. The default value is 20 seconds. Setting the timer to zero (0) disables DPD; a dead peer is then no longer detected by DPD.
    For the Secondary VPN Gateway, select the Tunnel settings are same as Primary VPN checkbox to apply the Primary VPN Gateway tunnel settings to it. The Edge is set up with two tunnels, one to each gateway.
    Keep the default values for the other settings.
    Click Save Changes and close the window.
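The following is an added example, not VMware or Forcepoint code. It encodes the Advanced tunnel settings chosen in step 6, checks them against the lifetime ranges the Orchestrator states and flags the security caveats (PFS disabled, DPD disabled, weak DH group), and renders the equivalent strongSwan swanctl.conf connection so the proposal can be exercised against a lab peer before the Edge is pointed at the real Forcepoint gateway. The strongSwan mapping, the connection and child names, the TEST-NET address and the identities are assumptions for that lab; strongSwan has no per-peer DPD timeout for IKEv2, so the DPD value is mapped to dpd_delay, the probe interval, as the closest knob.

```python
"""Validate the Non SD-WAN Destination tunnel settings and render a strongSwan lab peer.

Added example, not VMware or Forcepoint code. Lifetime ranges are the ones the
Orchestrator UI states; the swanctl mapping is an assumed lab setup.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IKE_SA_LIFETIME_RANGE = (10, 1440)    # minutes, as enforced by the Orchestrator UI
IPSEC_SA_LIFETIME_RANGE = (3, 480)    # minutes, as enforced by the Orchestrator UI

# IANA DH group number -> (strongSwan keyword, modulus or curve size in bits)
DH_GROUPS = {
    2: ("modp1024", 1024),
    5: ("modp1536", 1536),
    14: ("modp2048", 2048),
    15: ("modp3072", 3072),
    16: ("modp4096", 4096),
    19: ("ecp256", 256),
    20: ("ecp384", 384),
}
ENCRYPTION = {"AES-128": "aes128", "AES-256": "aes256"}
HASHES = {"SHA1": "sha1", "SHA256": "sha256"}


@dataclass(frozen=True)
class TunnelSettings:
    """Advanced settings of one VPN gateway; defaults match the values selected in step 6."""
    encryption: str = "AES-256"
    dh_group: int = 14
    pfs_group: Optional[int] = None      # None means PFS disabled
    hash_alg: str = "SHA256"
    ike_sa_lifetime_min: int = 1440
    ipsec_sa_lifetime_min: int = 480
    dpd_timeout_sec: int = 20


def validate(s: TunnelSettings) -> List[str]:
    """Return findings. ERROR lines are values the UI rejects; WARN lines are security caveats."""
    findings: List[str] = []
    if s.encryption not in ENCRYPTION:
        findings.append(f"ERROR unsupported encryption {s.encryption!r}")
    if s.hash_alg not in HASHES:
        findings.append(f"ERROR unsupported hash {s.hash_alg!r}")
    if s.dh_group not in DH_GROUPS:
        findings.append(f"ERROR unknown DH group {s.dh_group}")
    elif s.dh_group in (2, 5):
        findings.append(f"WARN DH group {s.dh_group} is {DH_GROUPS[s.dh_group][1]}-bit MODP, weaker than group 14")
    lo, hi = IKE_SA_LIFETIME_RANGE
    if not lo <= s.ike_sa_lifetime_min <= hi:
        findings.append(f"ERROR IKE SA lifetime {s.ike_sa_lifetime_min} min is outside {lo}-{hi}")
    lo, hi = IPSEC_SA_LIFETIME_RANGE
    if not lo <= s.ipsec_sa_lifetime_min <= hi:
        findings.append(f"ERROR IPsec SA lifetime {s.ipsec_sa_lifetime_min} min is outside {lo}-{hi}")
    if s.pfs_group is None:
        findings.append("WARN PFS disabled: IPsec SA keys derive from the IKE SA without a fresh DH exchange; the peer must agree")
    elif s.pfs_group not in DH_GROUPS:
        findings.append(f"ERROR unknown PFS group {s.pfs_group}")
    if s.dpd_timeout_sec == 0:
        findings.append("WARN DPD disabled: a dead peer is not detected by DPD")
    return findings


def swanctl_proposals(s: TunnelSettings) -> Tuple[str, str]:
    """Map the UI settings to strongSwan IKE and ESP proposal strings."""
    enc, integ = ENCRYPTION[s.encryption], HASHES[s.hash_alg]
    ike = f"{enc}-{integ}-{DH_GROUPS[s.dh_group][0]}"
    esp = f"{enc}-{integ}"
    if s.pfs_group is not None:          # a DH group in the ESP proposal is what turns PFS on
        esp += f"-{DH_GROUPS[s.pfs_group][0]}"
    return ike, esp


def render_swanctl(s: TunnelSettings, conn: str, remote_addr: str, local_id: str, remote_id: str) -> str:
    """Render a swanctl.conf connection for a lab peer (names, address and IDs are placeholders)."""
    ike, esp = swanctl_proposals(s)
    lines = [
        "connections {",
        f"  {conn} {{",
        "    version = 2",
        f"    remote_addrs = {remote_addr}",
        f"    proposals = {ike}",
        f"    rekey_time = {s.ike_sa_lifetime_min * 60}s",   # IKE SA lifetime, minutes -> seconds
    ]
    if s.dpd_timeout_sec:
        # strongSwan IKEv2 has no per-peer DPD timeout; dpd_delay (probe interval) is the closest knob
        lines.append(f"    dpd_delay = {s.dpd_timeout_sec}s")
    lines += [
        "    local {",
        f"      id = {local_id}",
        "      auth = psk",
        "    }",
        "    remote {",
        f"      id = {remote_id}",
        "      auth = psk",
        "    }",
        "    children {",
        "      sdwan {",
        "        mode = tunnel",
        "        start_action = start",
        f"        esp_proposals = {esp}",
        f"        rekey_time = {s.ipsec_sa_lifetime_min * 60}s",   # IPsec SA lifetime
        "      }",
        "    }",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    settings = TunnelSettings()
    for finding in validate(settings):
        print(finding)
    print(render_swanctl(settings, "forcepoint-lab", "192.0.2.10", "edge.example.net", "gw.example.net"))
```

Running the block with the defaults prints a single PFS warning and a connection whose IKE proposal is aes256-sha256-modp2048 with an 86400 s rekey and whose ESP proposal is aes256-sha256 with a 28800 s rekey, which is exactly what the Edge will offer the Forcepoint gateway.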

Results

The new Non SD-WAN Destination via Edge is displayed in the Network Services window.

What to do next

Configure Profile to use the new Non SD-WAN Destination via Edge. See Configure Profile with Non SD-WAN Destination via Edge.