About Auto VPN

Learn more about Auto VPN on Strata Cloud Manager.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Auto VPN enables you to create a VPN cluster that connects multiple local area networks (LANs). When you create a VPN cluster, you specify which firewall acts as the gateway device; the gateway facilitates communication between the branch firewalls, and Auto VPN automatically creates secure connections between the gateway and the branch devices.
Auto VPN supports hub-and-spoke topology only. Auto VPN does not support mesh topology between gateway devices.
After you create the VPN cluster, the firewalls automatically set up route-based VPN tunnels and make routing decisions based on the Layer 3 Ethernet interface IP addresses. If traffic is routed to a destination through a VPN tunnel, it is handled as VPN traffic. Tunnels are created only between the gateway device and the branch devices, never between branch devices.
The VPN is secured using Internet Protocol Security (IPSec), a set of protocols used to set up a secure tunnel for VPN traffic. The contents of the TCP/IP packet are protected: the original IP packet (header and payload) is embedded in the payload of a new IP packet, a new header is applied, and the result is sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer at the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is forwarded to its destination.
To set up the VPN tunnel, the branch devices must be authenticated. After successful authentication, the branch devices negotiate the encryption mechanism and algorithms used to secure the communication. The Internet Key Exchange (IKE) process authenticates the VPN branch devices, and IPSec security associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses pre-shared keys to set up the SAs for the IPSec tunnel. The SAs specify all of the parameters required for secure transmission, including the security parameter index (SPI), the security protocol, the cryptographic keys, and the destination IP address, and they provide encryption, data authentication, data integrity, and endpoint authentication.
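The tunnel-mode encapsulation and the SA lookup by SPI described above, modelled as an added Python example (not Palo Alto or Strata Cloud Manager code). It builds only the framing (outer IPv4 header addressed peer to peer, ESP SPI and sequence number, original packet inside) and omits the actual encryption and integrity check; the peer addresses, LAN hosts and SPI are constructed sample values.

```python
import struct
import ipaddress
ESP = 50  # IP protocol number carried in the outer header for IPsec ESP

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 when a header verifies."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    src, dst = struct.unpack("!4s4s", pkt[12:20])  # fields that matter for tunnel handling
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": pkt[9], "hdr_len": (pkt[0] & 0x0F) * 4}

def encapsulate(inner: bytes, local_peer: str, remote_peer: str, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole inner packet rides behind an ESP header (SPI, sequence) and a
    fresh outer header from the local peer to the remote peer. Framing only, no crypto."""
    esp_hdr = struct.pack("!II", spi, seq)
    return ipv4_header(local_peer, remote_peer, ESP, 8 + len(inner)) + esp_hdr + inner

def decapsulate(outer: bytes, sa_table: dict) -> bytes:
    """Far-end peer: verify outer header, pick the SA by (our address, SPI), strip."""
    o = parse_ipv4(outer)
    if o["proto"] != ESP or ipv4_checksum(outer[:o["hdr_len"]]) != 0:
        raise ValueError("not a valid ESP packet")
    spi, seq = struct.unpack("!II", outer[o["hdr_len"]:o["hdr_len"] + 8])
    sa = sa_table.get((o["dst"], spi))
    if sa is None:
        raise ValueError("no SA for this destination/SPI")
    if seq <= sa["last_seq"]:  # simple anti-replay: sequence must advance
        raise ValueError("sequence number replayed or out of order")
    sa["last_seq"] = seq
    return outer[o["hdr_len"] + 8:]

def demo() -> tuple:
    """Constructed sample: a branch LAN host sends to a host behind the gateway."""
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 17, 8) + b"\x00" * 8  # UDP-sized stub payload
    sa_table = {("198.51.100.1", 0x1001): {"last_seq": 0}}  # gateway's inbound SA
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.1", 0x1001, 1)
    recovered = decapsulate(outer, sa_table)
    return parse_ipv4(outer), recovered == inner, parse_ipv4(recovered)["dst"], outer, sa_table
```

On the wire only the peer addresses (203.0.113.10 and 198.51.100.1) are visible; the LAN addresses travel inside the ESP payload and reappear only after the gateway strips the outer header.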