You need to create a "VPN Gateway" for each Screen involved in the VPN to define the systems that are taking part in a particular VPN. You create these Gateway definitions are using the VPN tab in the Policy Rules area of the Policy Rules page.
Each VPN Gateway definition associates a particular certificate with a set of hosts that are "protected" by that gateway. The protected hosts will have their traffic encrypted/decrypted by that certificate. In addition, the defined gateways are associated with each other by giving them each the same VPN name.
To Add a VPN Gateway definition, perform the following steps:
Click the VPN tab in the Policy Rules area of the Policy Rules page.
Click the Add New... button in the VPN area.
The VPN Definition dialog window appears.
In the Name field, type the name of the VPN to which the gateway belongs.
Type the same name for each gateway included in the VPN.
Click the down arrow in the Address field to select the machine to be included in the VPN.
All gateways in the same VPN must use the same key algorithm.
All gateways in the same VPN must use the same data algorithm.
All gateways in the same VPN must use the same MAC algorithm.
(Optional) Type a description of the VPN gateway.
Click the OK button.
Repeat steps 2 through 11 to define a VPN Gateway for each Screen in the VPN. Be sure to give each of them the same VPN name to include them all in this particular VPN.
Once you define the VPN by creating VPN Gateways, you must add Packet Filtering rules in order to utilize the VPN. To add the VPN rule, perform the following steps:
Click on the Packet Filtering tab of the Policy Rules area of the Policy Rules page.
Click on the "Add New..." button at the bottom of the rules.
The Rule Definition dialog window appears.
Type the information into the fields as desired.
The source and destination fields can contain "*". This configuration will check all traffic to see if it is part of the specified VPN. Be sure to select SECURE in the action field. When the Action Details popup window asks you to supply a VPN, select the name of the VPN used when defining the VPN Gateways.
The one VPN-based rule will then generate all the VPN Gateway pair-wise rules so that the hosts at each site can communicate with each other securely. Any host that cannot be secured (for example, it is not protected by a VPN gateway) will not be allowed to communicate by the VPN-based rule. You can create a separate rule that allows that particular host to communicate, but you must set that up separately.
Click the OK button for both the Action Details and the Add Rule dialog boxes.
If you did not use "*" for source, destination and service, repeat steps 2 through 4 for any additional rules. You must add VPN rules to each Screen that is part of the VPN.