
Configuring Site-to-Site VPN Profiles


A site-to-site VPN profile lets you group edges so that they maintain secure tunneled connections with one another as long as they have IP connectivity. You can also use a secure tunnel between an edge and other network devices in your infrastructure.

You can also place a Service Edge instance behind a firewall that owns a public IP address. In that case the firewall must be configured for NAT port forwarding. In some organizations such port forwarding is difficult to implement, and this requirement can complicate the deployment of site-to-site VPN profiles.

To overcome these difficulties and to deploy site-to-site VPN profiles in organizations where Service Edge instances are behind a NAT or a firewall, Service Edge uses the strongSwan NAT Traversal (NAT-T) protocol with a mediation server hosted in the cloud. The mediation server facilitates discovery of the public-to-private address binding of each site. Each site then uses that information to attempt communication with its remote peers, which establishes a NAT session in the reverse direction.

The mediation server is hosted in the AWS cloud and uses UDP ports 500 and 4500, so both must be reachable from each site.
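The address discovery described above relies on the IKEv2 NAT detection mechanism that strongSwan NAT-T implements (RFC 7296, section 2.23): each peer hashes its own view of its address and port, and the receiver compares that hash with what it actually observed on the wire. The following is an added illustration of that check, not Service Edge or strongSwan code; the SPI values and addresses are constructed for the example.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not taken from any real deployment).
SPI_I = bytes.fromhex("0102030405060708")   # initiator SPI
SPI_R = bytes.fromhex("1112131415161718")   # responder SPI
EDGE_PRIVATE_IP, EDGE_PRIVATE_PORT = "10.0.0.5", 500        # what the edge sees locally
EDGE_PUBLIC_IP, EDGE_PUBLIC_PORT = "203.0.113.7", 4500      # what the peer sees after NAT


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload per RFC 7296 s2.23:
    SHA-1 over initiator SPI | responder SPI | IP address | UDP port."""
    addr = ipaddress.ip_address(ip).packed           # works for IPv4 and IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def peer_is_behind_nat(spi_i: bytes, spi_r: bytes, claimed: bytes,
                       observed_ip: str, observed_port: int) -> bool:
    """The peer's hash was computed over the address it believes it has.
    If recomputing over the source address/port actually observed on the
    wire gives a different value, a NAT rewrote the packet en route."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != claimed


def demo() -> dict:
    """Edge computes its hash over its private address; the remote side
    recomputes over the public address it observed. Returns the verdicts."""
    claimed = nat_detection_hash(SPI_I, SPI_R, EDGE_PRIVATE_IP, EDGE_PRIVATE_PORT)
    return {
        "nat_detected": peer_is_behind_nat(SPI_I, SPI_R, claimed,
                                           EDGE_PUBLIC_IP, EDGE_PUBLIC_PORT),
        # Same check when no NAT is in the path: hash matches, no NAT.
        "no_nat_case": peer_is_behind_nat(SPI_I, SPI_R, claimed,
                                          EDGE_PRIVATE_IP, EDGE_PRIVATE_PORT),
        # Once a NAT is detected, IKE and ESP move to UDP 4500 (UDP encapsulation).
        "port_after_detection": 4500,
    }


if __name__ == "__main__":
    print(demo())
```

When the check fires, both ends switch to UDP 4500 and keep the NAT mapping alive, which is why that port must be open alongside 500.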

For information about BloxOne Service Edge, see BloxOne Service Edge.

On the Site-to-Site VPN Profiles page, the Cloud Services Portal displays the following information:

  • NAME: The name of the site-to-site VPN profile.
  • EDGES: The number of edges included in the profile. Click the number to view details of the edges in the right panel; the Edges dialog displays information about the edges you have included in the profile.

You can also perform the following on the Site-to-Site VPN Profile page:

  • Select a Site-to-Site VPN profile to view its details, such as the edges associated with it, in the right panel. If you do not want to view the details in the right panel, click .
  • Click  -> Edit or select the check box for the respective VPN profile and click the Edit button to modify a Site-to-Site VPN profile.

  • Click  -> Remove or select the respective profile and click the Remove button to delete a profile.
  • Click  -> and choose either Distribute Routes to all nodes or Distribute Routes based on VPN Profiles. The default is Distribute Routes based on VPN Profiles.

This section contains the following: