A VPN rule can take its source and destination networks from a Firewall rule.
By enabling the option “This rule is used to create VPN rules” on a Firewall rule, you specify that a VPN rule is to be derived from that Firewall rule.
If more than one local network is in use (see ARF), the automatic derivation of VPN rules has to be configured individually for every network. Networks are assigned to automatically generated VPN rules by means of the interface tag that is given for every network. This tag links a local network to a VPN route: every packet received on a local interface is marked with that interface's tag and is forwarded along a route that carries the same tag or the default tag (0).
For automatic VPN rule generation, all networks are taken up that
- have the tag '0', or
- fulfil both of the following conditions:
  - the network has the same interface tag as the IP routing table entry for the VPN connection (not to be confused with the routing tag for the remote gateway), and
  - the network is of the type 'Intranet'.
Note: VPN rules for a DMZ have to be created manually, as do rules for networks whose interface tag does not match the routing tag of the VPN route.
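As an added illustration (not code from the original documentation), the following Python models the two tag rules stated above: which route a packet marked with an interface tag may take, and which networks automatic VPN rule generation takes up for a VPN route with a given routing tag. The network names, tags and types are constructed sample values.

```python
# Added example: models the interface-tag rules described above.
# Network names, tags and the VPN route tag are constructed sample values.
from dataclasses import dataclass

DEFAULT_TAG = 0  # the default tag: matches every interface tag


@dataclass(frozen=True)
class LocalNetwork:
    name: str
    interface_tag: int
    net_type: str  # "Intranet" or "DMZ"


@dataclass(frozen=True)
class Route:
    name: str
    routing_tag: int


def route_usable_for_packet(interface_tag: int, route: Route) -> bool:
    """A packet marked with its ingress interface tag is forwarded along a
    route with the same tag or with the default tag (0)."""
    return route.routing_tag in (interface_tag, DEFAULT_TAG)


def networks_for_auto_vpn(networks, vpn_route_tag: int):
    """Names of networks that automatic VPN rule generation takes up for a
    VPN route whose IP routing table entry carries vpn_route_tag:
    tag 0, or (matching interface tag AND type 'Intranet')."""
    selected = []
    for net in networks:
        if net.interface_tag == DEFAULT_TAG:
            selected.append(net.name)
        elif net.interface_tag == vpn_route_tag and net.net_type == "Intranet":
            selected.append(net.name)
    return selected


def networks_needing_manual_rules(networks, vpn_route_tag: int):
    """Networks left out by the automatic generation (DMZ or non-matching
    tag) for which VPN rules must be created by hand."""
    auto = set(networks_for_auto_vpn(networks, vpn_route_tag))
    return [net.name for net in networks if net.name not in auto]


# Constructed sample networks: one untagged intranet, two tagged intranets
# and a tagged DMZ.
SAMPLE_NETWORKS = [
    LocalNetwork("INTRANET", 0, "Intranet"),
    LocalNetwork("BRANCH-A", 1, "Intranet"),
    LocalNetwork("BRANCH-B", 2, "Intranet"),
    LocalNetwork("DMZ-A", 1, "DMZ"),
]
```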