The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025.

Create a site-to-site SSL VPN

You can establish site-to-site VPN tunnels using an SSL/TLS connection to connect branch offices to the head office.

Requirements

Before getting started, select a firewall to be the server. It's good practice to select the more powerful unit if there's a difference in models. If you have a firewall with a dynamic IP address and another with a static IP address, use the one with the static IP address.

Define LANs

You create hosts for the head office and branch office networks.

Do the following on the head office firewall:

  1. Go to Hosts and services > IP host and click Add.
  2. Create a host for the head office LAN.

  3. Click Save.

  4. Click Add.
  5. Create a host for the branch LAN.

  6. Click Save.

Add an SSL VPN site-to-site server connection

You create a connection and download the file that will be used to configure the client system.

Do the following on the head office firewall:

  1. Go to Site-to-site VPN > SSL VPN.
  2. In the Server section, click Add.
  3. Specify a name for the tunnel and the networks to be accessed through the tunnel.

  4. Click Save. The connection is created and it appears in the server list.

  5. Click Download and save the file that will be used to configure the client system.

    You can supply a password to encrypt the file, if required. The file format is .apc.

Note

If you change the port, protocol, certificate, or override hostname settings in the server firewall on Remote access VPN > SSL VPN > SSL VPN global settings, download the server configuration file again and upload it to the client firewall.

Add SSL VPN site-to-site client connection

You use the file that was created on the server to create and configure the client connection.

Do the following on the client firewall:

  1. Go to Site-to-site VPN > SSL VPN.
  2. In the Client section, click Add.
  3. Specify the settings.

    Name             Setting
    Connection name  HQ_to_branch_client

  4. Click Choose file and select the file that you downloaded from the SSL VPN server.

  5. Click Save.

    The new connection appears in the client list. The tunnel is operational when the status indicator shows green.
