
Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview


A VPN requires a physical or virtual interface on the security device, and each security device supports a specific number of physical and virtual interfaces. To support multiple VPNs on a device, you might want to create tunnel interfaces and tunnel zones to increase the number of available interfaces on the device.


VPN Manager automatically creates the necessary tunnel interfaces for route-based VPNs. For device-level VPNs, you can create the tunnel interfaces before or after creating the VPN.

If you do not need to perform network address translation (NAT), use unnumbered interfaces.

  • Tunnel Interfaces—A tunnel interface handles VPN traffic between the VPN tunnel and the protected resources. You can create numbered tunnel interfaces, which use unique IP addresses and netmasks, or unnumbered tunnel interfaces, which do not have their own IP address and netmask (an unnumbered tunnel interface borrows the IP address of the default interface of the security zone).

  • Tunnel Zones—A tunnel zone is a logical construct that includes one or more numbered tunnel interfaces. You must bind the VPN tunnel to the tunnel zone (not to the numbered tunnel interfaces); the VPN tunnel uses the default interface for the tunnel zone. In a policy-based VPN, you can link:

    • A single VPN tunnel to multiple tunnel interfaces

    • Multiple VPN tunnels to a single tunnel interface

For details on tunnel interfaces and tunnel zones, see Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview.