There's every chance that you'll find something in the knowledge base if you take a look. But I personally don't consider site-to-site VPNs to be that complicated.
Step 1 - Create an ISAKMP rule.
The appliance uses a process called isakmp to perform the preliminary negotiation of a tunnel with a 3rd-party peer. In order for it to do this, a rule must be created so that the isakmp process wakes up. It doesn't have to be a complicated rule, something like this will work just fine:-
If you want to be more specific (like only have it listening on a designated external IP address on the Firewall) you can create an appropriate address object and use it as the destination endpoint value.
Step 2 - Go to Network --> VPN Configuration --> VPN Definitions and define your VPN tunnel.
Here is an example of a simple entry.
- The local private network is 192.168.1.0/24.
- The remote network is 10.10.10.0/24.
- The public IP address of the remote firewall is 220.127.116.11
- The pre-shared key is "password"
- The tunnel is going to use AES256/MD5
The last screen I generally stick with the defaults and then check with the remote party to see how their side of the tunnel is being configured. Here you can see where the phase 1 and phase 2 rekey intervals are specified (with other vendors I have noticed these values are often much, much , larger than the McAfee defaults) and can implement perfect forward secrecy (PFS) if necessary.
The other important element is on the General tab, and that is the "Zone" assignment. In this example the zone has been set to "internal". This means that the tunnel will be completely transparent to both parties any address in the 192.168.1.x network will be able to access and 10.10.10.x address for any protocol. You would only do this if you have complete faith in the other end of the link (maybe if it is another office belonging to your organisation). Otherwise you should pick a different zone and use this value instead.
For VPNs it is possible to use a virtual zone (a zone definintion which is not associated with a physical interface). This will act as the termination point for the VPN and then you can apply access rules between this zone and your internal/LAN zone to determine which protocols are allow and which hosts are allowed to use the VPN.
Sometimes I'd suggest terminating the VPN on the internal zone to prove that the tunnel is working and then changing it to a virtual zone with access rules to lock it down to your satisfaction.
Troubleshooting-wise, the Audit Viewer is your go to tool. There is a "VPN" filter which you can apply which will then only present you with audit specific to the IPSec functionality, or if you are comfortable with the command line the command "showaudit -kv" will stream VPN-specific audit data to you in real time.
Hope that helps.
I posted this in some other VPN thread here (https://community.mcafee.com/message/151301#151301)
You can look for just VPN related audits with this audit filter:
$> acat -e "area vpn" | less
You can look for just -this- VPN tunnel with this audit filter:
$> acat -e "vpn_name MY_VPN" | less
You can also run the commands on the past audits (the audits that have 'rolled', or been gzipped, already):
$> acat -e "area vpn" /var/log/audit.raw.[date-range].gz | less
You do not have to unzip the files to use the acat command on them.
Or you can run a 'live' audit and test your traffic and then look at the data right then:
$> acat -ke "area vpn" > liveaudit.txt
Then open the file:
$> less liveaudit.txt
(use 'q' to quit out of less when you're done)
Also, here are some KB articles about VPNs on the firewall:
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to Set up a VPN Using the GreenBow VPN Client (KB64323)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to get notified when a VPN becomes active or idle (KB65689)
Creating a VPN between Firewall Enterprise/Sidewinder 7.x and a UTM Firewall/SnapGear with a static IP address (KB63319)
Creating a VPN between UTM Firewall/Sidewinder 7.x and a UTM Firewall/SnapGear with a dynamic IP address (KB63322)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to Create a VPN Between a SoftRemote Client and the firewall (KB64219)
Creating a VPN between Firewall Enterprise with a dynamic IP address, and a UTM Firewall/SnapGear with a static IP address (KB65730)
Firewall Enterprise/Sidewinder/Secure Firewall: VPNs with rules using NAT and redirection (KB68501)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to create a VPN between two Firewall Enterprise firewalls when the Remote Networks have a Different Address Space (KB64218)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to create a VPN between two Firewall Enterprise firewalls when the Remote Networks share the same address space (KB64313)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: Configuration for Shrew Soft VPN to Sidewinder 7.0.1 using a client Certificate and password extended authentication (KB67215)