Policy-based VPN

You can use a policy-based VPN as an alternative to a route-based VPN.

Policy-based routing provides flexible traffic handling capabilities. It doesn't use the routing table. Instead, it allows routing based on source addresses, services, and applications as defined in VPN and firewall policies. It offers granular control for forwarding packets based on a number of user-defined variables, such as destination, source, application, user, service, or any combination of these variables.

If you use policies, you need to do more maintenance than if you use routes, especially if you have a large number of VPN connections. You need to reconfigure the local and remote sites if there are any changes. If you have a large number of VPN connections, you may want to use routes.

To set up a policy-based VPN, do as follows:

  1. Create IP host network definitions for both your local and remote subnets.
  2. Add an IPsec connection for your XG Firewall with connection type Remote access, Site-to-site or Host-to-host.
  3. Select the WAN interface as the listening port and add the network host definitions you created earlier for the respective local and remote networks.
  4. Add a firewall rule manually or use the Create firewall rule option to do this automatically.
  5. Repeat the first two steps for the peer XG Firewall.

Don't mix policy-based with route-based VPN tunnels as they don't work together.
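As an added illustration of the difference described above between policy-based selection and a routing-table lookup, the following Python is an example written for this page and is not Sophos documentation or XG Firewall code. It models how a policy-based selector chooses a tunnel by source, destination and service (first matching policy wins, an assumption about ordering), how a route-based lookup considers only the destination via longest-prefix match, and how a policy whose remote subnet overlaps a route-based tunnel's route can be flagged before the two schemes are mixed. All subnets, policy names and interface labels are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class VpnPolicy:
    """One policy-based IPsec selector: local subnet, remote subnet and a service."""
    name: str
    local_net: IPv4Network
    remote_net: IPv4Network
    service: Tuple             # ("any",) or (proto, dport)

    def matches(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src not in self.local_net or dst not in self.remote_net:
            return False
        if self.service == ("any",):
            return True
        proto, port = self.service
        return pkt.proto == proto and pkt.dport == port


def select_policy(policies: List[VpnPolicy], pkt: Packet) -> Optional[str]:
    """Policy-based: evaluate selectors top-down on src/dst/service; first match wins.
    The routing table is never consulted (assumed first-match semantics)."""
    for policy in policies:
        if policy.matches(pkt):
            return policy.name
    return None


def route_lookup(routes: List[Tuple[IPv4Network, str]], dst: str) -> Optional[str]:
    """Route-based: longest-prefix match on the destination address only."""
    addr = ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def find_conflicts(policies: List[VpnPolicy],
                   tunnel_routes: List[Tuple[IPv4Network, str]]) -> List[Tuple[str, str]]:
    """Flag policies whose remote subnet overlaps a route-based tunnel route: such
    traffic would be claimed by both mechanisms, which is why they must not be mixed."""
    conflicts = []
    for policy in policies:
        for net, _iface in tunnel_routes:
            if policy.remote_net.overlaps(net):
                conflicts.append((policy.name, str(net)))
    return conflicts


# Constructed sample configuration (not real addresses or XG object names).
POLICIES = [
    VpnPolicy("hq-to-partner", ip_network("10.1.10.0/24"),
              ip_network("192.168.50.0/24"), ("tcp", 443)),
    VpnPolicy("hq-to-branch", ip_network("10.1.0.0/16"),
              ip_network("10.2.0.0/16"), ("any",)),
]
ROUTES = [
    (ip_network("0.0.0.0/0"), "wan"),       # default route, constructed label
    (ip_network("10.3.0.0/16"), "tunnel-a"),  # route-based tunnel, constructed label
]

if __name__ == "__main__":
    print(select_policy(POLICIES, Packet("10.1.10.5", "192.168.50.9", "tcp", 443)))
    print(select_policy(POLICIES, Packet("10.1.10.5", "192.168.50.9", "tcp", 22)))
    print(route_lookup(ROUTES, "10.3.4.4"), route_lookup(ROUTES, "8.8.8.8"))
    print(find_conflicts(POLICIES, [(ip_network("10.2.0.0/24"), "tunnel-b")]))
```

Note that the policy selector rejects the second packet even though its destination is reachable, because the service does not match the selector; a route-based lookup would have forwarded it purely on destination. That asymmetry is the practical reason the page warns against mixing the two tunnel types.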