Policy-based VPN

Policy-based VPNs are IPsec connections that encrypt and encapsulate traffic flowing through the listening interface if the traffic matches the specified local and remote subnets and the corresponding firewall rule.

You can control access to resources through the tunnel based on the source and destination addresses, zones, services, applications, and the users you specify in the firewall rule.

You can configure host-to-host and site-to-site policy-based VPNs from VPN > IPsec connections. You can use site-to-site IPsec VPNs as an alternative to route-based VPNs.

XG Firewall establishes a single IPsec interface for these connections. It establishes individual tunnels for each pair of local and remote subnets you specify in the IPsec connection. For example, if you specify one local subnet and two remote subnets, it establishes two tunnels.

You can create site-to-site IPsec VPN connections between two XG Firewall devices or between an XG Firewall device and a third-party firewall.

Note You can't select Any for the local and remote subnets using a policy-based VPN.

Don't create a tunnel using policy-based VPN configuration at one end and a route-based VPN configuration at the other end.

Use cases

Policy-based VPNs require more maintenance than route-based VPNs, particularly when you have many VPN connections. When your network expands, you need to change the network parameters, such as subnets, in the configuration for IPsec connections. This causes established connections to disconnect, and you need to plan for the downtime.

You can use policy-based VPNs for the following:
  • Limited number of networks: Use these to connect a small number of networks with limited growth. If you need to establish a large number of VPN connections, we recommend using route-based VPNs.
  • Limited resources: Use these tunnels when you want to conserve network resources because the firewall creates a tunnel for each pair of local and remote subnets. So, these tunnels require more resources.

How to configure a policy-based VPN

To set up a site-to-site policy-based VPN, do as follows:

  1. On the local XG Firewall device, go to VPN > IPsec connections and configure an IPsec connection with connection type Site-to-site.
  2. For overlapping subnets at the local and remote networks, specify the NAT setting.
  3. Add a firewall rule manually or use the Create firewall rule option to create it automatically.
  4. Repeat these steps for the peer XG Firewall.