Route-based VPN

You can use a route-based VPN as an alternative to a policy-based VPN. Route-based VPN uses virtual tunnel interfaces as VPN endpoints.

Policy-based VPN doesn’t use the routing table. It uses a policy to decide whether IP traffic is sent through a VPN tunnel. Routing policies take precedence over the routing table. Within a changing network environment, you have to constantly check existing policies and update the VPN connections.

With a route-based VPN, the routing table defines whether to send specific traffic into the VPN tunnel or not. To use the routing table, you assign a virtual tunnel interface (VTI) to each endpoint device, in this case, your XG Firewall devices. This makes setting up a tunnel similar to connecting two interfaces. You can use tunnel interfaces like any other virtual network interface in configurations. This allows you to set up static and policy-based routes.

Each virtual tunnel interface is associated with a single tunnel and a single XG Firewall device with its encryption domain. The peer XG Firewall must also use a tunnel interface. All traffic destined to the encryption domain of the peer device is routed through the associated tunnel interface.

To set up a route-based VPN, do as follows:

  1. Add an IPsec connection for your XG Firewall with connection type Tunnel interface, using the WAN interface as the listening port.
  2. Assign an IP address to the automatically created tunnel interface, called xfrm.
  3. Add required firewall or NAT rules.
  4. Create a static, dynamic, or SD-WAN route using the virtual tunnel interface.
  5. Repeat the first four steps for the peer XG Firewall.
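To make the difference described above concrete, here is a small Python model (an added example, not part of this documentation) of the forwarding decision a route-based VPN makes: a longest-prefix lookup against the routing table, where the chosen outgoing interface decides whether a packet enters the tunnel. The interface names Port2 (WAN) and xfrm1 (tunnel) and all addresses are constructed for illustration.

```python
"""Model of how a route-based VPN selects the tunnel interface.

Added example, not Sophos code. Interface names (Port2 as WAN,
xfrm1 as the tunnel interface) and all prefixes are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                 # outgoing interface, e.g. "xfrm1" or "Port2"
    gateway: Optional[str] = None  # None for directly connected / tunnel routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins.

    A route whose interface is a tunnel interface (xfrm*) sends the packet
    into the IPsec tunnel; any other route sends it out unencrypted.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def is_encrypted(routes: List[Route], dst: str) -> bool:
    """True when the selected route points into a virtual tunnel interface."""
    route = lookup(routes, dst)
    return route is not None and route.interface.startswith("xfrm")


# Constructed routing table for the local firewall: a default route via the
# WAN interface plus a static route to the peer's encryption domain via the
# tunnel interface (the route added in step 4 of the procedure above).
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Port2", "203.0.113.1"),
    Route(ipaddress.ip_network("10.2.0.0/24"), "xfrm1"),
]

if __name__ == "__main__":
    # 10.3.0.7 is a subnet behind the peer that has no route yet: it falls
    # through to the default route and would leave the WAN interface in clear.
    for dst in ("10.2.0.25", "10.3.0.7", "198.51.100.9"):
        route = lookup(ROUTES, dst)
        state = "encrypted" if is_encrypted(ROUTES, dst) else "clear"
        print(f"{dst} -> {route.interface} ({state})")
```

The third destination shows the check worth doing after step 4: any peer subnet without a route via the tunnel interface is forwarded by the default route instead of the tunnel.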

Route-based VPN tunnels don’t work together with policy-based VPN tunnels in most cases, so you shouldn’t mix them.