Create a route-based VPN
You want to create and deploy a route-based VPN (RBVPN) between your head office (HO) and branch office (BO), with traffic allowed both ways.
Introduction
In this scenario, the branch office initiates the connection. You use IPv4, the IPsec profile is IKEv2, and you use RSA keys for authentication. You add a static route.
You need to do as follows:
- Configure the head office RBVPN. You need to define LANs, create an RBVPN tunnel, edit the xfrm interface, create firewall rules for inbound and outbound traffic, and create a static route.
- Configure the branch office RBVPN. You need to define LANs, create an RBVPN tunnel, edit the xfrm interface, create firewall rules for inbound and outbound traffic, and create a static route.
You can also check connectivity.
Route-Based VPN network diagram

Head and branch office configuration
- Because the number of branch offices varies, we recommend that each branch office retry its own connection rather than having the head office retry all connections to branch offices.
- When the branch office device is configured with a dynamic IP address, the head office device cannot initiate the connection. However, if you configure dynamic DNS (DDNS) on the head office XG Firewall, the head office device can initiate the connection. For more information, see Add a Dynamic DNS provider.
Define LANs at the head office
Create hosts for the head office and branch office networks.
Create a route-based VPN tunnel (HO)
Go to IPsec policies and make sure Dead peer detection is enabled. We recommend that you select one of the following actions for when the peer (branch office) is unreachable:
- Hold
- Disconnect
Edit the xfrm interface (HO)
The xfrm interface is a virtual tunnel interface that XG Firewall creates on the WAN interface when you set up a route-based VPN connection.
Add firewall rules (HO)
Create firewall rules for inbound and outbound VPN traffic.
Add a static route (HO)
Define LANs at the branch office
Create hosts for the branch office and head office networks.
- Click Add.
- Specify local LAN settings:
  - Name: BO_LAN
  - Type: Network
  - IP address: 192.168.3.0
  - Subnet: /24 (255.255.255.0)
- Specify remote LAN settings:
  - Name: HO_LAN
  - Type: Network
  - IP address: 192.168.1.0
  - Subnet: /24 (255.255.255.0)
Create a route-based VPN tunnel (BO)
Go to IPsec policies and make sure Dead peer detection is enabled. Select the following action to take when the peer (head office) is unreachable: Re-initiate.
Edit the xfrm interface (BO)
The xfrm interface is a virtual tunnel interface that XG Firewall creates on the WAN interface when you set up a route-based VPN connection.
Add firewall rules (BO)
Create firewall rules for inbound and outbound VPN traffic.
- Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
- Specify the settings:
  - Rule name: Inbound_Allow
  - Source zones: VPN
  - Source networks and devices: HO_LAN
  - Destination zones: LAN
  - Destination networks: BO_LAN
- Select Log firewall traffic.
- Click Save.
- Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
- Specify the settings:
  - Rule name: Outbound_Allow
  - Source zones: LAN
  - Source networks and devices: BO_LAN
  - Destination zones: VPN
  - Destination networks: HO_LAN
- Click Save.
Add a static route (BO)
- Click Add under IPv4 unicast route.
- Enter the following route details:
  - Destination IP/netmask: 192.168.1.0/24
  - Interface: xfrm1-3.3.3.4
- Click Save.
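As an added example (not part of this guide and not Sophos code), the following Python script models the branch office hosts, firewall rules and static route configured above, and reports which rule each direction of traffic matches. The interface-to-zone mapping, the reverse-path lookup of the ingress interface, longest-prefix routing and first-match rule evaluation with a default drop are assumptions about the firewall's behaviour, not documented XG Firewall internals.

```python
"""Model of the branch office (BO) route-based VPN configuration from this guide.
Added example: zone mapping, routing and rule matching are simplified assumptions."""
from ipaddress import ip_address, ip_network

# Host objects defined at the branch office (values from the guide).
HOSTS = {"BO_LAN": ip_network("192.168.3.0/24"),
         "HO_LAN": ip_network("192.168.1.0/24")}

# Static route at the branch office: the head office LAN via the xfrm tunnel interface.
STATIC_ROUTES = [(ip_network("192.168.1.0/24"), "xfrm1-3.3.3.4")]

# Assumed: the local LAN sits on Port1, and the xfrm interface belongs to the VPN zone.
CONNECTED = [(ip_network("192.168.3.0/24"), "Port1")]
IFACE_ZONE = {"xfrm1-3.3.3.4": "VPN", "Port1": "LAN"}

# Firewall rules from the guide, in evaluation order; anything unmatched is dropped.
RULES = [
    {"name": "Inbound_Allow", "src_zone": "VPN", "src": "HO_LAN",
     "dst_zone": "LAN", "dst": "BO_LAN"},
    {"name": "Outbound_Allow", "src_zone": "LAN", "src": "BO_LAN",
     "dst_zone": "VPN", "dst": "HO_LAN"},
]


def egress_interface(addr):
    """Longest-prefix match over connected networks and static routes; None if no route."""
    candidates = [(net.prefixlen, iface)
                  for net, iface in CONNECTED + STATIC_ROUTES if addr in net]
    return max(candidates)[1] if candidates else None


def evaluate(src, dst):
    """Return the name of the first matching rule, or None if the packet would be dropped."""
    src, dst = ip_address(src), ip_address(dst)
    # Assumed: the ingress interface is the one that routes back towards the source.
    in_iface, out_iface = egress_interface(src), egress_interface(dst)
    if in_iface is None or out_iface is None:
        return None  # no route for one side: the packet cannot be forwarded
    for rule in RULES:
        if (IFACE_ZONE[in_iface] == rule["src_zone"] and src in HOSTS[rule["src"]]
                and IFACE_ZONE[out_iface] == rule["dst_zone"] and dst in HOSTS[rule["dst"]]):
            return rule["name"]
    return None


if __name__ == "__main__":
    for flow in [("192.168.3.10", "192.168.1.20"), ("192.168.1.20", "192.168.3.10"),
                 ("192.168.3.10", "10.0.0.5")]:
        print(flow, "->", evaluate(*flow))
```

The third flow has no route and no matching rule, which is the behaviour you want: only HO_LAN is reachable through the tunnel, and only between the two defined networks.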
Check connectivity
- For the VPN zone, select Ping/Ping6.
- Make sure Log firewall traffic is enabled on the firewall rules you created.
From the head office, do as follows:
To troubleshoot further, select the firewall rule ID and select Filter firewall rule. This opens the firewall rule in the web admin console, where you can check your settings.