Create a route-based VPN

You want to create and deploy a route-based VPN (RBVPN) between your head office (HO) and branch office (BO), with traffic allowed both ways.

Introduction

In this scenario, the branch office initiates the connection. You use IPv4, the IPsec profile is IKEv2, and you use RSA keys for authentication. You add a static route.

Note The network addresses used here are examples only. Use your network addresses when creating your route-based VPN.

You need to do as follows:

  • Configure the head office RBVPN. You need to define LANs, create an RBVPN tunnel, edit the xfrm interface, create firewall rules for inbound and outbound traffic, and create a static route.
  • Configure the branch office RBVPN. You need to define LANs, create an RBVPN tunnel, edit the xfrm interface, create firewall rules for inbound and outbound traffic, and create a static route.

You can also check connectivity.

Route-Based VPN network diagram


Route-Based VPN network diagram

Head and branch office configuration

When you have a head and branch office configuration, the firewall in the branch office usually acts as the tunnel initiator. The firewall in the head office acts as a responder. This is because of the following reasons:
  • As the branch offices number vary, we recommend that each branch office retry the connection instead of the head office retrying all connections to branch offices.
  • When the branch office device is configured with a dynamic IP address, the head office device cannot initiate the connection.

    However, if you configure dynamic DNS (DDNS) on the head office XG Firewall the head office device can initiate the connection. For more information, see Add a Dynamic DNS provider.

Define LANs at the head office

Create hosts for the head office and branch office networks.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify local LAN settings.
    OptionDescription

    Name

    HO_LAN

    IP version

    IPv4

    Type

    Network

    IP address

    192.168.1.0

    Subnet

    /24 (255.255.255.0)

    Example:

    Create a LAN IP host
  3. Click Save.
  4. Click Add.
  5. Specify remote LAN settings.
    OptionDescription

    Name

    BO_LAN

    IP version

    IPv4

    Type

    Network

    IP address

    192.168.3.0

    Subnet

    /24 (255.255.255.0)
  6. Click Save.

Create a route-based VPN tunnel (HO)

To create a route-based VPN tunnel, do as follows:
  1. Go to VPN > IPsec connections and click Add.
  2. Enter a name.
  3. Specify the general settings:
    Note You can't create a firewall rule here for route-based VPN.
    OptionDescription

    IP version

    The tunnel only passes through data that uses the specified IP version.

    Select IPv4.

    Connection type

    Select Tunnel interface. This creates a tunnel interface between two endpoints. The interface is named xfrm followed by a number.

    Gateway type

    Select the following gateway type:

    Respond only: Keeps the connection ready to respond to any incoming request.

    Activate on save

    Select this option. It activates the VPN connection when you click Save.
  4. Specify the encryption settings.
    OptionDescription

    Policy

    IPsec policy to use for the traffic.

    Select IKEv2.

    Authentication type

    Select the following authentication type:

    RSA key: Authenticates endpoints using RSA keys.

    The local RSA key is generated automatically. You need to copy and paste the RSA key from the branch office XG Firewall.
  5. Specify the local gateway settings.
    OptionDescription

    Listening interface

    Interface that listens for connection requests.

    Select the WAN interface (Port2-172.20.120.10).
  6. Specify the remote gateway settings.
    OptionDescription

    Gateway address

    Enter the WAN IP address of the Branch office XG Firewall (172.20.120.15).
    Note You must enter a gateway address, as the wildcard * is not supported for route-based VPN. In this scenario you use the WAN IP of the branch office XG Firewall. If you configure DDNS, you can use the DNS address of the branch office XG Firewall .

    Example:

    Route-based VPN settings
  7. Click Save.

Go to IPsec policies and make sure Dead peer detection is enabled. We recommend that you select one of the following actions for when the peer (branch office) is unreachable:

  • Hold
  • Disconnect

Edit the xfrm interface (HO)

The xfrm interface is a virtual tunnel interface that XG Firewall creates on the WAN interface when you set up a route-based VPN connection.

  1. Go to Network > Interfaces.
  2. Specify an IP address and subnet.

    3.3.3.3/24

    Example:

    Assign an IP address and subnet mask to the XFRM interface
  3. Click Save.

Add firewall rules (HO)

Create firewall rules for inbound and outbound VPN traffic.

  1. Go to Rules and policies > Firewall rules. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  2. Specify the settings.
    OptionDescription
    Rule name Inbound_Allow
    Source zones VPN
    Source networks and devices BO_LAN
    Destination zones LAN
    Destination networks HO_LAN

    Example:

    Firewall rule for inbound and outbound traffic
  3. Select Log firewall traffic.
  4. Click Save.
  5. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  6. Specify the settings.
    OptionDescription
    Rule name

    Outbound_Allow
    Source zones

    LAN
    Source networks and devices

    HO_LAN
    Destination zones

    VPN
    Destination networks

    BO_LAN
  7. Select Log firewall traffic.
  8. Click Save.

Add a static route (HO)

  1. Go to Routing > Static routing and click Add under IPv4 unicast route.
  2. Enter the following route details:
    OptionDescription

    Destination IP/netmask

    192.168.3.0/24

    Interface

    xfrm1-3.3.3.3

    Example:

    Static route settings
  3. Click Save.

Define LANs at the branch office

Create hosts for the branch office and head office networks.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify local LAN settings.
    OptionDescription

    Name

    BO_LAN

    Type

    Network

    IP address

    192.168.3.0

    Subnet

    /24 (255.255.255.0)
  3. Specify remote LAN settings.
    OptionDescription

    Name

    HO_LAN

    Type

    Network

    IP address

    192.168.1.0

    Subnet

    /24 (255.255.255.0)

Create a route-based VPN tunnel (BO)

To create a route-based VPN tunnel, do as follows:
  1. Go to VPN > IPsec connections and click Add.
  2. Enter a name.
  3. Specify the general settings:
    OptionDescription
    IP version

    The tunnel only passes through data that uses the specified IP version.

    Select IPv4.
    Connection type

    Select Tunnel interface. This creates a tunnel interface between two endpoints. The interface is named xfrm followed by a number.
    Gateway type

    Select the following gateway type:

    Initiate the connection: Establishes the connection every time VPN services or the device restart.
    Activate on save Select this option. It activates the VPN connection when you click Save.
  4. Specify the encryption settings.
    OptionDescription
    Policy IPsec policy to use for the traffic.

    Select IKEv2.
    Authentication type

    Select the following authentication type:

    RSA key: Authenticates endpoints using RSA keys.

    The local RSA key is generated automatically. You need to copy and paste the RSA key from the head office XG Firewall.
  5. Specify the local gateway settings.
    OptionDescription
    Listening interface Interface that listens for connection requests.

    Select the WAN interface (Port2-172.20.120.15).
  6. Specify the remote gateway settings.
    OptionDescription
    Gateway address Enter the WAN IP address of the head office XG Firewall (172.20.120.10).
    Note You must enter a gateway address, as the wildcard * is not supported for route-based VPN. In this scenario you use the WAN IP of the head office XG Firewall.
  7. Click Save.

Go to IPsec policies and make sure Dead peer detection is enabled. Select the following action to take when the peer (head office) is unreachable: Re-initiate.

Edit the xfrm interface (BO)

The xfrm interface is a virtual tunnel interface that XG Firewall creates on the WAN interface when you set up a route-based VPN connection.

  1. Go to Network > Interfaces.
  2. Specify an IP address and subnet.

    3.3.3.4/24

  3. Click Save.

Add firewall rules (BO)

Create firewall rules for inbound and outbound VPN traffic.

  1. Go to Rules and policies > Firewall rules. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  2. Specify the settings.
    OptionDescription

    Rule name

    Inbound_Allow

    Source zones

    VPN

    Source networks and devices

    HO_LAN

    Destination zones

    LAN
    Destination networks

    BO_LAN
  3. Select Log firewall traffic.
  4. Click Save.
  5. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  6. Specify the settings.
    OptionDescription

    Rule name

    Outbound_Allow

    Source zones

    LAN

    Source networks and devices

    BO_LAN

    Destination zones

    VPN
    Destination networks

    HO_LAN
  7. Click Save.

Add a static route (BO)

  1. Go to Routing > Static routing and click Add under IPv4 unicast route.
  2. Enter the following route details:
    OptionDescription

    Destination IP/netmask

    192.168.1.0/24

    Interface

    xfrm1-3.3.3.4
  3. Click Save.

Check connectivity

  • Go to Administration > Device access. For the VPN zone, select Ping/Ping6.
  • Go to Rules and policies > Firewall rules. Make sure Log firewall traffic is enabled on the firewall rules you created.

From the head office, do as follows:

  1. Continuously ping a device on the branch office LAN.
    On Windows, start a command prompt and type: ping 192.168.3.10 -t
  2. On XG Firewall go to Diagnostics > Packet capture > Configure.
    In BPF string type the following: host 192.168.1.10 and proto ICMP
  3. Click Save.
  4. Turn on Packet capture.
    If the ping is successful, you can see the ICMP traffic going out of the xfrm interface.
  5. Go to Log viewer.
    Search for 192.168.1.10
    If the ping is successful, you can see the ICMP traffic going out of the xfrm interface to the destination IP address, 192.160.1.10.

To troubleshoot further, select the firewall rule ID and select Filter firewall rule. This opens the firewall rule in the web admin console, where you can check your settings.