Route-based VPN
You can now create IPsec VPN connections that use tunnel interfaces as endpoints, making static and dynamic routing possible.
Policy-based VPN doesn't use the routing table. It uses a policy, a set of local and remote network selectors, to decide whether IP traffic is sent through a VPN tunnel, and that policy takes precedence over the routing table. In a changing network environment you have to keep checking the existing policies and updating the VPN connections whenever a network behind either side is added or changed.
With a route-based VPN, the routing table decides whether specific traffic is sent into the VPN tunnel or not. To use the routing table, you assign a virtual tunnel interface (VTI) to each endpoint device, in this case your XG Firewall devices. This makes setting up a tunnel similar to connecting two interfaces. You can use tunnel interfaces like any other virtual network interface in your configuration, so you can point static, dynamic, and SD-WAN policy routes at them.
Each virtual tunnel interface belongs to a single tunnel and a single peer XG Firewall, together with that peer's encryption domain. The peer XG Firewall must also use a tunnel interface. All traffic destined for the peer's encryption domain is routed through the associated tunnel interface.
To set up a route-based VPN, do as follows:
- Add an IPsec connection for your XG Firewall with connection type Tunnel interface, using the WAN interface as the listening interface.
- Assign an IP address to the tunnel interface that XG Firewall creates automatically (its name starts with xfrm).
- Add the firewall rules, and NAT rules if needed, for traffic passing through the tunnel interface.
- Create a static, dynamic, or SD-WAN route that sends traffic for the peer's encryption domain through the virtual tunnel interface.
- Repeat the first four steps for the peer XG Firewall.
Route-based and policy-based VPN tunnels don't work together in most cases, because a policy-based tunnel's policy takes precedence over the routes that point into a tunnel interface, so don't mix them on the same firewall.
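The forwarding decision behind the two models, as an added illustration that is not Sophos code and does not configure an XG Firewall: it models policy selectors against a routing-table lookup through a tunnel interface on constructed addresses, so you can check what happens when the peer adds a subnet (the changing-network case described above) and why a policy-based tunnel on the same firewall captures traffic meant for a route-based one. The interface names Port2, xfrm1 and xfrm2, and all addresses, are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for the illustration (not from the page): a LAN behind
# this firewall, the peer's encryption domain reached through the tunnel, and a
# subnet the peer adds later. Interface names are assumptions, not XG defaults.
LOCAL_LAN = ip_network("192.168.1.0/24")
PEER_DOMAIN = ip_network("10.20.0.0/16")
PEER_NEW_SUBNET = ip_network("10.30.0.0/24")
WAN_IFACE = "Port2"       # assumed WAN interface name
TUNNEL_IFACE = "xfrm1"    # assumed name of the auto-created tunnel interface
POLICY_TUNNEL = "ipsec"   # marker for "matched a policy-based tunnel selector"


def longest_prefix_match(routes, dst):
    """Routing-table lookup: the most specific prefix containing dst wins.
    routes is a list of (network, egress interface) tuples."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def policy_based_egress(policies, routes, src, dst):
    """Policy-based VPN: the (local network, remote network) selectors are
    checked first and take precedence over the routing table; only a packet
    that matches no selector falls through to the normal route lookup."""
    src, dst = ip_address(src), ip_address(dst)
    for local_net, remote_net in policies:
        if src in local_net and dst in remote_net:
            return POLICY_TUNNEL
    return longest_prefix_match(routes, str(dst))


def route_based_egress(routes, dst):
    """Route-based VPN: the routing table alone decides; a packet routed via
    a tunnel interface is encrypted, anything else is not."""
    return longest_prefix_match(routes, dst)


def leaves_in_clear(egress):
    """True when a packet meant for the peer is forwarded out the WAN interface
    instead of into a tunnel, i.e. it would be sent unencrypted."""
    return egress not in (POLICY_TUNNEL, TUNNEL_IFACE)


def default_routes():
    """Routing table at the start: default route out the WAN, peer domain via the tunnel."""
    return [(ip_network("0.0.0.0/0"), WAN_IFACE), (PEER_DOMAIN, TUNNEL_IFACE)]


def compare_after_peer_adds_subnet():
    """Replay the changing-network case: the peer brings up PEER_NEW_SUBNET.
    Returns (policy_based_leaks, route_based_leaks_before_route,
    route_based_leaks_after_route)."""
    routes = default_routes()
    policies = [(LOCAL_LAN, PEER_DOMAIN)]      # the policy-based tunnel's selectors
    src = str(LOCAL_LAN[10])
    dst = str(PEER_NEW_SUBNET[10])

    # Policy-based: no selector covers the new subnet, so the VPN policy itself
    # has to be edited before this traffic is protected.
    pb_leaks = leaves_in_clear(policy_based_egress(policies, routes, src, dst))

    # Route-based: without a route the default route wins and the traffic also
    # leaves in the clear ...
    rb_before = leaves_in_clear(route_based_egress(routes, dst))
    # ... but one extra route via the tunnel interface fixes it without touching
    # the IPsec connection.
    routes.append((PEER_NEW_SUBNET, TUNNEL_IFACE))
    rb_after = leaves_in_clear(route_based_egress(routes, dst))
    return pb_leaks, rb_before, rb_after


def mixed_tunnels_conflict():
    """Why mixing is a problem: a policy-based tunnel whose selector covers
    10.20.0.0/16 wins over a more specific route that points 10.20.5.0/24 into
    a second, route-based tunnel interface (xfrm2, assumed). Returns
    (egress with the policy present, egress the routing table alone would pick)."""
    routes = [(ip_network("0.0.0.0/0"), WAN_IFACE), (ip_network("10.20.5.0/24"), "xfrm2")]
    policies = [(LOCAL_LAN, PEER_DOMAIN)]
    src, dst = str(LOCAL_LAN[10]), "10.20.5.7"
    return policy_based_egress(policies, routes, src, dst), route_based_egress(routes, dst)


if __name__ == "__main__":
    print("policy-based leaks, route-based before, route-based after:",
          compare_after_peer_adds_subnet())
    print("mixed tunnels (policy wins, routing table alone):", mixed_tunnels_conflict())
```

The point of `leaves_in_clear` is the check worth automating on any real deployment: for every prefix you expect to be encrypted, confirm the egress is the tunnel interface and not the WAN interface, since neither model drops unmatched traffic by default.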