Route-based VPN

You can now create IPsec VPN connections that use tunnel interfaces as endpoints, making static and dynamic routing possible.

Policy-based VPN doesn’t use the routing table. It uses a policy to decide whether IP traffic is sent through a VPN tunnel. Routing policies take precedence over the routing table. Within a changing network environment, you have to constantly check existing policies and update the VPN connections.

With a route-based VPN, the routing table defines whether to send specific traffic into the VPN tunnel or not. To use the routing table, you assign a virtual tunnel interface (VTI) to each endpoint device, in this case, your XG Firewall devices. This makes setting up a tunnel similar to connecting two interfaces. You can use tunnel interfaces like any other virtual network interface in configurations. This allows you to set up static and policy-based routes.

Each virtual tunnel interface is associated with a single tunnel and a single XG Firewall device with its encryption domain. The peer XG Firewall must also use a tunnel interface. All traffic destined to the encryption domain of the peer device is routed through the associated tunnel interface.
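The routing decision described above, written out as an added Python model (this is illustration code, not Sophos code or the XG Firewall's actual routing implementation). It shows a firewall whose routing table reaches the peer's encryption domain through a virtual tunnel interface named xfrm1, so the tunnel is chosen by an ordinary longest-prefix match rather than by a VPN policy. It also shows why policy routes need checking: because they are consulted before the routing table, a broad policy route silently pulls traffic away from the tunnel. All interface names (Port1, Port2, Port3, xfrm1), prefixes and policy routes are constructed assumptions.

```python
import ipaddress

# Constructed example of the routing decision on a route-based VPN gateway.
# Interface names, networks and policy routes are assumptions for illustration,
# not configuration taken from Sophos documentation.

# Routing table of the first firewall: (destination prefix, outgoing interface).
# The peer's encryption domain (192.168.20.0/24) is reached via the tunnel
# interface xfrm1, like any other interface route.
ROUTING_TABLE = [
    ("0.0.0.0/0", "Port2"),         # default route out of the WAN port
    ("192.168.10.0/24", "Port1"),   # local LAN
    ("192.168.20.0/24", "xfrm1"),   # peer LAN, via the virtual tunnel interface
]

# Policy routes: (source prefix, destination prefix, outgoing interface).
# They are consulted before the routing table; first match wins.
POLICY_ROUTES = [
    ("192.168.10.50/32", "0.0.0.0/0", "Port3"),  # one host pinned to a second WAN
]


def _matches(prefix, address):
    return ipaddress.ip_address(address) in ipaddress.ip_network(prefix)


def lookup_policy(src, dst, policy_routes):
    """Return the interface of the first matching policy route, or None."""
    for src_prefix, dst_prefix, iface in policy_routes:
        if _matches(src_prefix, src) and _matches(dst_prefix, dst):
            return iface
    return None


def lookup_table(dst, routing_table):
    """Longest-prefix match on the routing table; returns the interface or None."""
    best, best_len = None, -1
    for prefix, iface in routing_table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def egress_interface(src, dst, policy_routes=POLICY_ROUTES, routing_table=ROUTING_TABLE):
    """Routing decision: policy routes take precedence, then the routing table."""
    iface = lookup_policy(src, dst, policy_routes)
    return iface if iface is not None else lookup_table(dst, routing_table)


def goes_through_vpn(src, dst, **kw):
    """True when the chosen egress is a tunnel (xfrm) interface."""
    iface = egress_interface(src, dst, **kw)
    return iface is not None and iface.startswith("xfrm")


def routes_pulled_off_tunnel(policy_routes, routing_table):
    """Audit check: list policy routes whose destination overlaps a tunnel route
    and that exit on a non-tunnel interface. Such traffic never enters the VPN,
    because the policy is evaluated before the routing table."""
    findings = []
    tunnel_nets = [ipaddress.ip_network(p) for p, i in routing_table if i.startswith("xfrm")]
    for src_prefix, dst_prefix, iface in policy_routes:
        if iface.startswith("xfrm"):
            continue
        dst_net = ipaddress.ip_network(dst_prefix)
        for tunnel_net in tunnel_nets:
            if dst_net.overlaps(tunnel_net):
                findings.append((src_prefix, dst_prefix, iface, str(tunnel_net)))
    return findings


if __name__ == "__main__":
    print(egress_interface("192.168.10.10", "192.168.20.5"))   # xfrm1: routed into the tunnel
    print(egress_interface("192.168.10.10", "203.0.113.9"))    # Port2: plain WAN traffic
    print(egress_interface("192.168.10.50", "192.168.20.5"))   # Port3: policy route wins over the tunnel route
    print(routes_pulled_off_tunnel(POLICY_ROUTES, ROUTING_TABLE))
```

The audit function is the practical takeaway: after adding a tunnel route, run a check like this (or review SD-WAN and policy routes by hand) for any policy whose destination covers the peer's encryption domain, since that policy, not the routing table, decides where the traffic goes.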

To set up a route-based VPN, do as follows:

  1. Add an IPsec connection for your XG Firewall with connection type Tunnel interface, using the WAN interface as the listening port.
  2. Assign an IP address to the automatically created tunnel interface, called xfrm.
  3. Add required firewall or NAT rules.
  4. Create a static, dynamic, or SD-WAN route using the virtual tunnel interface.
  5. Repeat the first four steps for the peer XG Firewall.

Route-based VPN tunnels don’t work together with policy-based VPN tunnels in most cases, so you shouldn’t mix them.