
Route-based VPN

Route-based VPNs are IPsec connections that encrypt and encapsulate all traffic sent to a virtual tunnel interface. The routes you configure, not the IPsec connection itself, decide which traffic reaches that interface.

Firewall rules control access to resources through the tunnel by source and destination address, zone, service, application, and user. SD-WAN policy routes let you steer traffic into the tunnel on the same criteria.

You can configure route-based VPNs from VPN > IPsec connections. When you configure a route-based VPN, you create virtual tunnel interfaces (VTI) as the VPN endpoints. These appear as xfrm interfaces on Network > Interfaces.

Sophos Firewall establishes one tunnel for each xfrm interface you configure. The remote Sophos Firewall device must also terminate the tunnel on an xfrm interface.


You can only establish a route-based VPN when both the local and the remote Sophos Firewall device terminate the tunnel on a tunnel interface. Don't combine a policy-based VPN configuration at one end with a route-based configuration at the other: a policy-based end limits the tunnel to the subnets configured in the IPsec connection, while a route-based end specifies no subnets and expects to carry whatever the routes send to it, so the two ends don't agree on what the tunnel carries.

You assign an IP address to the xfrm interface on the local and remote Sophos Firewall devices. You then configure static, dynamic, or SD-WAN policy-based routes to determine which traffic is sent to the xfrm interface. So, although you don't specify local and remote subnets in the IPsec connection, the routes you configure control which traffic enters the xfrm interface, and the firewall rule controls whether that traffic is allowed.

You can create site-to-site IPsec VPN connections between two Sophos Firewall devices or between a Sophos Firewall device and a third-party firewall.

You can use route-based VPNs as an alternative to site-to-site policy-based IPsec VPNs.

Use cases

Route-based VPNs only encrypt and decrypt the traffic that flows through the xfrm interface; they don't decide which traffic enters the tunnel. The routes you configure make that decision. Because traffic selection lives in the routing table rather than in the IPsec connection, you can change routes without downtime and without disrupting established connections, so route-based VPNs need minimal maintenance.

Use route-based VPNs for the following:

  • Large networks: To establish tunnels for large, rapidly growing networks without re-negotiating the tunnel every time a subnet is added.
  • Redundant connections: To fail over to an MPLS link or to a custom gateway created on an xfrm interface.
  • Dynamic routing: To run dynamic routing over the tunnel so that the network can scale rapidly.

Configuring a route-based VPN

To set up a route-based VPN, do as follows:

  1. On the local Sophos Firewall device, go to VPN > IPsec connections and configure an IPsec connection with connection type Tunnel interface.
  2. Go to Network > Interfaces and assign an IP address to the automatically created virtual tunnel interface (xfrm).
  3. Add a firewall rule that allows the traffic you intend to send through the tunnel. Traffic without a matching firewall rule is dropped even when a route sends it to the xfrm interface.
  4. If the local and remote subnets overlap, add a NAT rule that presents each site to the other under a non-overlapping address range.
  5. Create a static, dynamic, or SD-WAN policy route that sends the remote destination networks to the xfrm interface, specifying the xfrm interface, the local gateway, and the destination address.
  6. Repeat these steps on the peer Sophos Firewall device, with its routes pointing back at the local networks.
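The following is an added example, not Sophos Firewall code. It models the procedure above in plain Python so you can see the three decisions a packet goes through on a route-based VPN: a longest-prefix-match route lookup decides whether the packet reaches an xfrm interface (and fails over to an MPLS interface when the tunnel is down), a default-deny firewall rule then allows or denies it by zone and destination, and a NAT rule rewrites addresses for a peer whose LAN overlaps the local one. All addresses, interface names (port1, port2, mpls0, xfrm0, xfrm1), zone names and rules are constructed for the example; evaluating the firewall rule on the pre-NAT addresses is a simplification of the real evaluation order.

```python
"""Model of how a route-based VPN selects, permits and translates traffic.

Added illustration, not Sophos Firewall code. The route table, not the
IPsec connection, decides which packets reach an xfrm tunnel interface;
a firewall rule then allows or denies them; a NAT rule rewrites addresses
when the two sites use the same subnet. All addresses, interface names
and zones are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dest: Net
    iface: str
    metric: int = 0          # lower wins when two routes have the same prefix length


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst: Net
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class Nat:
    iface: str               # egress interface the translation applies on
    field: str               # "src" or "dst"
    match: Net
    target: Net              # same-size network the address is mapped into


@dataclass
class Firewall:
    routes: List[Route]
    zones: Dict[str, str]    # interface -> zone
    rules: List[Rule]
    nat: List[Nat]
    link_up: Dict[str, bool] # interfaces missing here are treated as up


def lookup(fw: Firewall, addr: IPv4) -> Optional[Route]:
    """Longest-prefix match over routes whose interface is up; metric breaks ties."""
    usable = [r for r in fw.routes if fw.link_up.get(r.iface, True) and addr in r.dest]
    if not usable:
        return None
    return max(usable, key=lambda r: (r.dest.prefixlen, -r.metric))


def translate(addr: IPv4, match: Net, target: Net) -> IPv4:
    """Map addr into target, keeping its host offset (1:1 network translation)."""
    return IPv4(int(target.network_address) + (int(addr) - int(match.network_address)))


def forward(fw: Firewall, src: str, dst: str) -> dict:
    """Decide what happens to one packet: egress interface, rule verdict, NAT result."""
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    ingress, egress = lookup(fw, src_ip), lookup(fw, dst_ip)
    if ingress is None or egress is None:
        return {"action": "no-route"}
    src_zone, dst_zone = fw.zones[ingress.iface], fw.zones[egress.iface]
    # Default deny. The rule is matched on the addresses the sender used,
    # before NAT (a simplification of the real firewall's evaluation order).
    verdict = "deny"
    for rule in fw.rules:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) and dst_ip in rule.dst:
            verdict = rule.action
            break
    if verdict != "allow":
        return {"action": "deny", "egress": egress.iface, "encrypted": False}
    for nat in fw.nat:
        if nat.iface != egress.iface:
            continue
        if nat.field == "src" and src_ip in nat.match:
            src_ip = translate(src_ip, nat.match, nat.target)
        elif nat.field == "dst" and dst_ip in nat.match:
            dst_ip = translate(dst_ip, nat.match, nat.target)
    # Only packets leaving through an xfrm interface are IPsec-protected.
    return {"action": "allow", "egress": egress.iface,
            "encrypted": egress.iface.startswith("xfrm"),
            "src": str(src_ip), "dst": str(dst_ip)}


def example_firewall(xfrm0_up: bool = True) -> Firewall:
    """Site A (LAN 10.1.0.0/24). Site B (10.2.0.0/24) over xfrm0, MPLS fallback.
    Site C's LAN is also 10.1.0.0/24, so A reaches it as 192.168.3.0/24 over
    xfrm1 and presents itself as 192.168.1.0/24. Constructed addressing."""
    return Firewall(
        routes=[
            Route(Net("10.1.0.0/24"), "port1"),              # connected LAN
            Route(Net("0.0.0.0/0"), "port2"),                # default route to WAN
            Route(Net("10.2.0.0/24"), "xfrm0", metric=0),    # site B via IPsec
            Route(Net("10.2.0.0/24"), "mpls0", metric=10),   # site B via MPLS, failover
            Route(Net("192.168.3.0/24"), "xfrm1"),           # site C, NATed range
        ],
        zones={"port1": "LAN", "port2": "WAN", "mpls0": "WAN",
               "xfrm0": "VPN", "xfrm1": "VPN"},
        rules=[
            Rule("LAN", "VPN", Net("10.2.0.0/24"), "allow"),
            Rule("LAN", "VPN", Net("192.168.3.0/24"), "allow"),
            Rule("LAN", "WAN", Net("0.0.0.0/0"), "allow"),
            # no VPN -> LAN rule: inbound tunnel traffic is denied by default
        ],
        nat=[
            Nat("xfrm1", "dst", Net("192.168.3.0/24"), Net("10.1.0.0/24")),
            Nat("xfrm1", "src", Net("10.1.0.0/24"), Net("192.168.1.0/24")),
        ],
        link_up={"xfrm0": xfrm0_up},
    )


if __name__ == "__main__":
    fw = example_firewall()
    for s, d in [("10.1.0.5", "10.2.0.7"), ("10.1.0.5", "8.8.8.8"),
                 ("10.1.0.5", "192.168.3.7"), ("10.2.0.7", "10.1.0.5")]:
        print(s, "->", d, forward(fw, s, d))
    print("xfrm0 down:", forward(example_firewall(xfrm0_up=False), "10.1.0.5", "10.2.0.7"))
```

Two things the model makes visible that the GUI hides: taking xfrm0 down does not change any IPsec configuration, the /24 route via mpls0 simply wins the lookup and the same packets leave unencrypted over the MPLS link, so the firewall rule for the fallback path deserves the same scrutiny as the VPN rule; and the absence of a VPN-to-LAN rule is what stops inbound traffic from the peer, not anything in the IPsec connection.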

More resources