
Route-based VPN

Route-based VPNs are IPsec connections that encrypt and encapsulate all traffic going to the XFRM interface.

You can create route-based VPN connections for IPv4 and IPv6 protocols between two Sophos Firewall devices or between Sophos Firewall and a third-party firewall.

To configure route-based VPNs, go to Site-to-site VPN > IPsec. You create XFRM interfaces as the VPN endpoints when you configure a route-based VPN. To see these interfaces, go to Network > Interfaces and click the blue bar to the left of the listening interface you've used in the connection.

You can create route-based VPNs with the following configuration types:

  • Any-to-any tunnels: After configuring the IPsec connection with local and remote subnets set to Any, you must go to Network > Interfaces and assign an IP address to the XFRM interface. You must then configure static, SD-WAN, or dynamic routes to determine the traffic sent to the XFRM interface.

    We recommend these connections over route-based VPNs with traffic selectors and policy-based VPNs.

  • Traffic selectors for subnets: For route-based IPsec connections that use traffic selectors (hosts or subnets) for the local and remote subnets, the firewall creates an XFRM interface for each IPsec configuration, making debugging easier. The firewall also creates a static route automatically when the tunnel is established.

    We recommend these connections over policy-based VPNs.

    Restriction

    Sophos Firewall doesn't support WAF over route-based IPsec if you use traffic selectors for the subnets. You can use any-to-any route-based connections.

Sophos Firewall establishes a tunnel for each XFRM interface. See Comparing policy-based and route-based VPNs.

Note

You can only establish route-based VPN tunnels when you configure tunnel interfaces on the firewalls at the local and remote networks. Don't create a tunnel using a policy-based VPN configuration at one end and a route-based VPN configuration at the other end.

Configuration guidelines

  • Currently, you can't enter a wildcard (*) for the remote Gateway address. You can enter 0.0.0.0 instead. However, don't use it when you initiate the connection. Alternatively, enter a hostname if you use dynamic DNS for the remote firewall's WAN interface.
  • You can either select Any or specific traffic selectors for both the local and remote subnets. You can't set up route-based VPNs with Any for one subnet and a specific traffic selector for the other.
  • If you specify traffic selectors instead of Any, you can't assign the following to the XFRM interface:
    • IP address
    • Routes
  • For route-based VPNs configured with the local and remote subnets set to Any, you can't change these settings to specific traffic selectors. However, you can clone the connection and specify the local and remote subnets.
  • For IP version set to Dual, you can't do the following:
    • Specify traffic selectors for the local and remote subnets because the firewall will try to establish connections between each pair of local and remote subnets. It can't establish connections between IPv4 and IPv6 subnets.
    • Create a firewall rule automatically. You must configure IPv4 and IPv6 firewall rules manually.
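The guidelines above are easy to violate when connection definitions are prepared outside the GUI (for example, in a change ticket or a bulk import). As an added example that is not Sophos Firewall code, the following Python lint applies each guideline to a plain dictionary describing one connection. The dictionary layout, key names and the function `lint_route_based_vpn` are assumptions chosen for this example, and the one check that goes slightly beyond the page (an IPv4 or IPv6 connection given selectors of the other address family) is marked as such in the code.

```python
"""Lint a route-based IPsec connection definition against the configuration guidelines.

Added, hypothetical example: the dict layout and key names are assumptions, not
Sophos Firewall's own export format or API.
"""
import ipaddress

ANY = "Any"


def _is_any(selectors):
    # A subnet list consisting only of "Any" means no traffic selectors are used.
    return all(s == ANY for s in selectors)


def _family(subnet):
    # 4 or 6 for a CIDR string; raises ValueError on malformed input.
    return ipaddress.ip_network(subnet, strict=False).version


def lint_route_based_vpn(conn):
    """Return a list of guideline violations for one connection (empty list = OK).

    Assumed keys: remote_gateway (str), initiate (bool), ip_version ("IPv4" | "IPv6" | "Dual"),
    local_subnets / remote_subnets (lists of CIDR strings or ["Any"]),
    xfrm_ip (str or None), xfrm_routes (list), auto_firewall_rule (bool).
    """
    issues = []

    gw = conn["remote_gateway"]
    if gw == "*":
        issues.append("wildcard (*) is not allowed for the remote gateway; use 0.0.0.0 or a hostname")
    elif gw == "0.0.0.0" and conn.get("initiate", False):
        issues.append("0.0.0.0 as remote gateway must not be used when this side initiates")

    local, remote = conn["local_subnets"], conn["remote_subnets"]
    if _is_any(local) != _is_any(remote):
        issues.append("local and remote subnets must both be Any or both be specific selectors")

    uses_selectors = not (_is_any(local) and _is_any(remote))
    if uses_selectors:
        if conn.get("xfrm_ip"):
            issues.append("no IP address can be assigned to the XFRM interface with traffic selectors")
        if conn.get("xfrm_routes"):
            issues.append("no routes can be assigned to the XFRM interface with traffic selectors")
        if conn["ip_version"] == "Dual":
            issues.append("IP version Dual cannot use traffic selectors; set both subnets to Any")
        else:
            # Assumption beyond the page text: a single-family connection cannot carry
            # selectors of the other family (the page only states this for Dual).
            want = 4 if conn["ip_version"] == "IPv4" else 6
            for s in local + remote:
                if s != ANY and _family(s) != want:
                    issues.append(f"selector {s} does not match IP version {conn['ip_version']}")

    if conn["ip_version"] == "Dual" and conn.get("auto_firewall_rule", False):
        issues.append("automatic firewall rule creation is unavailable for Dual; add IPv4 and IPv6 rules manually")
    return issues


# Constructed sample connections (addresses are documentation ranges, not real peers).
GOOD_CONN = {
    "remote_gateway": "203.0.113.10", "initiate": True, "ip_version": "IPv4",
    "local_subnets": ["Any"], "remote_subnets": ["Any"],
    "xfrm_ip": "10.255.0.1/30", "xfrm_routes": ["192.168.20.0/24"], "auto_firewall_rule": True,
}
BAD_CONN = {
    "remote_gateway": "*", "initiate": True, "ip_version": "Dual",
    "local_subnets": ["192.168.10.0/24"], "remote_subnets": ["Any"],
    "xfrm_ip": "10.255.0.1/30", "xfrm_routes": [], "auto_firewall_rule": True,
}

if __name__ == "__main__":
    for name, conn in (("good", GOOD_CONN), ("bad", BAD_CONN)):
        print(name, lint_route_based_vpn(conn) or "OK")
```

Run it before submitting a change and fix every reported line; the lint is deliberately strict about the Any/specific mismatch because the firewall will not let that combination establish at all.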

Use cases

Route-based VPNs only encrypt and decrypt traffic that flows through the XFRM interface. Configurations with the local and remote subnets set to Any or with IP version set to Dual don't determine which traffic enters the tunnel. The routes you configure make the decision.

Changes to the configured routes don't require downtime, and established connections aren't disrupted. So, these route-based VPNs require minimal maintenance. We recommend this type of VPN over policy-based and other route-based VPNs.

Use route-based VPNs for the following:

  • Large networks: To establish tunnels for large networks experiencing rapid growth.
  • Redundant connections: To fail over to an MPLS link or a custom gateway created on an XFRM interface.
  • Dynamic routing: To configure dynamic routing, ensuring the network can scale rapidly.

Configuring route-based VPN (any-any subnets)

To set up a route-based VPN with the local and remote subnets set to Any or without specifying traffic selectors, do as follows:

  1. On the local Sophos Firewall device, go to Site-to-site VPN > IPsec and configure an IPsec connection with Connection type set to Tunnel interface with one of the following settings:
    1. Set IP version to Dual. In this mode, you can't select the local and remote subnets.
    2. Alternatively, set IP version to IPv4 or IPv6 and set the local and remote subnets to Any.
  2. Go to Network > Interfaces and assign an IP address to the automatically-created XFRM interface.
  3. Add inbound and outbound firewall rules.
  4. For overlapping subnets at the local and remote networks, add the corresponding SNAT and DNAT rules.
  5. Create static, SD-WAN, or dynamic routes with the XFRM interface, the local gateway, and the destination address.
  6. Repeat these steps on the peer Sophos Firewall device.
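With any-to-any subnets, steps 4 and 5 carry the real decisions: the routes you add determine which traffic enters the XFRM interface, and overlapping subnets at the two sites need SNAT/DNAT. The following Python is an added example (not Sophos Firewall code) that models both decisions offline: a longest-prefix-match lookup over a constructed routing table in which `xfrm1` stands in for the tunnel interface, and an overlap check over constructed local and remote subnet lists. All interface names, routes and addresses are sample values.

```python
"""Model the routing decision for an any-to-any route-based VPN and flag overlapping subnets.

Added, hypothetical example; interface names, routes and subnets are constructed.
"""
import ipaddress

# Constructed routing table: (destination prefix, egress interface, gateway).
# "xfrm1" stands for the tunnel interface created by the IPsec connection.
ROUTES = [
    ("0.0.0.0/0", "Port2", "203.0.113.1"),       # default route out the WAN
    ("192.168.0.0/16", "xfrm1", "10.255.0.2"),   # remote site summary, sent into the tunnel
    ("192.168.50.0/24", "Port1", "10.1.1.1"),    # more specific exception that stays off-tunnel
]


def egress_interface(routes, dst_ip):
    """Longest-prefix match: return (interface, gateway) for dst_ip, or None if no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != dst.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def tunnelled(routes, dst_ip, tunnel_iface="xfrm1"):
    """True when the route lookup sends dst_ip into the tunnel interface."""
    hit = egress_interface(routes, dst_ip)
    return hit is not None and hit[0] == tunnel_iface


def overlapping_subnets(local, remote):
    """Return (local, remote) pairs that overlap; each pair needs SNAT/DNAT rules."""
    pairs = []
    for l in local:
        ln = ipaddress.ip_network(l, strict=False)
        for r in remote:
            rn = ipaddress.ip_network(r, strict=False)
            if ln.version == rn.version and ln.overlaps(rn):
                pairs.append((l, r))
    return pairs


if __name__ == "__main__":
    for ip in ("192.168.20.7", "192.168.50.9", "198.51.100.4"):
        print(ip, "->", egress_interface(ROUTES, ip), "tunnel" if tunnelled(ROUTES, ip) else "clear")
    # Constructed site subnets: the shared 10.1.0.0/16 is the case that needs NAT.
    print(overlapping_subnets(["10.1.0.0/16", "10.2.0.0/16"], ["10.1.0.0/16", "172.16.0.0/12"]))
```

Because the tunnel carries whatever the routing table sends to `xfrm1`, a more specific route toward another interface (the `192.168.50.0/24` entry above) silently pulls that traffic out of the tunnel; review the table with this in mind whenever a route is added.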

Configuring route-based VPN (traffic selectors for subnets)

To set up a route-based VPN with traffic selectors for the local and remote subnets, do as follows:

  1. On the local Sophos Firewall device, go to Site-to-site VPN > IPsec, configure an IPsec connection with the Connection type set to Tunnel interface, and configure specific local and remote subnets.
  2. To see the XFRM interface, go to Network > Interfaces.
  3. Add inbound and outbound firewall rules.
  4. Repeat these steps on the peer Sophos Firewall device.
