Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Create a route-based VPN (any to any subnets)

You want to create and set up a route-based VPN (RBVPN) between your head office (HO) and branch office (BO), with traffic allowed both ways. You set the local and remote subnets to Any.

When you have a head and branch office configuration, the firewall in the branch office usually acts as the tunnel initiator. The firewall in the head office acts as a responder. The reasons are as follows:

  • As the branch offices number vary, we recommend that each branch office retry the connection instead of the head office retrying all connections to branch offices.
  • When the branch office device is configured with a dynamic IP address, the head office device can't start the connection.

    However, if you configure dynamic DNS (DDNS) on the head office Sophos Firewall, the head office device can start the connection. For more information, see Add a dynamic DNS provider.

Route-Based VPN network diagram

In this scenario, the branch office initiates the connection.

Note

The network addresses used here are examples only. Use your network addresses when creating your route-based VPN.

Route-Based VPN network diagram.

Head office

Create IP hosts for LANs

Create hosts for the head office and branch office networks.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify the settings for the head office LAN.

    Name Setting
    Name HO_LAN
    IP version IPv4
    Type Network
    IP address 192.168.1.0
    Subnet /24 (255.255.255.0)

    Here's an example:

    Create a LAN IP host.

  3. Click Save.

  4. Click Add.
  5. Specify the settings for the branch office LAN.

    Name Setting
    Name BO_LAN
    IP version IPv4
    Type Network
    IP address 192.168.3.0
    Subnet /24 (255.255.255.0)
  6. Click Save.

Configure route-based VPN

To create a route-based VPN tunnel, do as follows:

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Specify the general settings:

    Note

    You can't create a firewall rule here for route-based VPN.

    Name Setting
    IP version

    The tunnel only passes through data that uses the specified IP version.

    Select IPv4.

    Connection type Select Tunnel interface. This creates a tunnel interface between two endpoints. The interface is named xfrm followed by a number.
    Gateway type

    Select the following gateway type:

    Respond only: Keeps the connection ready to respond to any incoming request.

    Activate on save Select this option. It activates the VPN connection when you click Save.

    Example:

    Route-based VPN settings.

  4. Specify the encryption settings.

    Name Setting
    Profile

    IPsec profile to use for the traffic.

    Select Head office (IKEv2).

    Authentication type

    Select the following authentication type:

    RSA key: Authenticates endpoints using RSA keys.

    The local RSA key is generated automatically. You need to copy and paste the RSA key from the branch office Sophos Firewall.

    Example:

    Route-based VPN encryption settings.

  5. Specify the local gateway settings.

    Name Setting
    Listening interface

    Interface that listens for connection requests.

    Select the WAN interface (Port2-172.20.120.10).

    Local subnet Any

    Example:

    Route-based VPN's local gateway settings.

  6. Specify the remote gateway settings.

    Name Setting
    Gateway address Enter the WAN IP address of the Branch office Sophos Firewall (172.20.120.15).
    Remote subnet Any

    Example:

    Route-based VPN's remote gateway settings.

  7. Click Save.

  8. Go to Profiles > IPsec profiles and make sure Dead peer detection is turned on. We recommend that you select one of the following actions if the peer (branch office) is unreachable:

    • Hold
    • Disconnect

Edit the xfrm interface

The xfrm interface is a virtual tunnel interface that Sophos Firewall creates on the WAN interface when you set up a route-based VPN connection.

  1. Go to Network > Interfaces.
  2. Click the port on which you've configured the xfrm interface. Ports with virtual interfaces assigned to them have a blue bar on the left.

    Here's an example:

    Click the port to see the xfrm interface.

  3. Click the xfrm interface and specify an IP address and subnet. Example: 3.3.3.3/24

    Example:

    Assign an IP address and subnet mask to the xfrm interface.

  4. Click Save.

Allow access

Allow device access

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.
  3. Under Ping/Ping6, select VPN.
  4. Click Apply.

Add firewall rules

Create firewall rules for inbound and outbound VPN traffic.

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 protocol.
  3. Select Add firewall rule and select New firewall rule.
  4. Specify the settings.

    Name Setting
    Rule name Inbound_Allow
    Log firewall traffic Select the setting.
    Source zones VPN
    Source networks and devices BO_LAN
    Destination zones LAN
    Destination networks HO_LAN

    Example:

    Firewall rule for inbound and outbound traffic.

  5. Click Save.

  6. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  7. Specify the settings.

    Name Setting
    Rule name Outbound_Allow
    Log firewall traffic Select the setting.
    Source zones LAN
    Source networks and devices HO_LAN
    Destination zones VPN
    Destination networks BO_LAN
  8. Click Save.

Add a route

In this example, we show how to configure a static route and an SD-WAN route. For dynamic routes, see the following:

  1. Go to Routing > Static routes and click Add under IPv4 unicast route.
  2. Enter the following route details:

    Name Setting
    Destination IP/netmask 192.168.3.0/24
    Interface xfrm1-3.3.3.3

    Example:

    Static route settings.

  3. Click Save.

  1. Go to Routing > SD-WAN routes.
  2. Select IPv4 and click Add.
  3. Enter a Name.
  4. Set Source networks to HO_LAN.
  5. Set Destination networks to BO_LAN.

    SD-WAN settings for route-based VPN in HO.

  6. Under Link selection settings, select Primary and backup gateways.

    Note

    If you want to enforce gateway failover based on performance SLAs and health check criteria, create an SD-WAN profile with tunnel interfaces and select the profile here.

  7. Click the drop-down list for Primary gateway and click Add.

    1. Enter a name.
    2. For Gateway IP, enter the branch office XFRM IP address (example: 3.3.3.4).
    3. For Interface, select the XFRM interface (example: xfrm1_3.3.3.3).

      SD-WAN settings.

    4. If you want Health check on, for Monitoring condition, enter an internal IP address of the branch office (example: 192.168.3.2).

  8. Optionally, you can select Route only through specified gateways.

    The firewall then drops the traffic if the tunnel isn't available.

  9. Click Save.

Branch office

Configure IP hosts for LANs

Create hosts for the branch office and head office networks.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify the settings for the branch office LAN.

    Name Setting
    Name BO_LAN
    Type Network
    IP address 192.168.3.0
    Subnet /24 (255.255.255.0)
  3. Specify the settings for the head office LAN.

    Name Setting
    Name HO_LAN
    Type Network
    IP address 192.168.1.0
    Subnet /24 (255.255.255.0)

Configure route-based VPN

To create a route-based VPN tunnel, do as follows:

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Specify the general settings:

    Name Setting
    IP version

    The tunnel only passes through data that uses the specified IP version.

    Select IPv4.

    Connection type Select Tunnel interface. This creates a tunnel interface between two endpoints. The interface is named xfrm followed by a number.
    Gateway type

    Select the following gateway type:

    Initiate the connection: Establishes the connection every time VPN services or the device restart.

    Activate on save Select this option. It activates the VPN connection when you click Save.
  4. Specify the encryption settings.

    Name Setting
    Profile IPsec profile to use for the traffic. Select Branch office (IKEv2).
    Authentication type

    Select the following authentication type:

    RSA key: Authenticates endpoints using RSA keys.

    The local RSA key is generated automatically. You must copy and paste the RSA key from the head office Sophos Firewall.

  5. Specify the local gateway settings.

    Name Setting
    Listening interface Interface that listens for connection requests. Select the WAN interface (Port2-172.20.120.15).
  6. Specify the remote gateway settings.

    Name Setting
    Gateway address Enter the WAN IP address of the head office Sophos Firewall (172.20.120.10).

    Note

    You must enter a gateway IP address or DNS hostname. You can't enter a wildcard address (*) for route-based VPNs with Gateway type set to Initiate the connection.

  7. Click Save.

  8. Go to Profiles > IPsec profiles and make sure Dead peer detection is turned on. Select the following action to take when the peer (head office) is unreachable: Re-initiate.

Edit the xfrm interface

The xfrm interface is a virtual tunnel interface that Sophos Firewall creates on the WAN interface when you set up a route-based VPN connection.

  1. Go to Network > Interfaces.
  2. Specify an IP address and subnet. Example: 3.3.3.4/24
  3. Click Save.

Allow access

Allow device access

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.
  3. Under Ping/Ping6, select VPN.
  4. Click Apply.

Add firewall rules

Create firewall rules for inbound and outbound VPN traffic.

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 protocol.
  3. Select Add firewall rule and select New firewall rule.
  4. Specify the settings.

    Name Setting
    Rule name Inbound_Allow
    Log firewall traffic Select the setting.
    Source zones VPN
    Source networks and devices HO_LAN
    Destination zones LAN
    Destination networks BO_LAN
  5. Click Save.

  6. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  7. Specify the settings.

    Name Setting
    Rule name Outbound_Allow
    Log firewall traffic Select the setting.
    Source zones LAN
    Source networks and devices BO_LAN
    Destination zones VPN
    Destination networks HO_LAN
  8. Click Save.

Add a route

In this example, we show how to configure a static route and an SD-WAN route. For dynamic routes, see the following:

  1. Go to Routing > Static routes and click Add under IPv4 unicast route.
  2. Enter the following route details:

    Name Setting
    Destination IP/netmask 192.168.1.0/24
    Interface xfrm1-3.3.3.4
  3. Click Save.

  1. Go to Routing > SD-WAN routes.
  2. Select IPv4 and click Add.
  3. Enter a Name.
  4. Set Source networks to BO_LAN.
  5. Set Destination networks to HO_LAN.

    SD-WAN settings for route-based VPN in BO.

  6. Under Link selection settings, select Primary and backup gateways.

  7. Click the drop-down list for Primary gateway and click Add.

    1. Enter a name.
    2. For Gateway IP, enter the head office XFRM IP address (example: 3.3.3.3).
    3. For Interface, select the XFRM interface (example: xfrm1_3.3.3.4).
    4. If you want Health check on, for Monitoring condition, enter an internal IP address of the head office (example: 192.168.1.2).
  8. Optionally, you can select Route only through specified gateways.

    The firewall then drops the traffic if the tunnel isn't available.

  9. Click Save.

Check connectivity

From the head office, do as follows:

  1. Continuously ping a device on the branch office LAN. On Windows, start a command prompt and type: ping 192.168.3.10 -t
  2. On Sophos Firewall go to Diagnostics > Packet capture > Configure. In BPF string type the following: host 192.168.1.10 and proto ICMP
  3. Click Save.
  4. Turn on Packet capture. If the ping is successful, you can see the ICMP traffic going out of the xfrm interface.
  5. Go to Log viewer. Search for 192.168.1.10 If the ping is successful, you can see the ICMP traffic going out of the xfrm interface to the destination IP address, 192.160.1.10.

To troubleshoot further, select the firewall rule ID and select Filter firewall rule. This opens the firewall rule in the web admin console, where you can check your settings.

More resources