Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Create a route-based VPN with traffic selectors

You want to create and set up a route-based VPN (RBVPN) between your head office (HO) and branch office (BO) for specific local and remote subnets.

When you have a head and branch office configuration, the firewall in the branch office usually acts as the tunnel initiator. The firewall in the head office acts as a responder. This is because of the following reasons:

  • As there are usually many branch offices, we recommend that each branch office retries the connection instead of the head office retrying all connections to branch offices.
  • When the branch office device is configured with a dynamic IP address, the head office device can't start the connection.

    However, if you configure dynamic DNS (DDNS) on the head office Sophos Firewall, the head office device can start the connection. For more information, see Add a dynamic DNS provider.

Route-Based VPN network diagram

In this scenario, the branch office initiates the connection.

Note

The network addresses used here are examples only. Use your network addresses when creating your route-based VPN.

Route-Based VPN network diagram.

Head office

Create IP hosts for LANs

Create hosts for the head office and branch office networks.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify the settings for the head office LAN.

    Name Setting
    Name HO_LAN
    IP version IPv4
    Type Network
    IP address 192.168.1.0
    Subnet /24 (255.255.255.0)

    Here's an example:

    Create a LAN IP host.

  3. Click Save.

  4. Click Add.
  5. Specify the settings for the branch office LAN.

    Name Setting
    Name BO_LAN
    IP version IPv4
    Type Network
    IP address 192.168.3.0
    Subnet /24 (255.255.255.0)
  6. Click Save.

Configure route-based VPN

To create a route-based VPN tunnel, do as follows:

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Specify the general settings:

    Note

    You can't create a firewall rule here for route-based VPN.

    Name Setting
    IP version

    The tunnel only passes through data that uses the specified IP version.

    Select IPv4.

    Connection type Select Tunnel interface. This creates a tunnel interface between two endpoints. The interface is named xfrm followed by a number.
    Gateway type

    Select the following gateway type:

    Respond only: Keeps the connection ready to respond to any incoming request.

    Activate on save Select this option. It activates the VPN connection when you click Save.

    Example:

    Route-based VPN settings.

  4. Specify the encryption settings.

    Name Setting
    Profile

    IPsec profile to use for the traffic.

    Select Head office (IKEv2).

    Authentication type

    Select the following authentication type:

    RSA key: Authenticates endpoints using RSA keys.

    The local RSA key is generated automatically. You need to copy and paste the RSA key from the branch office Sophos Firewall.

    Example:

    Route-based VPN encryption settings.

  5. Specify the gateway settings.

    Name Setting
    Listening interface

    Interface that listens for connection requests.

    Select the WAN interface (Port2-172.20.120.10).

    Gateway address Enter the WAN IP address of the branch office Sophos Firewall (172.20.120.15).
    Local subnet HO_LAN
    Remote subnet BO_LAN

    Example:

    Route-based VPN's gateway settings.

  6. Click Save.

  7. Go to Profiles > IPsec profiles and make sure Dead peer detection is turned on. We recommend that you select one of the following actions if the peer (branch office) is unreachable:

    • Hold
    • Disconnect
  8. To see the XFRM interface, go to Network > Interfaces and click the blue bar next to the interface you've selected as the Listening interface.

    Here's an example:

    Click the port to see the xfrm interface.

Allow access

Allow device access

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.
  3. Under Ping/Ping6, select VPN.
  4. Click Apply.

Add firewall rules

Create firewall rules for inbound and outbound VPN traffic.

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 protocol.
  3. Select Add firewall rule and select New firewall rule.
  4. Specify the settings.

    Name Setting
    Rule name Inbound_Allow
    Log firewall traffic Select the setting.
    Source zones VPN
    Source networks and devices BO_LAN
    Destination zones LAN
    Destination networks HO_LAN

    Example:

    Firewall rule for inbound and outbound traffic.

  5. Click Save.

  6. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  7. Specify the settings.

    Name Setting
    Rule name Outbound_Allow
    Log firewall traffic Select the setting.
    Source zones LAN
    Source networks and devices HO_LAN
    Destination zones VPN
    Destination networks BO_LAN
  8. Click Save.

Branch office

Configure IP hosts for LANs

Create hosts for the branch office and head office networks.

  1. Go to Hosts and services > IP host and click Add.
  2. Specify the settings for the branch office LAN.

    Name Setting
    Name BO_LAN
    Type Network
    IP address 192.168.3.0
    Subnet /24 (255.255.255.0)
  3. Specify the settings for the head office LAN.

    Name Setting
    Name HO_LAN
    Type Network
    IP address 192.168.1.0
    Subnet /24 (255.255.255.0)

Configure route-based VPN

To create a route-based VPN tunnel, do as follows:

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Specify the general settings:

    Name Setting
    IP version

    The tunnel only passes through data that uses the specified IP version.

    Select IPv4.

    Connection type Select Tunnel interface. This creates a tunnel interface between two endpoints. The interface is named xfrm followed by a number.
    Gateway type

    Select the following gateway type:

    Initiate the connection: Establishes the connection every time VPN services or the device restart.

    Activate on save Select this option. It activates the VPN connection when you click Save.
  4. Specify the encryption settings.

    Name Setting
    Profile IPsec profile to use for the traffic. Select Branch office (IKEv2).
    Authentication type

    Select the following authentication type:

    RSA key: Authenticates endpoints using RSA keys.

    The local RSA key is generated automatically. You must copy and paste the RSA key from the head office Sophos Firewall.

  5. Specify the local gateway settings.

    Name Setting
    Listening interface Interface that listens for connection requests. Select the WAN interface (Port2-172.20.120.15).
    Local subnet BO_LAN
  6. Specify the remote gateway settings.

    Name Setting
    Gateway address Enter the WAN IP address (or hostname) of the head office Sophos Firewall (172.20.120.10).
    Remote subnet HO_LAN
  7. Click Save.

  8. Go to Profiles > IPsec profiles and make sure Dead peer detection is turned on. Select the following action to take when the peer (head office) is unreachable: Re-initiate.
  9. To see the XFRM interface, go to Network > Interfaces and click the blue bar next to the interface you've selected as the Listening interface.

Allow access

Allow device access

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.
  3. Under Ping/Ping6, select VPN.
  4. Click Apply.

Add firewall rules

Create firewall rules for inbound and outbound VPN traffic.

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 protocol.
  3. Select Add firewall rule and select New firewall rule.
  4. Specify the settings.

    Name Setting
    Rule name Inbound_Allow
    Log firewall traffic Select the setting.
    Source zones VPN
    Source networks and devices HO_LAN
    Destination zones LAN
    Destination networks BO_LAN
  5. Click Save.

  6. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  7. Specify the settings.

    Name Setting
    Rule name Outbound_Allow
    Log firewall traffic Select the setting.
    Source zones LAN
    Source networks and devices BO_LAN
    Destination zones VPN
    Destination networks HO_LAN
  8. Click Save.

Check connectivity

From the head office, do as follows:

  1. Continuously ping a device on the branch office LAN. On Windows, start a command prompt and type: ping 192.168.3.10 -t
  2. On Sophos Firewall go to Diagnostics > Packet capture > Configure. In BPF string type the following: host 192.168.1.10 and proto ICMP
  3. Click Save.
  4. Turn on Packet capture. If the ping is successful, you can see the ICMP traffic going out of the xfrm interface.
  5. Go to Log viewer. Search for 192.168.1.10 If the ping is successful, you can see the ICMP traffic going out of the xfrm interface to the destination IP address, 192.160.1.10.

To troubleshoot further, select the firewall rule ID and select Filter firewall rule. This opens the firewall rule in the web admin console, where you can check your settings.

More resources