v18 - Route based VPN between two Sophos Appliances, branch office with dynamic peer IP and NAT

Question

Hi Sophos Community, 
 
 maybe you can help me to understand, if I am missing something, or if you think (like me) that this should work. 
 I try to setup route based vpn between head office (ho) and branch office (bo) both with Sophos Appliances SFOS v18. 
 - Ho has a public static IP on its WAN interface. 
 - Bo is behind a NAT router with dynamic IP. 
 
 I wont have an issue setting up a tunnel with policy based VPN, however I would like to use the benefits of a route based vpn since it is now supported in v18. 
 
 When I try to setup the vpn on ho with "respond only", it wont accept "*" for peer IP, like it would when I setup a policy based vpn. I use a remote ID to identify the request regardless of its source IP (like I would do with policy based vpn) I would like to avoid ddns stuff if possible and imho this should work anyway, should it not? 
 Am I missing a technical reason, why this can not work or is it a bug/missing feature in SFOS v18? 
 I appreciate your assistance! 
 
 Kind regards, 
 
 David

LuCar Toni · Accepted Answer

VTI does not support Wildcard. 
 There is a limitation in the underlaying technology that does not allow such configs. 
 See: https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN 
 VTI needs a direct peer to build up the SA. The SA will be 0.0.0.0==0.0.0.0. To get multiple of those SAs, you need to know, which device is currently connecting. Therefore a Config with * is invalid. 
 
 Workaround: XG gives you one free DynDNS per Device. Use this DynDNS on XG to have a DNS, which is static and can be used in the VTI config. 
 
 https://community.sophos.com/kb/en-us/123126

FormerMember · Answer

Hi DuS 
 I have confirmed with the internal team that route-based VPN does not support "*" as a remote gateway. 
 Please check out this document for more info: Create a route-based VPN tunnel (BO) ' 
 Thanks,