S2S IPSEC - Policy based and Routing based

Hi All,

We have Head Office with 6 Branch Offices. Each Branch office is connected to the Head Office via a Policy Based IPSEC S2S VPN. The head office and branch offices all have 4G backup internet. Hence, this requires 4 tunnels per branch office to cover all possible configurations. We have actually managed to reduce this to 2 tunnels per BO by using DynDNS.

I would like to implement Route Based IPSEC tunnels and then implement SD-WAN policies to route over these using a latency-based policy - the tunnel with the lowest latency will be chosen.

I remember seeing something in the past that stated that you should not run both Policy based and Route based VPNs on the same system. I am not sure if this meant on the same Sophos Firewall, or you shouldn't try to connect a route based vpn to a policy based vpn.

Can I set up Route Based VPNs for 1 of the Branch Office sites and leave the other Branch Offices on policy based VPNs? - this means that the Head Office firewall will be running both Route based and Policy Based VPNs.

Thanks for your time.

Regards

Mike



  • Hello Mike,

    Good day and thanks for reaching out to Sophos Community

    Kindly refer to this comparison doc guide on Policy-based and Route-based VPN: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNPolicyAndRouteBased/index.html

    You may also refer to each use case and other details individually:

    Policy-Based: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNPolicybased/index.html

    Route-based: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNRoutebased/index.html

    And yes, it is not recommended to create a tunnel using a policy-based VPN configuration at one end and a route-based VPN configuration at the other end, as per the above doc guide.

    Further, as I understand it you plan to utilize SD-WAN features; here is a summary of how RBVPN favors your use case/setup. With RBVPNs:

    - SD-WAN policy routes provide granular routing based on the source and destination networks, services, users, and applications.

    - SD-WAN policy routing with backup gateway configuration provides redundant routes.

    - When you want redundant gateways, use the primary-backup gateway configuration in SD-WAN policy routing to fail over to a custom gateway created on an xfrm interface or an MPLS connection.

    Also, as this seems to be an implementation activity, I may also recommend that you reach out to your local Sophos Partner / Sophos SE for further guidance, or opt for Sophos Professional Services if you would like.

    Hope this helps you with your use case. Many thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
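Raphael's reply above describes SD-WAN policy routes with a primary and backup gateway on xfrm interfaces, and Mike's goal is for the tunnel with the lowest latency to carry the traffic with automatic failover when a tunnel dies. The decision that such a policy route has to make can be modelled in a few lines. The following Python is an added example written for this thread, not Sophos Firewall code and not taken from the linked documentation: the gateway names, the probe round-trip times, the 3-sample window, the 3-probe down threshold and the 10 ms hysteresis are all constructed assumptions. It goes slightly beyond the thread by using a median over recent probes and a hysteresis margin, so that one latency spike or a small difference between two tunnels does not flap the route back and forth.

```python
"""Toy model of a latency-preferring SD-WAN gateway selector.

Added example for this thread, not Sophos Firewall code: it models the
decision an SD-WAN policy route has to make when several route-based
(xfrm interface) tunnels reach the same branch office and the tunnel with
the lowest latency should carry the traffic. Gateway names, probe results
and all thresholds below are constructed assumptions.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional

WINDOW = 3          # assumption: probes kept per gateway for the latency estimate
DOWN_AFTER = 3      # assumption: consecutive lost probes before a gateway is "down"
HYSTERESIS_MS = 10  # assumption: a challenger must beat the active tunnel by this much


@dataclass
class Gateway:
    """One custom gateway bound to an xfrm interface (route-based tunnel)."""
    name: str
    samples: List[float] = field(default_factory=list)  # recent RTTs in ms
    lost: int = 0                                        # consecutive lost probes

    def record(self, rtt_ms: Optional[float]) -> None:
        """Record one probe; None means the probe timed out."""
        if rtt_ms is None:
            self.lost += 1
            return
        self.lost = 0
        self.samples.append(rtt_ms)
        del self.samples[:-WINDOW]          # keep only the newest WINDOW samples

    @property
    def up(self) -> bool:
        return self.lost < DOWN_AFTER and bool(self.samples)

    @property
    def latency(self) -> float:
        # median rather than mean so one spike does not trigger a switch
        return median(self.samples)


class LatencySelector:
    """Picks the healthy gateway with the lowest latency, with hysteresis."""

    def __init__(self, gateways: List[Gateway]) -> None:
        self.gateways = gateways
        self.active: Optional[Gateway] = None

    def select(self) -> Optional[str]:
        healthy = [g for g in self.gateways if g.up]
        if not healthy:
            self.active = None                # all tunnels down: no route
            return None
        best = min(healthy, key=lambda g: g.latency)
        if self.active is None or not self.active.up:
            self.active = best                # failover: current tunnel is gone
        elif best is not self.active and best.latency + HYSTERESIS_MS < self.active.latency:
            self.active = best                # challenger is clearly faster: switch
        return self.active.name


# Constructed probe rounds (fibre RTT, 4G RTT) in ms; None = probe timed out.
PROBE_ROUNDS = [
    (12, 45), (14, 40), (60, 38),   # fibre best, then fibre starts degrading
    (45, 37),                       # 4G is faster but within hysteresis: stay
    (70, 36), (15, 36),             # clearly worse: switch to 4G; fibre recovers
    (14, 36),                       # fibre clearly better again: switch back
    (None, 36), (None, 36),         # fibre probes lost, not yet down
    (None, 36),                     # third loss: fibre down, fail over to 4G
    (None, None),                   # both lost once; 4G still counts as up
    (13, 36),                       # fibre back: prefer it again
]


def run_scenario(rounds=PROBE_ROUNDS) -> List[Optional[str]]:
    """Feed the probe rounds through the selector; return the chosen tunnel per round."""
    fibre, cell = Gateway("xfrm1-fibre"), Gateway("xfrm2-4g")
    selector = LatencySelector([fibre, cell])
    chosen = []
    for fibre_rtt, cell_rtt in rounds:
        fibre.record(fibre_rtt)
        cell.record(cell_rtt)
        chosen.append(selector.select())
    return chosen


if __name__ == "__main__":
    for rnd, name in zip(PROBE_ROUNDS, run_scenario()):
        print(rnd, "->", name)
```

Running the script prints one line per probe round showing which tunnel the policy would use. The two cases worth noticing are round 4, where 4G is already faster but within the hysteresis margin so the route stays on fibre, and round 10, where the third lost probe marks fibre down and traffic fails over to the 4G tunnel even though no latency comparison is possible any more.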

  • Hi Raphael,

    Thanks for all of the great information. I have reviewed the documentation you linked to and, in fact, I have a full test rig set up in a virtualized environment. It comprises one Sophos Firewall acting as 4 ISP connections, with 2 connections to a Head Office Sophos Firewall and 2 connections to a Branch Office Sophos Firewall using Route based VPNs. This way I can "switch off" (or apply QoS to) various connections on the ISP Firewall and watch the Head Office and Branch Office firewalls fail over between connections and switch between VPNs automatically.

    This all works really well and it showed me all of the technical aspects of getting the xfrm interfaces set up, creating gateways, SD-WAN policies, etc.

    To deploy the new configuration, we would like to know if we can do one Branch office at a time. This would mean that after we setup the first branch office, the Head Office Sophos Firewall will be running Policy based VPNs to 5 sites and Route based VPN to the newly configured Branch Office.

    To simplify the question, can a Sophos Firewall run a Route based S2S VPN to one site and Policy based S2S VPN to another site?

    Thanks for your help.

    Regards

    Mike

  • can a Sophos Firewall run a Route based S2S VPN to one site and Policy based S2S VPN to another site?
    No, it is either policy-based on both sides or route-based on both sides for the same tunnel.
    You may run two different tunnels, i.e. one route-based and another policy-based!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

