S2S IPSEC - Policy based and Routing based

Hello Mike,

Good day and thanks for reaching out to Sophos Community

Kindly refer to this comparison doc guide on Policy-based and Route-based VPN: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNPolicyAndRouteBased/index.html

You may also refer to each use cases and other details individually: 

Policy-Based: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNPolicybased/index.html

Route-based: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNRoutebased/index.html

And yes it is not recommended to create a tunnel using policy-based VPN configuration at one end and a route-based VPN configuration at the other end as per the above doc guide.

Further, as I understand it you plan to utilize using SDWAN features, here are the summary of RBVPN favoring your use case/setup. In RBVPNs you are able to:

- SD-WAN policy routes provide granular routing based on the source and destination networks, services, users, and applications.

-SD-WAN policy routing with backup gateway configuration provides redundant routes.

-When you want redundant gateways. Use the primary-backup gateway configuration in SD-WAN policy routing to fail over to a custom gateway created on an xfrm interface or an MPLS connection.

Also, this seems to be an implementation activity, I may recommend you also to reach out for further guidance to your local Sophos Partner/ Sophos SE or if you would want to opt for Sophos Professional Services. 

Hope this helps you on your use case. Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Hello Mike,

Good day and thanks for reaching out to Sophos Community

Kindly refer to this comparison doc guide on Policy-based and Route-based VPN: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNPolicyAndRouteBased/index.html

You may also refer to each use cases and other details individually: 

Policy-Based: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNPolicybased/index.html

Route-based: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNRoutebased/index.html

And yes it is not recommended to create a tunnel using policy-based VPN configuration at one end and a route-based VPN configuration at the other end as per the above doc guide.

Further, as I understand it you plan to utilize using SDWAN features, here are the summary of RBVPN favoring your use case/setup. In RBVPNs you are able to:

- SD-WAN policy routes provide granular routing based on the source and destination networks, services, users, and applications.

-SD-WAN policy routing with backup gateway configuration provides redundant routes.

-When you want redundant gateways. Use the primary-backup gateway configuration in SD-WAN policy routing to fail over to a custom gateway created on an xfrm interface or an MPLS connection.

Also, this seems to be an implementation activity, I may recommend you also to reach out for further guidance to your local Sophos Partner/ Sophos SE or if you would want to opt for Sophos Professional Services. 

Hope this helps you on your use case. Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Hi Raphael,

Thanks for all of the great information. I have reviewed the documentation you linked to and, in fact, I have a full test rig set up in a virtualized environment. It comprises one Sophos Firewall acting as 4 ISP connections with 2 connections to a Head office Sophos Firewall and 2 connections to a Branch office Sophos Firewall using Route based VPNs. This way I can "switch off" (or apply QOS) to various connections on the ISP Firewall and watch the Head Office and Branch Office firewalls failover between connections and switch between VPNs automatically.

This all works really well and showed me all of the technical aspects of getting the xfrms interfaces setup, creating gateways, SDWAN policies, etc.

To deploy the new configuration, we would like to know if we can do one Branch office at a time. This would mean that after we setup the first branch office, the Head Office Sophos Firewall will be running Policy based VPNs to 5 sites and Route based VPN to the newly configured Branch Office.

To simplify the question, can a Sophos Firewall run a Route based S2S VPN to one site and Policy based S2S VPN to another site?

Thanks For your help

Regards

Mike

can a Sophos Firewall run a Route based S2S VPN to one site and Policy based S2S VPN to another site?
No, either it policy base on both the sides or route base on both the sides for the same tunnel. 
You may run two different tunnel i.e. one route base and another policy base !  Michael Wallis