Skip to content

Policy-based VPN

Policy-based VPNs are IPsec connections that encrypt and encapsulate traffic flowing through the listening interface if the traffic matches the specified local and remote subnets and the corresponding firewall rule.

You can control access to resources through the tunnel based on the source and destination addresses, zones, services, applications, and the users you specify in the firewall rule.

You can configure host-to-host and site-to-site policy-based VPNs from Site-to-site VPN > IPsec.

Sophos Firewall uses a single IPsec interface for all policy-based connections. It establishes individual phase 2 tunnels for each pair of local and remote subnets you specify in the IPsec connection. For example, if you specify two local subnet and two remote subnets, it establishes four tunnels.

You can create site-to-site IPsec connections between two Sophos Firewall devices or between a Sophos Firewall device and a third-party firewall.

Note

You can't select Any for the local and remote subnets using a policy-based VPN.

Don't create a tunnel using a policy-based VPN configuration at one end and a route-based VPN configuration at the other end.

Use cases

Policy-based VPNs require more maintenance than route-based VPNs, particularly when you have many VPN connections. When your network expands, you need to change the network parameters, such as subnets, in the IPsec configuration. This causes established connections to disconnect, and you need to plan for the downtime.

Tip

We recommend using route-based VPNs instead of policy-based VPNs. Route-based VPNs use individual XFRM interfaces for each IPsec connection, making debugging simpler.

You can use policy-based VPNs for the following:

  • Limited number of networks: Use these to connect a small number of networks with limited growth. If you need to establish a large number of VPN connections, we recommend using route-based VPNs.
  • Specific network requirements: Use these tunnels only based on your network requirements. These tunnels require more resources because the firewall creates a phase 2 tunnel for each pair of local and remote subnets.

How to configure a policy-based VPN

To set up a site-to-site policy-based VPN, do as follows:

  1. On the local Sophos Firewall device, go to Site-to-site VPN > IPsec and configure an IPsec connection with Connection type set to Site-to-site.
  2. Specify the NAT setting for overlapping subnets at the local and remote networks.
  3. Add inbound and outbound firewall rules manually or use the Create firewall rule option to create it automatically. To ensure higher levels of security, edit this automatically-created firewall rule and make sure you have independent inbound and outbound rules.
  4. Repeat these steps for the peer Sophos Firewall.