S2S IPSEC - Policy based and Routing based

Question

Hi All, 
 We have Head Office with 6 Branch Offices. Each Branch office is connected to the Head Office via a Policy Based IPSEC S2S VPN. The head office and branch offices all have 4G backup internet. Hence, this requires 4 tunnels per branch office to cover all possible configurations. We have actually managed to reduce this to 2 tunnels per BO by using DynDNS. 
 I would like to implement Route Based IPSEC tunnels and then implement SD-WAN policies to route over these using an latency based policy - the tunnel with the lowest latency will be chosen. 
 I remember seeing something in the past that stated that you should not run both Policy based and Route based VPNs on the same system. I am not sure if this meant on the same Sophos Firewall, or you shouldn't try to connect a route based vpn to a policy based vpn. 
 Can I can setup Route Based VPNs for 1 of the Branch Office sites and leave the other Branch Offices on policy based VPNs? - this means that the Head Office firewall will be running both Route based and Policy Based VPNs. 
 Thanks for your time. 
 Regards 
 Mike

Vivek Jagad · Accepted Answer

can a Sophos Firewall run a Route based S2S VPN to one site and Policy based S2S VPN to another site?
No, either it policy base on both the sides or route base on both the sides for the same tunnel.
You may run two different tunnel i.e. one route base and another policy base ! Michael Wallis

Raphael Alganes · Answer

Hello Mike, 
 Good day and thanks for reaching out to Sophos Community 
 Kindly refer to this comparison doc guide on Policy-based and Route-based VPN: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNPolicyAndRouteBased/index.html 
 You may also refer to each use cases and other details individually: 
 Policy-Based: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNPolicybased/index.html 
 Route-based: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNRoutebased/index.html 
 And yes it is not recommended to create a tunnel using policy-based VPN configuration at one end and a route-based VPN configuration at the other end as per the above doc guide. 
 
 Further, as I understand it you plan to utilize using SDWAN features, here are the summary of RBVPN favoring your use case/setup. In RBVPNs you are able to: 
 - SD-WAN policy routes provide granular routing based on the source and destination networks, services, users, and applications. 
 -SD-WAN policy routing with backup gateway configuration provides redundant routes. 
 -When you want redundant gateways. Use the primary-backup gateway configuration in SD-WAN policy routing to fail over to a custom gateway created on an xfrm interface or an MPLS connection. 
 Also, this seems to be an implementation activity, I may recommend you also to reach out for further guidance to your local Sophos Partner/ Sophos SE or if you would want to opt for Sophos Professional Services. 
 Hope this helps you on your use case. Many thanks for your time and patience and thank you for choosing Sophos 
 Cheers,

S2S IPSEC - Policy based and Routing based

Top Replies