Creating policy-based VPN topologies

In SMC, you can create and manage VPN tunnels that link firewall-protected networks or sub-networks, which are described in a policy.

Such topologies are used in the standard operating mode.

Firewalls or gateways act as entry and exit points for tunnels and may be:

  • SN firewalls running version 3.0 or higher, managed by the SMC server,
  • External peers, meaning SN firewalls or any other type of VPN gateway not managed by the SMC server.

SMC offers two VPN topologies: mesh or star.

  • Mesh: all remote sites are interconnected,
  • Star: a central site is connected to several satellite sites. Satellite sites do not communicate with one another. The central site must be an SN firewall managed by the SMC server.

Before configuring your topologies, you must:

  • Create your traffic endpoints beforehand (Network, Host or Group) in the Network objects menu. For more information, please refer to the section Managing network objects.
  • Create Host objects beforehand for your external peers if your topologies include them.
  • If X509 certificate authentication has been selected, import a certificate beforehand for each SMC-managed firewall included in your topologies, and declare the certification authorities beforehand as well. The corresponding procedures are described in the section Configuring a policy-based mesh topology.
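To make the difference between the two topologies and the prerequisites above concrete, here is an added example (not SMC code or any Stormshield API) that models a set of gateways, derives the tunnel list a mesh or star would need, and reports which prerequisites from this section each site fails. Gateway names, the fields of the `Gateway` record and the `plan_topology` function are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Gateway:
    name: str
    managed: bool              # True: SN firewall managed by SMC; False: external peer
    version: str = "0.0"       # SN firmware version, only meaningful when managed
    has_cert: bool = False     # X509 certificate imported, needed only when managed
    host_object: bool = False  # Host object created, needed only for external peers

def version_ok(version):
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) >= (3, 0)  # managed SN firewalls must be 3.0 or higher

def check_gateway(gw, x509):
    """Return the prerequisites from the text that this gateway does not meet."""
    errors = []
    if gw.managed:
        if not version_ok(gw.version):
            errors.append(f"{gw.name}: managed SN firewall must run version 3.0 or higher")
        if x509 and not gw.has_cert:
            errors.append(f"{gw.name}: X509 selected but no certificate imported")
    elif not gw.host_object:
        errors.append(f"{gw.name}: external peer needs a Host object")
    return errors

def plan_topology(kind, gateways, x509=False, center=None):
    """Return (tunnels, errors) for a 'mesh' or 'star' topology over the gateways."""
    errors = [e for gw in gateways for e in check_gateway(gw, x509)]
    if kind == "mesh":
        # every site is linked to every other site: n*(n-1)/2 tunnels
        tunnels = [(a.name, b.name) for a, b in combinations(gateways, 2)]
    elif kind == "star":
        hub = next((g for g in gateways if g.name == center), None)
        if hub is None:
            return [], errors + [f"star: central site {center!r} is not in the gateway list"]
        if not hub.managed:
            errors.append(f"star: central site {hub.name} must be an SN firewall managed by SMC")
        # satellites are linked to the hub only, never to each other: n-1 tunnels
        tunnels = [(hub.name, g.name) for g in gateways if g is not hub]
    else:
        raise ValueError(f"unknown topology kind {kind!r}")
    return tunnels, errors
# Constructed sample sites (hypothetical names, not from the SMC documentation).
SITES = [
    Gateway("fw-paris", managed=True, version="4.3", has_cert=True),
    Gateway("fw-lyon", managed=True, version="3.7", has_cert=True),
    Gateway("fw-lille", managed=True, version="2.9"),
    Gateway("peer-partner", managed=False, host_object=True),
]
```

With the four constructed sites, a mesh needs six tunnels while a star around fw-paris needs three, and choosing the external peer as the central site is flagged because the central site must be an SMC-managed SN firewall.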

In this section, we describe two use case scenarios, a policy-based mesh topology and a policy-based star topology. For further detail on each menu and option for configuring VPN tunnels, refer to the Stormshield Network User Configuration Manual.