Creating route-based VPN topologies

In route-based VPN tunnels, traffic is routed via IPSec VTIs to link SN firewalls that the SMC server manages, as well as networks and hosts protected by these firewalls.

Firewalls must run at least version 3.3.

These IPSec VTIs act as the traffic endpoints of tunnels, and all packets routed to these interfaces are then encrypted. This traffic is described by routes in a routing table or by policy-based routing (PBR) filter rules.

The following are some of the advantages of route-based VPN topologies:

  • Routing by IPSec VTIs takes priority over a policy match in standard IPSec tunnels.
  • They require fewer tunnels than in a standard IPSec topology. Only one tunnel is needed between two firewalls, regardless of the number of networks that the firewall protects.

Route-based topologies cannot include external peers, i.e., SN firewalls or any other type of VPN gateway not managed by the SMC server.

From the SMC server you can:

  • Create route-based VPN topologies
  • Monitor these topologies
  • Define filter rules. SMC automatically generates VTI objects that represent peers in the topology, which can be used in these rules.

On every firewall in the topology, you must then:

  • Create IPSec virtual tunnel interfaces (VTI)
  • Configure static routes if necessary
  • Configure return routes if necessary

For more information, see the next sections.


SMC offers two VPN topologies: mesh or star.

  • Mesh: all remote sites are interconnected.
  • Star: a central site is connected to several satellite sites. Satellite sites do not communicate with one another.

If X509 certificate authentication is selected, prior to configuring your topologies, you must import a certificate for all the firewalls in your topologies that SMC manages, and also declare certification authorities. The corresponding procedures are described in the section Configuring a policy-based mesh topology.

In this section, we describe the configuration of a route-based mesh topology and the configuration of a route-based star topology. For further detail on each menu and option for configuring VPN tunnels, refer to the Stormshield Network User Configuration Manual.

For further information on setting up IPSec VTIs on firewalls, refer to the relevant Technical note.