Configuring a route-based star topology

Depending on which authentication type you choose to secure your topology, there may be operations you must perform before creating the topology.

Follow the steps below to create a route-based VPN topology:

  1. In Configuration > VPN Topologies, click on Add a VPN topology at the top of the screen and select Star.
  2. In the window that opens, select Route-based VPN and click on Create the topology.
  3. Enter a name. A description is optional.
  4. Choose the authentication type in the next step.
  5. Select the encryption profile. The SMC server offers three pre-configured profiles. Create customized profiles in Configuration > Encryption profiles. Refer to the Stormshield Network User Configuration Manual for more information on encryption profile options.
  6. If you need to edit the default network pool for IPSec VTIs, expand the Advanced properties section. For more information on the VTI network pool field, refer to the section Editing the VTI network pool.
  7. Choose the center of your topology. It will then show a star icon in the list of firewalls below, and the firewall will appear in bold.
  8. If the IP address of the center of the topology is dynamic, select the option Do not initiate the tunnels (Responder-only) if needed. Only the peers will then be able to set up the VPN tunnel. This option is available from version 3.6.0 of SN firewalls.
  9. Select your topology peers. You can only select firewalls that are connected or offline and that run at least version 3.3.
  10. In the next step, double-click on the line of a firewall to open the Peers and VTI window:
  11. Click on Apply to close the window.
  12. Click on Apply again at the end of step 4/4 to generate the topology.
  13. SMC then suggests that you download the .csv file to configure IPSec interfaces. This file contains the information you need to create interfaces on every firewall in the topology. Refer to the section Defining IPSec VTIs on SN firewalls for further information.
  14. Deploy the configuration on the firewalls in the topology. The VPN configuration belongs to the firewall's global policy.

Your topology is still not operational at this stage. Follow the instructions in Defining IPSec VTIs on SN firewalls and Defining the traffic routing policy to complete the process of setting up a route-based VPN topology.