Creating policy-based VPN topologies

SMC allows you to create and manage VPN tunnels that link networks or sub-networks protected by firewalls. The networks to be linked are described in a policy.

Such topologies are used in the standard operating mode.

Firewalls or gateways act as entry and exit points for tunnels and may be:

  • SNS firewalls in at least version 3.7, managed by the SMC server,
  • External peers, meaning SNS firewalls or any other type of VPN gateway not managed by the SMC server.

SMC offers two VPN topologies: mesh or star.

  • Mesh: all remote sites are interconnected,
  • Star: a central site is connected to several satellite sites. Satellite sites do not communicate with one another. The central site must be an SNS firewall managed by the SMC server.

Before configuring your topologies, you must:

  • Create your traffic endpoints beforehand (Network, Host or Group objects) in the Objects menu. For more information, please refer to the section Managing objects.
  • Create Host objects beforehand for your external peers if your topologies include them.
  • If X509 certificate authentication has been selected, import a certificate for each SMC-managed firewall included in your topologies and declare the certification authorities beforehand as well. The corresponding procedures are described in the section Configuring a policy-based mesh topology.

In this section, we describe two use case scenarios, a policy-based mesh topology and a policy-based star topology. For further detail on each menu and option for configuring VPN tunnels, refer to the Stormshield Network User Configuration Manual.
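As an added illustration, not SMC's own code or object model, the following Python models the two topology types and the prerequisite checklist above: it enumerates the tunnels a mesh or star topology implies for a set of sites (a mesh of n sites needs n(n-1)/2 tunnels, a star needs n-1), refuses an external peer as the central site of a star, and reports which prerequisites (object definitions, SNS version, certificate and CA for X509) are still missing. The `Peer` attributes, the `auth` parameter and the sample sites are assumptions made for this example.

```python
"""Illustrative model of SMC policy-based VPN topologies (mesh vs star).
Not SMC's API: the Peer fields and the auth parameter are assumptions."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Peer:
    name: str
    managed: bool                 # True: SNS firewall managed by SMC; False: external peer
    sns_version: str = ""         # assumed version string, relevant only when managed
    has_host_object: bool = False # external peers need a Host object in the Objects menu
    has_certificate: bool = False # X509: managed firewalls need an imported certificate


def _version_tuple(version):
    """'3.7' -> (3, 7); used to compare SNS versions numerically."""
    return tuple(int(part) for part in version.split("."))


def check_prerequisites(peers, endpoints_defined, auth="psk", cas_declared=False):
    """Return the list of unmet prerequisites; an empty list means the topology
    can be configured. auth is 'psk' or 'x509' (an assumed parameter)."""
    problems = []
    if not endpoints_defined:
        problems.append("traffic endpoints (Network, Host or Group objects) must exist")
    for p in peers:
        if p.managed:
            if _version_tuple(p.sns_version or "0") < (3, 7):
                problems.append(f"{p.name}: managed SNS firewall must run version 3.7 or later")
            if auth == "x509" and not p.has_certificate:
                problems.append(f"{p.name}: X509 selected but no certificate imported")
        elif not p.has_host_object:
            problems.append(f"{p.name}: external peer needs a Host object")
    if auth == "x509" and not cas_declared:
        problems.append("X509 selected but no certification authority declared")
    return problems


def mesh_tunnels(peers):
    """Mesh: every pair of sites is linked, so n sites give n(n-1)/2 tunnels."""
    return sorted((a.name, b.name) for a, b in combinations(peers, 2))


def star_tunnels(center, satellites):
    """Star: one tunnel per satellite to the center (n-1 tunnels);
    satellites have no tunnel between them. The center must be SMC-managed."""
    if not center.managed:
        raise ValueError("central site must be an SNS firewall managed by the SMC server")
    return sorted((center.name, s.name) for s in satellites)


# Constructed sample sites (not real infrastructure).
PARIS = Peer("paris", managed=True, sns_version="4.3", has_certificate=True)
LYON = Peer("lyon", managed=True, sns_version="3.7", has_certificate=True)
PARTNER = Peer("partner", managed=False, has_host_object=True)
LEGACY = Peer("legacy", managed=True, sns_version="3.6")  # too old, no certificate


if __name__ == "__main__":
    sites = [PARIS, LYON, PARTNER]
    print("mesh:", mesh_tunnels(sites))
    print("star:", star_tunnels(PARIS, [LYON, PARTNER]))
    print("ok  :", check_prerequisites(sites, True, auth="x509", cas_declared=True))
    print("bad :", check_prerequisites(sites + [LEGACY], True, auth="x509", cas_declared=False))
    try:
        star_tunnels(PARTNER, [PARIS, LYON])
    except ValueError as exc:
        print("star rejected:", exc)
```

Run the check before touching the topology screens: every message it returns maps to one of the bullet points above, and a star whose hub is an external peer is rejected outright because the central site has to be managed by SMC.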