Creating route-based VPN topologies

In route-based VPN tunnels, traffic is routed through IPsec VTIs that link the SNS firewalls managed by the SMC server, along with the networks and hosts that these firewalls protect.

These IPsec VTIs act as the traffic endpoints of tunnels, and all packets routed to these interfaces are then encrypted. This traffic is described by routes in a routing table or by policy-based routing (PBR) filter rules.

The following are some of the advantages of route-based VPN topologies:

  • Routing by IPsec VTIs takes priority over a policy match in standard IPsec tunnels.
  • Route-based topologies require fewer tunnels than a standard IPsec topology. Only one tunnel is needed between two firewalls, regardless of the number of networks that each firewall protects.

NOTE
Route-based topologies cannot include external peers, i.e., SNS firewalls or any other type of VPN gateway not managed by the SMC server.

From the SMC server, you can:

  • Create route-based VPN topologies,

  • Monitor these topologies,

  • Define filter rules. SMC automatically generates VTI objects that represent peers in the topology, which can be used in these rules,

  • Configure static routes and return routes if necessary and/or enable dynamic routing.

Virtual IPsec interfaces (VTI) are automatically created on firewalls with network configurations that SMC manages. These interfaces are listed in the IPsec interfaces (VTI) tab in a firewall's settings. For further information, refer to the section Configuring IPsec interfaces (VTI).

If the topology contains firewalls with network configurations that SMC does not manage, you must manually create virtual IPsec interfaces on each of these firewalls. When you select peers for a topology, the Network managed by SMC column indicates whether the network configuration of each firewall is managed by SMC.

For more information, see the next sections.

NOTE
Modifying a route-based VPN topology may cause changes on associated virtual IPsec interfaces. For further information, refer to the section Configuring IPsec interfaces (VTI).

SMC offers two VPN topologies: mesh or star.

  • Mesh: all remote sites are interconnected,
  • Star: a central site is connected to several satellite sites. Satellite sites do not communicate with one another.
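
The tunnel-count advantage and the mesh/star difference described above, as an added planning sketch (not Stormshield code, and it does not call SMC). Site names, networks and the `vti->peer` labels are constructed, and the per-network-pair count for standard IPsec is an assumption about how policy-based tunnels are counted.

```python
from itertools import combinations

# Constructed sample sites: firewall name -> protected networks (not from the page).
SITES = {
    "fw-hq": ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"],
    "fw-lyon": ["10.1.0.0/24", "10.1.1.0/24"],
    "fw-lille": ["10.2.0.0/24"],
    "fw-nice": ["10.3.0.0/24", "10.3.1.0/24"],
}

def peer_pairs(sites, topology, center=None):
    """Firewall pairs that share a tunnel in a mesh or star topology."""
    names = sorted(sites)
    if topology == "mesh":
        return list(combinations(names, 2))
    if topology == "star" and center in sites:
        return [(center, n) for n in names if n != center]
    raise ValueError("topology must be 'mesh', or 'star' with a valid center")

def route_based_tunnels(sites, topology, center=None):
    """Route-based: one tunnel per firewall pair, whatever they protect."""
    return len(peer_pairs(sites, topology, center))

def policy_based_tunnels(sites, topology, center=None):
    """Assumption: standard IPsec needs one tunnel per local/remote network pair."""
    return sum(len(sites[a]) * len(sites[b]) for a, b in peer_pairs(sites, topology, center))

def vti_routes(sites, topology, center=None):
    """Routes each firewall needs: every remote network via the VTI facing that peer."""
    routes = {name: [] for name in sites}
    for a, b in peer_pairs(sites, topology, center):
        routes[a] += [(net, f"vti->{b}") for net in sites[b]]  # hypothetical VTI label
        routes[b] += [(net, f"vti->{a}") for net in sites[a]]
    return routes

def reachable(routes, src, dst_net):
    """True if firewall src holds a VTI route to dst_net."""
    return any(net == dst_net for net, _ in routes[src])

if __name__ == "__main__":
    for topo, center in (("mesh", None), ("star", "fw-hq")):
        print(topo, "route-based:", route_based_tunnels(SITES, topo, center),
              "policy-based:", policy_based_tunnels(SITES, topo, center))
    star = vti_routes(SITES, "star", "fw-hq")
    print("fw-lyon -> fw-lille in star:", reachable(star, "fw-lyon", "10.2.0.0/24"))
```

The reachability check makes the star property reviewable before deployment: a satellite holds VTI routes only toward the central site's networks, so any route between two satellites in the plan is a deviation from the topology.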

If X509 certificate authentication is selected, prior to configuring your topologies, you must import a certificate for all the firewalls in your topologies that SMC manages, and also declare certification authorities. The corresponding procedures are described in the section Configuring a policy-based mesh topology.

In this section, we describe the configuration of a route-based mesh topology and the configuration of a route-based star topology. For further detail on each menu and option for configuring VPN tunnels, refer to the Stormshield Network User Configuration Manual.

For further information on setting up IPsec VTIs on firewalls, refer to the relevant Technical note.

NOTE
Comments associated with IPsec interfaces created by SMC are generated from the names of the topology and of peers. If comments exceed 127 characters, they will be truncated. The same applies to comments for host VTI objects if they exceed 255 characters.