Introduction

Product concerned: SNS 2.1 and higher versions

Last update: November 2016

Version 2.x of the Stormshield Network firewall firmware offers the possibility of implementing routed IPSec VPN tunnels. Routing instructions (static or dynamic routing defined by the filter policy) instead of the information defined in the Security Policy Database (SPD) is now used to determine whether packets need to go through this IPSec tunnel.

When defining a routed IPSec tunnel, virtual interfaces act as traffic endpoints. There is no longer the need to specify remote networks in the IPSec policy.

The combined use of router objects and routed tunnels in filter rules therefore allows implementing several types of configurations.

Failover

When a link fails, traffic (encrypted or unencrypted) going through an MPLS network for example, can now be redirected to a backup VPN tunnel set up between sites via the Internet.

Load balancing

Router objects allow in particular implementing load balancing on several Internet access gateways. Load balancing by type of traffic can also be configured using instructions for routing packets to differentiated IPSec tunnels.

Quality of Service (QoS)

The value of the DSCP (Differentiated Services Code Point) field assigned to IP packets makes it possible to direct them to differentiated IPSec tunnels based on the routing instructions defined.

Securing unencrypted traffic

Unencrypted traffic (e.g.: HTTP) can therefore be secured using an IPsec tunnel based on routing, whereas encrypted traffic (HTTPS) going to the same server does not go through a tunnel.