Configuring route-based VPNs
In route-based VPNs, the routing defines which traffic is sent through the VPN tunnel.
Route-Based VPN Tunnel elements represent the endpoints of the tunnel. Tunnel Interfaces allow routing information to be used to determine the correct VPN tunnel to use.
The routing configuration also determines the physical network interfaces on the engine to which the tunnel interfaces are automatically mapped. You can statically define which networks are reachable through each tunnel interface. You can also use dynamic routing to create the routes for traffic to be sent through the VPN tunnels.
When route-based VPN tunnels are in transport mode, the packets are not encapsulated into new IPsec packets. Instead, the original headers of the packet are left intact, and the IP payload of the packet is encrypted. IPsec transport mode is used to encrypt the packets. Other encapsulation, such as generic routing encapsulation (GRE) or IP in IP (IP-IP), must be used to add the tunnel endpoint IP addresses in front of the original packet header.
When route-based VPN tunnels are in tunnel mode, the encryption is provided by a policy-based VPN.
Configuring route-based VPNs consists of these general steps:
- Create a tunnel interface for one end of the VPN.
- Create a tunnel interface for the other end of the VPN.
- Create a Route-Based VPN Tunnel element that references both ends of the VPN.
In the Route-Based VPN Tunnel element, you can select the tunnel type and a VPN Profile to use.
- (Optional) Create Tunnel Groups to group Route-Based VPN Tunnel elements.
Each tunnel can be added to a Tunnel Group element. The groups allow you to organize the tunnels, and you can view the groups in the VPN section in the Home view.
- Create Access rules to allow traffic between the internal network and the networks that are reachable through the route-based VPNs.