A Policy-Based VPN is an IPsec VPN where the traffic to be encrypted is selected based on policies (rules), typically defined as Access Control Lists (ACLs).
How It Works:
Policy Creation:
Define which networks/subnets can communicate securely (e.g., LAN A ↔ LAN B).
Traffic Matching:
When a packet meets the defined policy, it is encrypted using IPsec protocols. The encryption process uses the chosen Authentication Type and Pre-shared Key (PSK) to secure the connection. The matching process is the same on the local and remote peers: only traffic that meets the policy on both sides is encrypted, transmitted, and accepted.
Phase 1 (IKE/ISAKMP):
The peers authenticate each other and establish a secure channel using the negotiated encryption (e.g., 3DES), hash (e.g., MD5), DH key group (e.g., 14/modp2048), and lifetime (e.g., 28,800 seconds).
Phase 2 (ESP):
The actual IP traffic is encrypted and transmitted using the negotiated encryption (e.g., 3DES), hash (e.g., MD5), PFS key group (e.g., 2/modp1024), and lifetime (e.g., 28,800 seconds).
Encryption and Transmission:
Matching traffic is encapsulated and sent to the remote peer.
Decryption on Remote Side:
The receiving peer checks the policy and decrypts the traffic.
Step-by-Step Configuration – Site A
Step 1: Go to the Profile Interface section, select Tunnel and click Create Tunnel.

Step 2:
Go to IKE Version details and IPsec Tunnel mode details, and select Policy based.
Go to Local Network Details, select Default WAN for Gateway mode and allow the Local Subnet.
Go to Remote Network Details, select the Initiator type and enter the Remote Server IP address (the public IP of the peer site).
Specify the Remote Subnet that should be accessible through the tunnel.
(Note: Site A and Site B use identical IPsec VPN tunnel configurations. Since this setup is for Site A, the Remote IP should be Site B’s public IP address, and the Remote Subnet should be Site B’s local subnet range.)

Step 3:
Go to Authentication details and enter the Pre-shared key (it must be the same on both sides).
Go to Phase 1 and Phase 2 configuration; these settings must be the same on both sides.

Step 4: Go to Advanced, select Applicable for Gateway and save.

Step-by-Step Configuration – Site B
Step 1: Go to the Profile Interface section, select Tunnel and click Create Tunnel.

Step 2:
Go to IKE Version details and IPsec Tunnel mode details, and select Policy based.
Go to Local Network Details, select Default WAN for Gateway mode and allow the Local Subnet.
Go to Remote Network Details, select the Initiator type and enter the Remote Server IP address (the public IP of the peer site).
Specify the Remote Subnet that should be accessible through the tunnel.
(Note: Site A and Site B use identical IPsec VPN tunnel configurations. Since this setup is for Site B, the Remote IP should be Site A’s public IP address, and the Remote Subnet should be Site A’s local subnet range.)

Step 3:
Go to Authentication details and enter the Pre-shared key (it must be the same on both sides).
Go to Phase 1 and Phase 2 configuration; these settings must be the same on both sides.

Step 4: Go to Advanced, select Applicable for Gateway and save.

The IPsec tunnel should now be established successfully.
Device 1 Status:
Device 2 Status: 
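The following is an added example (not the vendor's own code) that models the two-site, policy-based tunnel described above: it checks that the Site A and Site B configurations mirror each other as the steps require (remote IP and remote subnet of one side equal the WAN IP and local subnet of the other; same PSK, IKE version, Phase 1 and Phase 2 proposals), and it decides which packets the policy would select for encryption on both sides. All addresses, the PSK and the proposal values are constructed sample values.

```python
# Added example, not the vendor's code. Addresses, PSK and proposals are constructed.
from ipaddress import ip_address, ip_network

# Phase 1 / Phase 2 proposal tuple: (encryption, hash, DH or PFS group, lifetime secs)
SITE_A = {
    "wan_ip": "203.0.113.10", "local_subnet": "192.168.10.0/24",
    "remote_ip": "198.51.100.20", "remote_subnet": "192.168.20.0/24",
    "psk": "sample-psk-change-me", "ike_version": "IKEv2",
    "phase1": ("aes256", "sha256", "modp2048", 28800),
    "phase2": ("aes256", "sha256", "modp2048", 28800),
}
SITE_B = {
    "wan_ip": "198.51.100.20", "local_subnet": "192.168.20.0/24",
    "remote_ip": "203.0.113.10", "remote_subnet": "192.168.10.0/24",
    "psk": "sample-psk-change-me", "ike_version": "IKEv2",
    "phase1": ("aes256", "sha256", "modp2048", 28800),
    "phase2": ("aes256", "sha256", "modp2048", 28800),
}

def mirror_errors(a, b):
    """Return the reasons the two configurations would fail to form a tunnel."""
    errs = []
    for local, peer, name in ((a, b, "A"), (b, a, "B")):
        if local["remote_ip"] != peer["wan_ip"]:
            errs.append(f"Site {name}: remote IP is not the peer's WAN IP")
        if local["remote_subnet"] != peer["local_subnet"]:
            errs.append(f"Site {name}: remote subnet is not the peer's local subnet")
    for key in ("psk", "ike_version", "phase1", "phase2"):
        if a[key] != b[key]:
            errs.append(f"{key} differs between sites")
    return errs

def policy_matches(site, src, dst):
    """True if a packet src -> dst is selected by this site's policy (local -> remote)."""
    return (ip_address(src) in ip_network(site["local_subnet"])
            and ip_address(dst) in ip_network(site["remote_subnet"]))

def tunnel_protects(a, b, src, dst):
    """A packet from A's LAN to B's LAN is encrypted, sent and accepted only when it
    matches A's policy outbound and B's policy for the reply direction."""
    return policy_matches(a, src, dst) and policy_matches(b, dst, src)

if __name__ == "__main__":
    print("mirror errors:", mirror_errors(SITE_A, SITE_B))
    print("LAN A -> LAN B:", tunnel_protects(SITE_A, SITE_B, "192.168.10.5", "192.168.20.7"))
    print("LAN A -> Internet:", tunnel_protects(SITE_A, SITE_B, "192.168.10.5", "203.0.113.77"))
```

Traffic to a destination outside the configured remote subnet is not selected by the policy and leaves the gateway unencrypted, which is why the Remote Subnet on each side must be the peer's exact local range.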