This article describes how to enable connectivity from the WAF on a Sophos Firewall that is also the IPsec gateway to a remote web server reached over a site-to-site IPsec connection. The WAF's traffic originates from the firewall's LAN or DMZ interface, and that interface address must be included in the IPsec connection's allowed networks for the connection to use the tunnel.
Applies to the following Sophos products and versions: Sophos Firewall
Configure WAF by referring to Sophos XG Firewall: WAF configuration guide.
Configure the site-to-site IPsec connection by referring to Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key.
Once both are configured, check that the XG Firewall's physical interface IP address on the LAN or DMZ (the interface from which the WAF connects out) is included in the allowed networks of the IPsec connection.
By default, the connection from the WAF (XG Firewall on Site B) to the web server (behind XG Firewall on Site A) is sourced from the WAN interface IP, which is not part of the IPsec allowed networks and is therefore not carried through the tunnel. Adding the XG Firewall's LAN/DMZ interface IP address (192.168.0.1 in this example) to the allowed networks of the IPsec connection installs that address in the IPsec route, so the firewall uses it as the source IP when connecting to the web server over the IPsec connection.
To verify which IP address the XG Firewall at Site B (where the WAF is configured) uses to reach the web server, run the following command in the Advanced Shell:
ip route get <Web-server address>
In this example scenario, the web server's IP is 192.168.4.10 and 192.168.0.1 is the LAN interface IP of the WAF-configured XG Firewall at Site B.
ip route get 192.168.4.10
The output is:
192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0
If the local interface IP is not included in the allowed networks of the IPsec connection, the route still selects ipsec0 (the remote subnet is in routing table 220, which holds the IPsec routes), but the source address falls back to the WAN interface IP. That address is not covered by the IPsec allowed networks, so the traffic is not carried through the tunnel.
The output then is:
192.168.4.10 dev ipsec0 table 220 src 22.214.171.124 uid 0
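The check above is easy to do by eye for one connection, but when several allowed networks are configured it helps to have the comparison done for you. The following POSIX sh script is an added example, not part of the Sophos article or product: it extracts the src address from the first line of ip route get output and tests whether it falls inside any of the IPsec connection's allowed networks. The two route lines are constructed to mirror the outputs shown above, and the allowed-network list (the Site B LAN 192.168.0.0/24) is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the Sophos article): parse the first line of
# "ip route get <web-server>" and check whether the chosen source address
# lies inside one of the IPsec connection's allowed networks.
# Uses only POSIX sh so it can run from the firewall's Advanced Shell.

# ip_to_int DOTTED_QUAD -> prints the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/PREFIX -> returns 0 if IP lies inside the network.
# A bare address without "/prefix" is treated as a single host (/32).
in_cidr() {
    ip_int=$(ip_to_int "$1")
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    net_int=$(ip_to_int "$net")
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# route_src ROUTE_LINE -> prints the address that follows "src" in a line
# such as "192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0".
route_src() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "src" ]; then
            echo "$2"
            return 0
        fi
        shift
    done
    return 1
}

# check_route ROUTE_LINE "NET1 NET2 ..." -> 0 if the source address is inside
# one of the allowed networks, 1 if it is not (the WAN-IP case from the
# article), 2 if the line carries no "src" field at all.
check_route() {
    src=$(route_src "$1") || { echo "no src field in route line: $1"; return 2; }
    for n in $2; do
        if in_cidr "$src" "$n"; then
            echo "OK: source $src is inside IPsec allowed network $n"
            return 0
        fi
    done
    echo "MISMATCH: source $src is not in any allowed network ($2);" \
         "add the LAN/DMZ interface IP to the IPsec connection's allowed networks"
    return 1
}

# Constructed sample lines mirroring the two outputs shown in the article
# (not captured from a live firewall). The allowed-network list is an
# assumption for the example: the Site B LAN subnet.
LOCAL_NETS="192.168.0.0/24"
GOOD_ROUTE="192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0"
BAD_ROUTE="192.168.4.10 dev ipsec0 table 220 src 22.214.171.124 uid 0"

for r in "$GOOD_ROUTE" "$BAD_ROUTE"; do
    check_route "$r" "$LOCAL_NETS" || :
done

# On the firewall itself, feed the live output instead. head -n 1 keeps only
# the route line, since ip route get prints a trailing "cache" line as well:
#   check_route "$(ip route get 192.168.4.10 | head -n 1)" "$LOCAL_NETS"
```

A MISMATCH result with the WAN address as source is exactly the second output shown above; the fix is the one the article describes, adding the LAN/DMZ interface IP to the connection's allowed networks and re-running ip route get until the source is a LAN/DMZ address.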