This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Routing single local host internet traffic through remote IPSec tunnel gateway

Hi to all,

I have one UTM 9 at HQ site and one UTM 9 at branch site with IPSec Active tunnel between them.

I would like, only for some specific hosts in HQ site,  to  present themselves on Internet using Branch site WAN IP address instead of HQ wan IP.

It is possible with some SNAT / routing rule? What would be the best way to address it?

 

thank you all



This thread was automatically locked due to age.
  • Hoi Marcello and welcome to the UTM Community!

    Ideally, this would be done with two separate tunnels - one for the subnet where the specific hosts are and one for all of the other devices.  If you have a LAN that's 172.17.2.0/24, you could change every device's subnet mask to /23 and assign the specific hosts fixed IPs in 172.17.3.0/24. Then, you just add a second tunnel for '{172.17.3.0/24} <--> {remote subnets & Internet IPv4}'.

    Instead of changing every device's subnet mask to /23. a little less intuitive would be to create a "phantom" subnet of 172.17.22.0/24, a tunnel for '{172.17.22.0/24} <--> {remote subnets & Internet IPv4}' and a 1-to-1 Source NAT like ''{group of specific hosts} -> Any -> {remote subnets & Internet IPv4} : from {a group of IPs in 172.17.22.0/24}'.  Note that the two groups must be the same size and you must select that the rule applies to IPsec packets in 'Advanced'.

    Please let us know which method you chose and what drove that decision.

    Cheers- Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • possible a policy-(default) route would work.

    i would try:  policy routes / from:special hosts / to:any(or better needed destinations) / services: any (or known needed) -> Gateway: IPS-Router


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi dirkkotte, thank for your reply. I read in some other posts that you can't forward packets in VPN tunnels via Policy routing...

    anyway I tried your suggestion because it was a worth and easy try but unfortunately it's seems that it doesn't works...

  • Hi Balfson,

    thank for your reply. I would like to try the second way because unfortunately change subnet is not an option.

    I miss some details on your suggestion. If I create another subnet into Site1 how I can bind it to the local gateway in same site? Do I need to add another interface?

    I'm sorry I can't picture the scenario...

    I also forgot to specify that remote gateway is "respond only" gateway type, don't know if this could impact the scenario

     

    thanks!

  • "Instead of changing every device's subnet mask to /23. a little less intuitive would be to create a "phantom" subnet of 172.17.22.0/24, a tunnel for '{172.17.22.0/24} <--> {remote subnets & Internet IPv4}' and a 1-to-1 Source NAT like ''{group of specific hosts} -> Any -> {remote subnets & Internet IPv4} : from {a group of IPs in 172.17.22.0/24}'.  Note that the two groups must be the same size and you must select that the rule applies to IPsec packets in 'Advanced'."

    No additional interface required, just an additional site-to-site IPsec tunnel with {172.17.22.0/24} in 'Local Networks', "Internet IPv4" and the remote subnet(s) in 'Remote Networks' and the corresponding configuration at the remote site.  If you aren't using X509 certs (How to create an X509 key based Site-to-Site VPN), you will want to use a different PSK for the second tunnel and select probing of PSKs on the 'Advanced' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    thanks to your updates now second tunnel is in place, both IPsecs are connected and running, PSK probing activated.

    Now I have: HQ Subnet : 192.168.46.x/24, Remote Subnet 192.168.44.x/24 and a single test client (just temporary instead of Phantom Net) with ip 192.168.46.105

    Now (I'm hard-witted) the unclear part is the SNAT rule, the single test host still going to internet on HQ gateway....

    Any other advice?

    Thanks!

  • I can't "see" this, Marcello.  Please show pictures of the Edits of the IPsec Connection and the Remote Gateway for both IPsec tunnels.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ik would agree with dirkkotte that (policy) routing is probably the issue.

    With (IPSec) VPN tunnels you can connect all local networks attached to both UTM's (provided that you enter them in the local networks list of the connection). However, access to the internet will still be done through the default gateway of each UTM, so your HQ machines will be routed through the WAN interface of the HQ, unless you redirect the traffic of the specific server(s) trough the tunnel to the WAN interface of the other UTM.

    Instead of policy routes / from:special hosts / to:any(or better needed destinations) / services: any (or known needed) -> Gateway: IPS-Router  on the HQ UTM as dirkkotte suggested, I would try  policy routes / from:special hosts / to:internet / services: any (or known needed) -> Gateway: IPS-Router on the HQ UTM as this would limit the route to traffic going to the WAN interface instead of any.

    You mentioned that it seems that this doesn't work. Can you elaborate on how you came to this conclusion, eg traceroute ? 

    Also important would be that either the SNAT rule on the branch UTM would have the 'automatic firewall rule' checked or, preferably, you would create a firewall rule on the branch UTM allowing the desired traffic to go out.

    If Policy routing wont go through the VPN tunnel, I believe static routing (gateway route from special hosts to IPS-Router) could also work. In this scenario you would have to create the necessary firewall rules.

    Regards,

     

    Karl-Heinz

     

  • Hi Bob, 

    Unfortunately at the moment I had to remove second tunnel since it caused some sort of issues to normal connectivity so to avoid user impact I had to restore initial configuration. 

    For sure I have misunderstood instructions but I think I have to leave original config to avoid other services disruption.

    At the moment I "worked around" by activating proxy server on remote gateway and setting up specific hosts to use it to access internet.

    BTW I really like to understand how to implement it in the right way, as soon as possible I will post screenshot of tunnel in place.

    Thanks again for your help

  • Hi Karl,

    thank you for partecipating and for your kind reply.

    I tried several policy routes as you suggested, both with Group of specific hosts as well as a single test host. When I activate the policy routes the internet services goes down, destinations become unreachable. Tracert become unreachable as well at first hop. It seems that for any reason packets can't be routed into existing VPN tunnels.

    On the other side, as I said to Bob in the above post I can use remote gateway using proxy service and in this way at least internet browsing route through the needed route.

    Don't know how to implement in the correct way so that whole internet traffic route through vpn, and this only for a specific subnet or Group of hosts...

     

    Thank you !

     

    MR