Routing single local host internet traffic through remote IPSec tunnel gateway

Hi to all,

I have one UTM 9 at HQ site and one UTM 9 at branch site with IPSec Active tunnel between them.

I would like, only for some specific hosts in the HQ site, to present themselves on the Internet using the Branch site WAN IP address instead of the HQ WAN IP.

Is it possible with some SNAT / routing rule? What would be the best way to address it?

Thank you all

  • Hi Marcello and welcome to the UTM Community!

    Ideally, this would be done with two separate tunnels - one for the subnet where the specific hosts are and one for all of the other devices.  If you have a LAN that's 172.17.2.0/24, you could change every device's subnet mask to /23 and assign the specific hosts fixed IPs in 172.17.3.0/24. Then, you just add a second tunnel for '{172.17.3.0/24} <--> {remote subnets & Internet IPv4}'.

    Instead of changing every device's subnet mask to /23, a little less intuitive would be to create a "phantom" subnet of 172.17.22.0/24, a tunnel for '{172.17.22.0/24} <--> {remote subnets & Internet IPv4}' and a 1-to-1 Source NAT like '{group of specific hosts} -> Any -> {remote subnets & Internet IPv4} : from {a group of IPs in 172.17.22.0/24}'. Note that the two groups must be the same size and you must select that the rule applies to IPsec packets in 'Advanced'.

    Please let us know which method you chose and what drove that decision.

    Cheers- Bob

  • Possibly a policy (default) route would work.

    I would try: policy routes / from: special hosts / to: any (or better, the needed destinations) / services: any (or the known needed ones) -> Gateway: IPS-Router

  • In reply to dirkkotte:

    Hi dirkkotte, thanks for your reply. I read in some other posts that you can't forward packets in VPN tunnels via policy routing...

    Anyway, I tried your suggestion because it was a worthwhile and easy try, but unfortunately it seems that it doesn't work...

  • In reply to BAlfson:

    Hi Balfson,

    thanks for your reply. I would like to try the second way because unfortunately changing the subnet is not an option.

    I'm missing some details of your suggestion. If I create another subnet in Site1, how can I bind it to the local gateway in the same site? Do I need to add another interface?

    I'm sorry, I can't picture the scenario...

    I also forgot to specify that the remote gateway is of the "respond only" gateway type; I don't know if this could impact the scenario.

    thanks!

  • In reply to Marcello Reggiore:

    "Instead of changing every device's subnet mask to /23, a little less intuitive would be to create a "phantom" subnet of 172.17.22.0/24, a tunnel for '{172.17.22.0/24} <--> {remote subnets & Internet IPv4}' and a 1-to-1 Source NAT like '{group of specific hosts} -> Any -> {remote subnets & Internet IPv4} : from {a group of IPs in 172.17.22.0/24}'. Note that the two groups must be the same size and you must select that the rule applies to IPsec packets in 'Advanced'."

    No additional interface required, just an additional site-to-site IPsec tunnel with {172.17.22.0/24} in 'Local Networks', "Internet IPv4" and the remote subnet(s) in 'Remote Networks' and the corresponding configuration at the remote site.  If you aren't using X509 certs (How to create an X509 key based Site-to-Site VPN), you will want to use a different PSK for the second tunnel and select probing of PSKs on the 'Advanced' tab.

    Cheers - Bob

  • In reply to BAlfson:

    Hi BAlfson,

    thanks to your updates, the second tunnel is now in place; both IPsecs are connected and running, PSK probing activated.

    Now I have: HQ subnet: 192.168.46.x/24, remote subnet: 192.168.44.x/24 and a single test client (just temporary, instead of the phantom net) with IP 192.168.46.105

    Now (I'm hard-witted) the unclear part is the SNAT rule; the single test host is still going to the internet via the HQ gateway...

    Any other advice?

    Thanks!

  • In reply to Marcello Reggiore:

    I can't "see" this, Marcello.  Please show pictures of the Edits of the IPsec Connection and the Remote Gateway for both IPsec tunnels.

    Cheers - Bob

  • In reply to Marcello Reggiore:

    I would agree with dirkkotte that (policy) routing is probably the issue.

    With (IPSec) VPN tunnels you can connect all local networks attached to both UTM's (provided that you enter them in the local networks list of the connection). However, access to the internet will still be done through the default gateway of each UTM, so your HQ machines will be routed through the WAN interface of the HQ, unless you redirect the traffic of the specific server(s) through the tunnel to the WAN interface of the other UTM.

    Instead of policy routes / from: special hosts / to: any (or better, the needed destinations) / services: any (or known needed) -> Gateway: IPS-Router on the HQ UTM as dirkkotte suggested, I would try policy routes / from: special hosts / to: internet / services: any (or known needed) -> Gateway: IPS-Router on the HQ UTM, as this would limit the route to traffic going to the WAN interface instead of any.

    You mentioned that it seems that this doesn't work. Can you elaborate on how you came to this conclusion, e.g. traceroute?

    Also important would be that either the SNAT rule on the branch UTM has the 'automatic firewall rule' checked or, preferably, you create a firewall rule on the branch UTM allowing the desired traffic to go out.

    If policy routing won't go through the VPN tunnel, I believe static routing (gateway route from special hosts to IPS-Router) could also work. In this scenario you would have to create the necessary firewall rules.

    Regards,

    Karl-Heinz

  • In reply to BAlfson:

    Hi Bob,

    Unfortunately, at the moment I had to remove the second tunnel since it caused some sort of issues with normal connectivity, so to avoid user impact I had to restore the initial configuration.

    For sure I have misunderstood the instructions, but I think I have to leave the original config to avoid disruption of other services.

    At the moment I "worked around" it by activating the proxy server on the remote gateway and setting up the specific hosts to use it to access the internet.

    BTW, I would really like to understand how to implement it in the right way; as soon as possible I will post screenshots of the tunnel in place.

    Thanks again for your help

  • In reply to Karl-Heinz van Hardeveld:

    Hi Karl,

    thank you for participating and for your kind reply.

    I tried several policy routes as you suggested, both with the group of specific hosts as well as a single test host. When I activate the policy routes, the internet services go down and destinations become unreachable. Tracert becomes unreachable as well at the first hop. It seems that for some reason packets can't be routed into the existing VPN tunnels.

    On the other side, as I said to Bob in the post above, I can use the remote gateway via the proxy service, and in this way at least internet browsing goes through the needed route.

    I don't know how to implement it in the correct way so that all internet traffic routes through the VPN, and only for a specific subnet or group of hosts...

    Thank you!

    MR

  • In reply to Marcello Reggiore:

    Hi Marcello,

    Hmm, I'm curious as to your exact configuration. As I am afraid that this question may come up in my configuration in the future, I wanted to know for sure why things did not work or how to get them working.

    By the power of virtualization, I've created a test setup. This setup is very simple, but I think it represents your question.

    I've installed two UTM's with two interfaces, one WAN and one internal.

    Both UTM's have the same default gateway in this setup (I've only got one internet connection here at home), but I don't think this influences the result.

    My simple setup for UTM-1:

    I created a firewall rule any <->any

    I masqueraded the internal network to WAN:

    Now I've got a Windows server on the internal network, ip address 192.168.5.10, gateway 192.168.5.1, dns 8.8.8.8. I've got another server, ip address 192.168.5.20 gateway 192.168.5.1, dns 8.8.8.8.

    this works, eg tracert to this forum:

    So this is your HQ server so to speak.

    Now I've got a second UTM, UTM-2 with this simple setup:

    I created a firewall rule any <->any

    I masqueraded the internal network to WAN:

    In this network, I've also got a server, IP address 192.168.6.10, gateway 192.168.6.1, dns 8.8.8.8

    this also works, eg tracert to this forum:

    I've created a simple IPSEC connection between the two UTM's:
    First gateway definition on UTM-1:

    and gateway definition on UTM-2:

    In this example both gateways are set to 'initiate connection', but this is not mandatory.

    Then I create the connection on UTM-1:

    and on UTM-2:

    Enable the connection and I've got a VPN between the two UTM systems:

    I can test this by pinging the Windows host on the other end.

    Without VPN from Host 1 (HQ):

    with VPN from host 1 (HQ):

    So now back to your question, how to route traffic from Host 1 (HQ) through UTM-2 to the outside world.

    As shown before, traceroute from this host goes through UTM-1.

    I've created a gateway policy route bound to the Intern interface of UTM-1, with the HQ host as Source Network for any service going to IPv4 internet to be sent to the Intern interface of UTM-2:

    If I enable this rule and I do a traceroute from Host 1 (HQ), I now get a different path:

    As you can see the traffic is now routed through UTM-2.

    The same traceroute from the other host in the HQ network that is not part of the gateway policy route shows the 'normal' path:

    As my own 'home' UTM is the gateway to the internet, I checked the results in my firewall log by going to a simple website with one ip address to see if the source address did change. Strangely enough it did not, although a TCP dump from the console on UTM-2 did show that the traffic was going out of UTM-2 and not UTM-1.

    In the end I did something counter-intuitive and created the following SNAT rule on UTM-2 (your branch office so to speak):

    This seems to work:

    Remember, in both cases, the HQ machine (192.168.5.10) was the one creating the web request.

    So the external address from UTM-1 was SNATted to the external address of UTM-2. This one I cannot really explain, but probably this is due to the fact that both UTM's have an external address in the same subnet. To be sure I would have to test with two separate external addresses. I haven't got access to such a config yet, but will try to get it. As soon as I do, I will post the final result.


    So according to this simulation it should be possible to route one specific host (or network group of hosts) through a VPN tunnel to an external address.

    I don't know if this answer will still be helpful for you, as Bob has provided a solution that has proven to work in your situation. But it has been fun figuring this out and hopefully someone can use this info :)

    Best Regards,

    Karl-Heinz

  • In reply to Karl-Heinz van Hardeveld:

    Hi Karl-Heinz,

    thank you so much for your real commitment to the post :-)

    More or less our environment is likely your virtual test environment, except we have hardware appliances and two different internet connections.

    here is our tunnel

    and I can ping both gateways from each site as well.

    I have a test host WS10 that can browse internet:

    So I create the policy route:

    When active, the internet becomes unreachable:

    Even with the SNAT rule on the remote site:

    Tried with automatic firewall rules and by checking the "Rule applies to IPSec Packets" box

    same result ... Internet Unreachable

    Seeing this I have to agree with Bob that for some reason policy routes do not apply to IPsec tunnel...

  • In reply to Marcello Reggiore:

    Hi Marcello,

    Some questions just to be sure (since we now have both a working policy route through IPSEC and a non-working policy route through IPSEC):

    Is the RemoteIPSEC gateway the LAN/Internal adapter on your branch UTM? It's the only difference I can think of for now between your environment and the VM test environment

    Can the WS10 host ping IP addresses in the branch LAN if the policy route is not active? In my test environment I accepted the remote LAN for each connection and offered the local LAN.

    Regards,

    Karl-Heinz

  • In reply to Karl-Heinz van Hardeveld:

    Hi Karl-Heinz,

    yes to both questions: the UTMs are the gateways of the sites and I can ping hosts in the other site from any of the hosts; when the route policy is active the host becomes unresponsive..

    Regards

    MR

  • In reply to Marcello Reggiore:

    Keep in mind the security associations here: you are not doing host -> ANY in the IPsec tunnel but specific networks / hosts to each other.

    IPSEC would drop all traffic that doesn't match the security association.

    You can get around this for inbound traffic by doing a Full NAT on the remote gateway that changes the source to go through the tunnel and hit the site on the other side.

    Something like:

    For traffic from ANY host

    Using service: whatever service

    Going to: External of UTMgateway2

    Change destination to: Webserver IP across the tunnel

    Change source to: Interface IP of this side of the tunnel

    Check rule applies to IPSEC packets.
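The security-association point in the reply above and Bob's phantom-subnet 1-to-1 SNAT earlier in the thread can be modelled together: IPsec only carries a packet whose (source, destination) pair falls inside a traffic selector of some tunnel, so a policy route that pushes 192.168.46.105 -> Internet at a tunnel whose only selector is HQ LAN <-> branch LAN gives the "internet unreachable" symptom, while SNATting that host into a phantom subnet that has its own '{phantom} <--> {Internet IPv4}' tunnel makes it match. The following Python model is an added example, not code from the thread or from Sophos; the phantom subnet 172.17.22.0/24, the pairing 192.168.46.105 -> 172.17.22.105 and the Internet host 203.0.113.7 are constructed.

```python
from ipaddress import ip_address, ip_network


def make_spd(pairs):
    """Security Policy Database: list of (local selector, remote selector) networks."""
    return [(ip_network(loc), ip_network(rem)) for loc, rem in pairs]


# The thread's original tunnel: HQ LAN <-> branch LAN.
SPD_ONE_TUNNEL = make_spd([("192.168.46.0/24", "192.168.44.0/24")])

# Bob's second tunnel added: '{phantom subnet} <--> {remote subnets & Internet IPv4}'.
# The phantom subnet 172.17.22.0/24 is assumed, as in his reply.
SPD_TWO_TUNNELS = make_spd([
    ("192.168.46.0/24", "192.168.44.0/24"),
    ("172.17.22.0/24", "192.168.44.0/24"),
    ("172.17.22.0/24", "0.0.0.0/0"),
])

# 1-to-1 SNAT: the group of specific hosts -> a same-size group of phantom IPs.
# The pairing 192.168.46.105 -> 172.17.22.105 is constructed for this example.
SNAT_RULES = [(["192.168.46.105"], ["172.17.22.105"])]


def spd_match(spd, src, dst):
    """True if some selector pair protects src -> dst (an SA would carry it)."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in loc and d in rem for loc, rem in spd)


def snat_1to1(rules, src):
    """Rewrite src to its phantom address; groups must be the same size (Bob's note)."""
    for hosts, phantoms in rules:
        if len(hosts) != len(phantoms):
            raise ValueError("1-to-1 SNAT groups must be the same size")
        if src in hosts:
            return phantoms[hosts.index(src)]
    return src


def egress(spd, snat_rules, src, dst):
    """Classify a packet pushed at the tunnel: SNAT first, then the SPD lookup.
    Returns ('ipsec', translated_src) when a selector matches, otherwise
    ('no_sa', translated_src): IPsec discards it, the 'internet unreachable' symptom."""
    new_src = snat_1to1(snat_rules, src)
    state = "ipsec" if spd_match(spd, new_src, dst) else "no_sa"
    return state, new_src


if __name__ == "__main__":
    internet_host = "203.0.113.7"  # constructed documentation address
    print(egress(SPD_ONE_TUNNEL, [], "192.168.46.105", internet_host))  # ('no_sa', '192.168.46.105')
    print(egress(SPD_TWO_TUNNELS, SNAT_RULES, "192.168.46.105", internet_host))  # ('ipsec', '172.17.22.105')
```

A host outside the SNAT group (for example 192.168.46.50) still gets no_sa with both tunnels, which is why it must keep its normal default route through the HQ WAN rather than being policy-routed into the tunnel.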