Routing single local host internet traffic through remote IPSec tunnel gateway

Hi to all,

I have one UTM 9 at HQ site and one UTM 9 at branch site with IPSec Active tunnel between them.

I would like only some specific hosts in the HQ site to present themselves on the Internet using the Branch site WAN IP address instead of the HQ WAN IP.

Is it possible with some SNAT / routing rule? What would be the best way to address it?

 

thank you all
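The question above, worked through as an added example that is not from this thread or from Sophos: a small Python model of IPsec traffic-selector matching plus SNAT, using constructed addresses, showing that the selected HQ hosts need a host-to-Any selector pair mirrored on both sides and a branch-side SNAT rule, otherwise their packets leave the branch with a private source address.

```python
import ipaddress
from dataclasses import dataclass

# All addresses below are constructed for this example (hypothetical sites).
HQ_WAN = ipaddress.ip_address("198.51.100.10")
BRANCH_WAN = ipaddress.ip_address("203.0.113.20")
HQ_LAN = ipaddress.ip_network("10.1.0.0/24")
BRANCH_LAN = ipaddress.ip_network("10.2.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
# The few HQ hosts that should reach the internet through the branch.
VIA_BRANCH = [ipaddress.ip_network("10.1.0.50/32"),
              ipaddress.ip_network("10.1.0.51/32")]

@dataclass(frozen=True)
class Selector:
    local: ipaddress.IPv4Network   # "Local networks" of the IPsec connection
    remote: ipaddress.IPv4Network  # "Remote networks" of the IPsec connection

# HQ side: the usual LAN<->LAN pair plus host -> Any for each selected host.
HQ_TUNNEL = [Selector(HQ_LAN, BRANCH_LAN)] + [Selector(h, ANY) for h in VIA_BRANCH]
# Branch side must mirror it: Any <- host.
BRANCH_TUNNEL = [Selector(BRANCH_LAN, HQ_LAN)] + [Selector(ANY, h) for h in VIA_BRANCH]

def matches(selectors, local, remote):
    """True if some selector pair covers the flow (local side, remote side)."""
    return any(local in s.local and remote in s.remote for s in selectors)

def masquerade(rules, src, dst):
    """Apply the first SNAT rule (source net, destination net, new source) that matches."""
    for src_net, dst_net, new_src in rules:
        if src in src_net and dst in dst_net:
            return new_src
    return src  # no rule matched: packet keeps its original source address

# Branch-side SNAT: traffic from the selected HQ hosts to anywhere leaves as BRANCH_WAN.
BRANCH_SNAT = [(h, ANY, BRANCH_WAN) for h in VIA_BRANCH]
HQ_SNAT = [(HQ_LAN, ANY, HQ_WAN)]

def source_seen_on_internet(src, dst, branch_snat=BRANCH_SNAT):
    """Address an internet server at `dst` sees for a packet from HQ host `src`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if matches(HQ_TUNNEL, src, dst):
        # Encapsulated to the branch; the branch's selectors must agree or it is dropped.
        if not matches(BRANCH_TUNNEL, dst, src):
            return None
        return masquerade(branch_snat, src, dst)
    return masquerade(HQ_SNAT, src, dst)

if __name__ == "__main__":
    print(source_seen_on_internet("10.1.0.50", "192.0.2.7"))  # 203.0.113.20
    print(source_seen_on_internet("10.1.0.99", "192.0.2.7"))  # 198.51.100.10
    print(source_seen_on_internet("10.1.0.50", "192.0.2.7", branch_snat=[]))  # 10.1.0.50
```

The last call shows the failure mode with no branch SNAT rule: the packet exits the branch WAN with a private 10.1.0.50 source, so replies never come back.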

  • In reply to Marcello Reggiore:

    You guys might both be interested in considering Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE).  All of the screens are in English, Marcello, so even if you don't read German, you should find the article accessible.

    Cheers - Bob

  • In reply to BAlfson:

    Just a quick update on how I finally worked around the question. I created a RED tunnel and bridged a new interface in the HQ UTM to it. Then I connected a little WiFi router to the bridged interface. When people from the branch office come to HQ with their laptops, they connect to the bridged WiFi so they can continue to access the internet presenting the Branch Office WAN IP, maintaining their access to cloud resources.

    A big thank you to all; every idea and suggestion came from this community.

  • In reply to BAlfson:

    Just a follow-up on this as I am setting up a similar setup right now. Do I need to actually have two separate tunnels/gateways/connections created? I'm not understanding how this segregates the traffic, whether they are listed as separate networks within the tunnel or as separate VPN connections/tunnels?

  • If all that's fine, then also check that your local firewall is configured to route traffic through the right interface. Finally, try to run e.g. tracert <remote vm ip> and see what it returns.

  • In reply to Aaron Becker:

    Not sure what you mean by "a similar setup," Aaron.

    Cheers - Bob

  • In reply to BAlfson:

    Similar setup in the sense that I have a branch office and an HQ, and I'm trying to route all the internet-bound traffic for a subnet to another site as an exit point.

    I tried with the policy based route which breaks the connection and doesn’t work / nothing pings or routes.

    If I try adding 0.0.0.0 to the IPSec tunnel - the tunnel doesn’t establish.

    The question I poorly worded last night was: do I need two entirely independent tunnel connections, or just the subnets listed separately in the local/remote networks on either side respectively?

  • In reply to Aaron Becker:

    Show us pictures of the Edits of the IPsec Connection and Remote Gateway for both sides, and tell us if/where Web Filtering is being done: at the exit point site, the other site, or both.

    Cheers - Bob