
ipsec subnet route precedence

Hello.

I have a "simple" issue:

I need to build two IPsec tunnels in which the destination is the same subnet, so my question is about the route precedence in case I make a more narrow tunnel (or even a host tunnel) on one side to solve this.

For example:

one tunnel has 192.168.0.0/24

the second tunnel I make with 192.168.0.22/32

In normal routing, the more narrow route takes precedence over all others (and I do have several other PPTP S2S that overlap with IPsec like this, but none with 2 IPsec tunnels), but what happens with IPsec?

Do I make both IPsec tunnels with "bind to local" and then policy route ONLY the host .22 on the 2nd tunnel? (for example, if it were only one host)
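An added illustration of why the question matters (example code, not from this thread or from Sophos): a routing table picks the most specific prefix regardless of order, whereas RFC 4301 defines the SPD as an ordered list in which the first matching selector wins, so with the two selectors above the tunnel chosen for host .22 depends on which policy is listed first. The tunnel names and the two policy orderings are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: the two overlapping remote selectors from the question,
# each mapped to the tunnel (assumed names) that should carry its traffic.
@dataclass(frozen=True)
class Policy:
    remote: ipaddress.IPv4Network
    tunnel: str

# Two possible administrator orderings of the same pair of policies.
SPD_WIDE_FIRST: List[Policy] = [
    Policy(ipaddress.ip_network("192.168.0.0/24"), "tunnel_A"),
    Policy(ipaddress.ip_network("192.168.0.22/32"), "tunnel_B"),
]
SPD_NARROW_FIRST: List[Policy] = list(reversed(SPD_WIDE_FIRST))

def longest_prefix_match(dst: str, policies: List[Policy]) -> Optional[str]:
    """Routing-table behaviour: the most specific selector wins, order is irrelevant."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Policy] = None
    for p in policies:
        if addr in p.remote and (best is None or p.remote.prefixlen > best.remote.prefixlen):
            best = p
    return best.tunnel if best else None

def first_match(dst: str, policies: List[Policy]) -> Optional[str]:
    """RFC 4301 SPD behaviour: entries are ordered and the first match wins."""
    addr = ipaddress.ip_address(dst)
    for p in policies:
        if addr in p.remote:
            return p.tunnel
    return None

def check_overlaps(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Report selector pairs that overlap, i.e. where ordering (not prefix length) decides."""
    issues = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.remote.overlaps(b.remote):
                issues.append((str(a.remote), str(b.remote)))
    return issues

if __name__ == "__main__":
    for name, spd in (("wide first", SPD_WIDE_FIRST), ("narrow first", SPD_NARROW_FIRST)):
        print(name, "route-style:", longest_prefix_match("192.168.0.22", spd),
              "SPD-style:", first_match("192.168.0.22", spd))
    print("overlapping selectors:", check_overlaps(SPD_WIDE_FIRST))
```

Running `check_overlaps` against a planned set of selectors flags exactly the pairs whose behaviour will depend on how the specific IPsec implementation orders or prioritises its policies.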

  • Hola Mast,

    Are these two tunnels to be defined on different interfaces?  If so, then I believe you are right that the solution is Interface Policy Routes with 'Bind to local interface'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    No, the tunnels are defined on the same LAN interface (and the same external IP, but that's not relevant) and they both must end there on that subnet as well.

  • I learned recently that one cannot use Gateway Routes with IPsec Connections bound to the interface - Interface Routes are required.  So, if I understand what you want to do, you cannot do it.

    Let's approach this from the problem end instead of the solution end.  Show us the Edits of the Routes that didn't work.  What motivated this attempt?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA