
Internet Access through Site-to-Site IPSEC Tunnel

Good morning, 

I have a number of sites using Site-to-Site IPSEC tunnels that terminate on my Sophos XG.  I'd like to start sending the clients' Internet access through the tunnel, but am unsure what the best procedure is with UTM->XG S2S tunnels.

Does anyone out there have any input/experience as to the best way to send a user's Internet traffic through a S2S IPSEC tunnel?

 

Thanks in advance, 

Eric



  • Hallo Eric,

    This is the UTM Community, but my comments here should translate to XG.  I assume you want the traffic behind the UTM to transit the tunnel to get Internet access through the XG.  On the XG side, add "Internet IPv4" to 'Local Networks'.  In the UTM, add "Internet IPv4" to 'Remote Networks'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for answering my question.

     

    One additional one, if I may.  When adding Internet IPv4 any to the UTM in the Remote Gateway, it causes all Internet traffic to go through IPSEC, as you said.  The thing I am trying to figure out now is how the UTM knows to use the WAN interface to reconnect, should the IPSEC connection be broken and need to be re-established.

    Overall, my concern is that once I add Internet IPv4 to the remote gateways, we would be cut off from its WAN interface public IP for WebAdmin should anything go wrong, and we would have no other way to get to it, as I think it would route traffic back to our public IP through IPSEC.

     

    Thanks again, 

    Eric

  • You might use the technique described in Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE) to use manual Static Interface Routes instead of those created automatically by WebAdmin when you configure an IPsec Connection.  Or you might instead use a RED tunnel with Multipathing.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
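An added illustration (not from the thread, and not Sophos code) of why the lockout concern above is real and what the manual static interface routes change: a longest-prefix-match model of route selection with "Internet IPv4" (0.0.0.0/0) pointed into the tunnel. Interface names, the LAN prefix and the public addresses are constructed assumptions (RFC 5737 documentation ranges); a real UTM derives its tables from the IPsec policies, so this models only the route-selection logic, not the product.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
ADMIN_PUBLIC_IP = "203.0.113.10"   # hypothetical admin workstation on the Internet
PEER_GATEWAY_IP = "198.51.100.1"   # hypothetical XG public IP (the IPsec peer)
WAN_IFACE = "eth1"                 # hypothetical WAN interface of the UTM
LAN_IFACE = "eth0"                 # hypothetical LAN interface of the UTM
TUNNEL_IFACE = "ipsec0"            # tunnel modelled as an interface for this illustration

def select_route(routes, dst):
    """Longest-prefix match over (prefix, interface) entries; returns the interface or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# Table as it looks once 0.0.0.0/0 is a remote network and nothing else is added:
# everything that is not local is pulled into the tunnel, including replies to the admin.
AUTO_ROUTES = [
    ("192.0.2.0/24", LAN_IFACE),   # hypothetical local LAN behind the UTM
    ("0.0.0.0/0", TUNNEL_IFACE),   # "Internet IPv4" via the S2S tunnel
]

# Same table plus manual, more-specific interface routes that stay on the WAN side.
MANUAL_ROUTES = AUTO_ROUTES + [
    (PEER_GATEWAY_IP + "/32", WAN_IFACE),   # the IPsec peer itself must stay reachable via WAN
    (ADMIN_PUBLIC_IP + "/32", WAN_IFACE),   # out-of-band WebAdmin source kept off the tunnel
]

def webadmin_lockout_risk(routes, admin_src):
    """True if replies to a WebAdmin session from admin_src would leave via the tunnel, not the WAN."""
    return select_route(routes, admin_src) != WAN_IFACE

if __name__ == "__main__":
    for name, table in (("auto", AUTO_ROUTES), ("manual", MANUAL_ROUTES)):
        print(name, "reply to admin via", select_route(table, ADMIN_PUBLIC_IP),
              "| lockout risk:", webadmin_lockout_risk(table, ADMIN_PUBLIC_IP))
```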