
How to make destination IPs, which are both IPsec VPN hosts and available through fibre connections, reachable via alternative routes?

Hi

I am a little stumped about how to create alternative routes for a group of IP addresses that are reachable in two ways:

1. They are host IPs defined in an IPsec VPN set up on the Sophos UTM 9,

2. They are available through a route on a Cisco router that is on the same internal subnet as the Sophos.

The home network server IPs use the Sophos as their gateway IP to everywhere.

What is the best means of making the destination IPs reachable from the server network through the VPN and the Cisco device at the same time (alternative routes)?

Diagram below: [network diagram image not reproduced in this copy]



  • You are more of an artist than I!


    Replace the current 'IPsec Connection' with a new one with the "(Network)" objects for the 192.168.2.0/24 and 10.1.1.0/24 LANs in 'Local Networks'.  Select 'Automatic Firewall Rules'.  If you want the VPN to be the sole path for traffic from the UTM, save the configuration.  If you want to use Static Routes to manage which path the traffic takes, select 'Bind tunnel to local interface' before you save.

    Although the following article is in the UTM Wiki in German, all of the pictures are of WebAdmin in English: Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE).  You don't need to build the second tunnel, just use a lower priority route via 192.168.2.250 if you want the primary route to be via the VPN.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the compliment!

    One problem though: if I change the Network object from External to an object for the local networks, it's going to break the VPN configuration with the other side; they're expecting to see just one IP (the External (WAN) object).

  • I suspected that.  In order to get the traffic into the tunnel, you must SNAT it from "External (Address)."

    You would still want a new IPsec Connection definition to replace the current one.  Use "External (Address)" again in 'Local Networks' and select 'Bind tunnel to local interface' before saving.  Read the help about that last step before you go to the link I provided above.  Any luck with that?

    Cheers - Bob
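The two constraints Bob's replies set out can be made concrete with a small model of the UTM's path selection. The following Python is an added illustration written for this page, not Sophos code and not anything posted in the thread: it shows why LAN traffic has to be SNATed to "External (Address)" before it can match a tunnel whose only local selector is that address, and why a static route via the Cisco at 192.168.2.250 is ignored by a policy-based tunnel but honoured once the tunnel is bound to a local interface (route-based), giving the failover the German tutorial describes. The two LANs and the Cisco address come from the thread; the External address 203.0.113.10, the remote VPN hosts 198.51.100.0/24, the default gateway 203.0.113.1 and the route priorities are assumed placeholders.

```python
"""Model of UTM path selection for the setup in this thread.

Added illustration, not Sophos UTM code. It models:
  1. a tunnel whose 'Local Networks' is only External (Address), so LAN
     traffic must be SNATed to that address before it matches the selector;
  2. the difference between a policy-based tunnel (selector match wins no
     matter what the routing table says, so no failover) and a tunnel bound
     to a local interface (routing table decides, so a lower-priority static
     route via the Cisco takes over when the tunnel route is unusable).
Addresses other than the two LANs and the Cisco are assumed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# From the thread: the two internal LANs and the Cisco router on 192.168.2.0/24.
LOCAL_LANS = [ip_network("192.168.2.0/24"), ip_network("10.1.1.0/24")]
CISCO = ip_address("192.168.2.250")

# Assumed placeholders (not in the thread).
EXTERNAL_ADDRESS = ip_address("203.0.113.10")   # UTM "External (Address)"
REMOTE_HOSTS = ip_network("198.51.100.0/24")    # destination hosts behind the VPN
DEFAULT_GW = ip_address("203.0.113.1")          # upstream gateway on the WAN


@dataclass
class Route:
    prefix: IPv4Network
    via: str       # "ipsec" = tunnel bound to a local interface, else next-hop IP
    metric: int    # lower wins among equal-length prefixes (UTM route priority)


# Assumed static routes: primary via the bound tunnel, backup via the Cisco.
ROUTES = [
    Route(REMOTE_HOSTS, "ipsec", 5),
    Route(REMOTE_HOSTS, str(CISCO), 10),
    Route(ip_network("0.0.0.0/0"), str(DEFAULT_GW), 100),
]

# Tunnel selector as the other side expects it: exactly one local IP.
TUNNEL_LOCAL = ip_network(f"{EXTERNAL_ADDRESS}/32")
TUNNEL_REMOTE = REMOTE_HOSTS


def apply_snat(src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """SNAT rule Bob calls for: LAN -> remote hosts leaves as External (Address)."""
    if any(src in lan for lan in LOCAL_LANS) and dst in REMOTE_HOSTS:
        return EXTERNAL_ADDRESS
    return src


def policy_matches(src: IPv4Address, dst: IPv4Address) -> bool:
    """Does the (post-SNAT) packet fall inside the tunnel's selector?"""
    return src in TUNNEL_LOCAL and dst in TUNNEL_REMOTE


def route_lookup(dst: IPv4Address, tunnel_usable: bool) -> str:
    """Longest prefix first, then lowest metric; tunnel route only if usable."""
    candidates = [r for r in ROUTES
                  if dst in r.prefix and (r.via != "ipsec" or tunnel_usable)]
    best = min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))
    return best.via


def select_path(src: str, dst: str, bound_to_interface: bool,
                snat: bool = True, tunnel_up: bool = True) -> str:
    """Return where a packet from src to dst is sent: 'ipsec' or a next-hop IP."""
    s, d = ip_address(src), ip_address(dst)
    if snat:
        s = apply_snat(s, d)
    if not bound_to_interface:
        # Policy-based tunnel: the IPsec policy is applied after the route
        # decision and overrides it, so a selector match always enters the
        # tunnel, even while the tunnel is down (no failover). Traffic that
        # does not match is routed normally, and no "ipsec" route exists.
        if policy_matches(s, d):
            return "ipsec"
        return route_lookup(d, tunnel_usable=False)
    # Bound to a local interface: the routing table alone decides, so the
    # backup route via the Cisco is used when the tunnel route is unusable.
    return route_lookup(d, tunnel_usable=tunnel_up)


if __name__ == "__main__":
    for bound in (False, True):
        for up in (True, False):
            print(f"bound={bound!s:5} tunnel_up={up!s:5} ->",
                  select_path("10.1.1.20", "198.51.100.7", bound, tunnel_up=up))
    print("no SNAT, policy-based ->",
          select_path("10.1.1.20", "198.51.100.7", False, snat=False))
```

Run it and the policy-based rows both print `ipsec`, while the bound rows switch from `ipsec` to `192.168.2.250` when the tunnel is down; the last line shows that without the SNAT the LAN source never matches the selector and the packet follows the Cisco route instead of entering the tunnel.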
  • Hi Bob!


    Sorry for replying so late.

    There isn't an option to select 'Bind tunnel to local interface.'
    I'm still trying to digest the article; it doesn't translate to English, unfortunately.

  • Sina, in order to see the interface bind option, you must create a new IPsec Connection definition.  Rather than trying to translate the article, just follow the pictures - at least that part is in English.

    Cheers - Bob