

How to create static routes for IPsec VPNs?

I have had to set up IPsec site-to-site VPNs as RED UTM connections are not supported in XG, but how do I set up static routes for these if I don't have an interface for each remote network?

I've tried adding an IPv4 unicast route using the remote network IP, subnet and gateway as the IP of the router on the remote network and then left the interface drop-down. But it doesn't seem to work.

With an IPsec site-to-site VPN, should the routes be created automatically? It's just that I seem to be having issues with traffic for one subnet going over the wrong VPN and trying to use the remote network's site-to-site VPN.

I really wish they had RED UTM support out of the box.

I'm having a nightmare with these site-to-site VPNs.

Also, not having the astaro.org forum available makes matters worse. I really wanted to use Sophos XG but I can see myself having to revert back to Sophos UTM.

Can someone please help?

Thanks

JK



  • Hello John,

    Thank you for being descriptive on the problem. The RED VPN is currently not supported on XG, which forces you to use the IPsec site-to-site VPN.

    Can you tell me what the peer appliance on the site-to-site is?

    IPsec site-to-site is very different from RED VPN tunnelling. An IPsec security association is formed after both peers agree on their local and remote networks, and once the SA is formed it will auto-create the routes in the routing table. You don't have to create static routes, as the peer device will not accept the traffic anyway because the SA did not negotiate the new network.

    If you need to add a new network, create an object for the new network and add it under the destination networks of your local firewall's IPsec tunnel, and also create an object for the same network on the peer and add it under the source networks of the IPsec tunnel.

    One other way of implementing this, and it would be much easier than the RED and IPsec site-to-site implementations, is by bringing in support for the virtual tunnel interface (VTI), also called route-based VPN, which is available in V2 of the XG firewall OS.

    You can just create a tunnel interface between both sites; you can define static routes, or you can also implement dynamic routing and also dynamic multicast routing, which is not possible with REDs.

    This issue needs a troubleshooting session to understand which route the traffic is heading down; you can make the best use of tcpdump from option 4 of the command line.

    IPsec site-to-site had been a reliable way of connecting remote sites before the REDs. I will agree that from an ease-of-use point of view it is difficult to accept this change :)

    Thanks,
    Kranthi
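The selector behaviour Kranthi describes above (a policy-based tunnel only carries flows whose source and destination fall inside the networks negotiated in the SA, and both peers must agree on them) is easy to check offline before opening a troubleshooting session. The following Python script is an added example and not code from this thread or from Sophos; the tunnel names, networks and peer configurations in it are constructed for illustration. It models each tunnel as a local/remote selector pair and reports three things: which tunnel (if any) would carry a given flow, selectors that are not mirror images on the two peers, and remote selectors that overlap between two tunnels on the same firewall, which is exactly how traffic for one subnet ends up on the wrong VPN.

```python
"""Policy-based IPsec selector checks (constructed example, not Sophos code).

A policy-based site-to-site tunnel carries only traffic whose source lies in
the tunnel's local networks and whose destination lies in its remote networks,
as negotiated in the SA with the peer.  A static route cannot add a network
the SA did not negotiate, and two tunnels with overlapping remote selectors
leave the firewall to pick one of them for the overlapping flows.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple


@dataclass
class Tunnel:
    name: str
    local_networks: List[IPv4Network]
    remote_networks: List[IPv4Network]


def tunnel(name: str, local: List[str], remote: List[str]) -> Tunnel:
    """Build a tunnel from CIDR strings."""
    return Tunnel(name, [ip_network(n) for n in local], [ip_network(n) for n in remote])


def selects(t: Tunnel, src: str, dst: str) -> bool:
    """True if the flow src->dst falls inside this tunnel's negotiated selectors."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in t.local_networks) and any(d in n for n in t.remote_networks)


def matching_tunnels(tunnels: List[Tunnel], src: str, dst: str) -> List[str]:
    """Names of every tunnel whose selectors match the flow.
    An empty list means no tunnel will carry it (a static route will not help);
    more than one name means the flow is ambiguous between tunnels."""
    return [t.name for t in tunnels if selects(t, src, dst)]


def mirror_mismatches(ours: Tunnel, peer: Tunnel) -> List[Tuple[str, str]]:
    """Selectors the peer will not have negotiated for this tunnel.
    Our local networks must appear as the peer's remote networks and vice versa."""
    problems = []
    for n in ours.local_networks:
        if n not in peer.remote_networks:
            problems.append(("our local network missing from peer's remote networks", str(n)))
    for n in ours.remote_networks:
        if n not in peer.local_networks:
            problems.append(("our remote network missing from peer's local networks", str(n)))
    return problems


def overlapping_selectors(tunnels: List[Tunnel]) -> List[Tuple[str, str, str, str]]:
    """Pairs of tunnels whose remote selectors overlap, so some destinations
    could be carried by either tunnel."""
    found = []
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            for n in a.remote_networks:
                for m in b.remote_networks:
                    if n.overlaps(m):
                        found.append((a.name, b.name, str(n), str(m)))
    return found


# --- constructed sample configuration (hypothetical sites and addresses) ---
# Tunnels as configured on the local firewall ("XG") whose LAN is 192.168.1.0/24.
XG_TUNNELS = [
    tunnel("UTM1", ["192.168.1.0/24"], ["10.10.0.0/16"]),
    tunnel("UTM2", ["192.168.1.0/24"], ["10.20.0.0/24"]),
    tunnel("Draytek2", ["192.168.1.0/24"], ["10.10.20.0/24"]),  # inside UTM1's range
]
# The same tunnel "UTM2" as configured on the remote peer; its remote network
# was typed as 192.168.2.0/24 instead of 192.168.1.0/24, so the SA will not
# cover our LAN and return traffic will never be accepted.
PEER_UTM2 = tunnel("UTM2", ["10.20.0.0/24"], ["192.168.2.0/24"])


if __name__ == "__main__":
    print("flow to 10.10.20.5 matches:", matching_tunnels(XG_TUNNELS, "192.168.1.10", "10.10.20.5"))
    print("flow to 10.30.0.5 matches:", matching_tunnels(XG_TUNNELS, "192.168.1.10", "10.30.0.5"))
    print("UTM2 mirror mismatches:", mirror_mismatches(XG_TUNNELS[1], PEER_UTM2))
    print("overlapping selectors:", overlapping_selectors(XG_TUNNELS))
```

Run it as-is to see the three symptoms from the thread reproduced on the constructed data: the flow to 10.10.20.5 matches both UTM1 and Draytek2, the flow to 10.30.0.5 matches no tunnel at all, and UTM2's selectors are not mirrored on the peer. To check a real deployment, replace the constructed tunnels with the local and remote networks exactly as entered on each appliance; an exact-match comparison is deliberate, since a peer that negotiates a wider or narrower prefix is the usual cause of "tunnel up, hosts unreachable".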
  • OK, I'm trying to connect to 4 VPNs: 2 UTMs and 2 DrayTek 2925s. I actually have a VPN to 1 UTM and 1 2925 working correctly, but for some reason the 2nd UTM and 2nd 2925 VPNs connect but I cannot reach the remote networks?

    Can you explain to me the other method you mentioned? The virtual tunnels? What is V2 of XG? I have the latest Sophos XG software appliance installed.

    Thanks for your reply; you don't know how long I've waited for some more help. Hope you can reply again ASAP.

    JK

    JK

    CompKickers

  • OK, I can't find anything on those virtual tunnel interfaces you mentioned. What is Sophos XG V2? Is it not out yet? I have all 4 IPsec site-to-site VPNs connecting; I went through the policies at all the endpoints and created an exactly matching policy so I could get a connection. The problem I'm having is that even though I have active VPNs I can't reach the remote networks of 2 out of 4 VPNs. I really am stuck!!! I was pretty competent using Sophos UTM but wanted to dive in and learn Sophos XG for my home. If I was having issues connecting to a single device type I'd probably be able to troubleshoot this, but it's not; it's 1 of each of the same devices that work?? I have posted other threads here about this but haven't gotten to the bottom of it still! I miss www.astaro.org. I've gone over and over the configs of the endpoints and I'm confident I have replicated the working VPNs exactly apart from the IP addresses. I do not know how to create static routes on XG for IPsec tunnels as I don't have an interface to use for these. Also the Routes tool in diagnostics is confusing, as all my IPsec tunnels say they are using the same route and the IP in it isn't even right?

    I could in theory drop 2 of my IPsec tunnels, as each of the pairs of endpoints has its own site-to-site connecting them, so if I could work out how to use static routes in XG I could route traffic destined for the remote subnet through the VPN that works and then through the endpoint's VPN. I can't see why that won't work either?

    Also, as I still have my old UTM on my LAN but on a different IP which still has working RED tunnels, I was trying to route traffic through that, but again the unicast static routes I tried didn't work.


    So please, any ideas you can give me, I'd really be grateful.

    Thanks

    JK

    JK

    CompKickers

  • I'm also having issues with IPsec. We have successfully created the IPsec tunnels and they are working perfectly for our clients. But the XG itself can't send traffic over the tunnel, as it routes it wrong. Any tips? I also would love to have route-based VPN instead. Is this coming? And when? What is V2 XG?
  • Daniel, did you create a policy for LAN to VPN zone? I had to create a policy for LAN zone with local network to VPN zone with remote networks to get traffic to the VPNs. Although for me I only can reach 2 out of 4 VPNs.

    Thanks

    JK

    JK

    CompKickers

  • I'm stumped. I can see my traffic reaching the remote subnet by watching the firewall live log on the remote UTM, and it's green but also white, but that's just the NAT rule logging.

    So why is it still failing to establish a connection to hosts on the remote network?

    Anyone?

    Thanks

    JK

    JK

    CompKickers