

How to create static routes for IPsec VPNs?

I have had to set up IPsec site-to-site VPNs as RED UTM connections are not supported in XG, but how do I set up static routes for these if I don't have an interface for each remote network?

I've tried adding an IPv4 unicast route using the remote network IP and subnet, with the gateway as the IP of the router on the remote network, and then left the interface drop-down. But it doesn't seem to work.

With IPsec site-to-site VPN, should the routes be created automatically? It's just that I seem to be having issues with traffic for one subnet going over the wrong VPN and trying to use the remote network's site-to-site VPN.

I really wish they had RED UTM support out of the box.

I'm having a nightmare with these site-to-site VPNs.

Also, not having the astaro.org forum available makes matters worse. I really wanted to use Sophos XG, but I can see myself having to revert back to Sophos UTM.

Can someone please help?

Thanks

JK



  • Hello John,

    Thank you for being descriptive about the problem. The RED VPN is currently not supported on XG, which forces you to use the IPsec site-to-site VPN.

    Can you tell me what the peer appliance on the site-to-site is?

    With IPsec site-to-site, which is very different from RED VPN tunnelling, the IPsec security association is formed after both peers agree on their local and remote networks. Once the SA is formed it will auto-create the routes in the route table, and you don't have to create static routes, as the peer device will not accept the traffic because the SA did not negotiate the new network.

    If you need to add a new network, create an object for the new network and add the network under the destination networks of your local firewall's IPsec tunnel, and also create an object for the same network on the peer and add it under the source networks of the IPsec tunnel.

    One other way of implementing this, and it would be much easier than the RED and IPsec site-to-site implementations, is by bringing in support for the virtual tunnel interface (VTI), also called route-based VPNs, which is available in V2 of the XG firewall OS.

    You can just create a tunnel interface between both sites; you can define static routes, or you can also implement dynamic routing and also dynamic multicast routing, which is not possible with REDs.

    This issue needs a troubleshooting session to understand which route the traffic is heading down; you can make the best use of tcpdump from option 4 of the command line.

    IPsec site-to-site has been a reliable way of connecting remote sites since before the REDs. I will agree that from an ease-of-use point of view it is difficult to accept this change :)

    Thanks,
    Kranthi
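To make the selector logic in the reply above concrete, here is an added Python example (not from this thread, from Sophos, or from any firewall's code) that models policy-based IPsec tunnels as the sets of local and remote networks both peers negotiated into the SA. It shows three things: a flow that falls outside every negotiated selector gets no tunnel at all, a network added on only one firewall is flagged as missing on the peer, and two tunnels whose remote selectors overlap make the choice of VPN ambiguous, which is the "traffic going over the wrong VPN" symptom from the question. All addresses and tunnel names are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# A policy-based IPsec tunnel is identified by the local and remote networks
# both peers agreed on when the security association (SA) was negotiated.
Tunnel = Dict[str, object]


def make_tunnel(name: str, local: List[str], remote: List[str]) -> Tunnel:
    """Build a tunnel record from CIDR strings (hypothetical helper)."""
    return {
        "name": name,
        "local": [ipaddress.ip_network(n) for n in local],
        "remote": [ipaddress.ip_network(n) for n in remote],
    }


def tunnels_for(tunnels: List[Tunnel], src: str, dst: str) -> List[str]:
    """Names of every tunnel whose negotiated selectors cover src -> dst.

    More than one name means the selectors overlap and the firewall's own
    policy ordering decides which VPN carries the traffic. That is the
    situation behind 'traffic for one subnet going over the wrong VPN'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [
        t["name"] for t in tunnels
        if any(s in n for n in t["local"]) and any(d in n for n in t["remote"])
    ]


def select_tunnel(tunnels: List[Tunnel], src: str, dst: str) -> Optional[str]:
    """First matching tunnel, or None when no SA covers the flow.

    With no match the packet is not protected by any tunnel and falls
    through to ordinary routing, so a static route pointing at a remote
    gateway cannot help: the peer never negotiated that network.
    """
    names = tunnels_for(tunnels, src, dst)
    return names[0] if names else None


def missing_on_peer(local: Tunnel, peer: Tunnel) -> Dict[str, List[str]]:
    """Compare a tunnel with its mirror image on the peer firewall.

    Our remote networks must appear as the peer's local networks and our
    local networks as the peer's remote networks. Anything present on one
    side only is never negotiated into the SA, so the peer drops it.
    """
    return {
        "peer_missing_local": sorted(
            str(n) for n in local["remote"] if n not in peer["local"]
        ),
        "peer_missing_remote": sorted(
            str(n) for n in local["local"] if n not in peer["remote"]
        ),
    }


# Constructed sample: a head office with two branch tunnels.
HQ_TUNNELS = [
    make_tunnel("HQ-to-BranchA", ["10.1.0.0/24"], ["10.2.0.0/24"]),
    make_tunnel("HQ-to-BranchB", ["10.1.0.0/24"], ["10.3.0.0/24"]),
]
# The BranchB side of that tunnel, as configured on the branch firewall.
BRANCHB_TUNNEL = make_tunnel("BranchB-to-HQ", ["10.3.0.0/24"], ["10.1.0.0/24"])


if __name__ == "__main__":
    # Flow covered by an SA, and a flow to a network nobody negotiated.
    print(select_tunnel(HQ_TUNNELS, "10.1.0.5", "10.2.0.9"))
    print(select_tunnel(HQ_TUNNELS, "10.1.0.5", "10.4.0.1"))

    # 10.4.0.0/24 added on HQ only: the checker names what BranchB lacks.
    hq_b_new = make_tunnel("HQ-to-BranchB", ["10.1.0.0/24"],
                           ["10.3.0.0/24", "10.4.0.0/24"])
    print(missing_on_peer(hq_b_new, BRANCHB_TUNNEL))

    # A broad /8 remote selector on BranchA now also matches BranchB hosts.
    overlapping = [make_tunnel("HQ-to-BranchA", ["10.1.0.0/24"], ["10.0.0.0/8"]),
                   HQ_TUNNELS[1]]
    print(tunnels_for(overlapping, "10.1.0.5", "10.3.0.7"))
```

When `tunnels_for` returns two names for one flow, tightening the broader selector (or splitting it into the exact branch subnets) is what makes the selection unambiguous; when `missing_on_peer` reports a network, that network has to be added on the peer's side of the tunnel as well before the SA will carry it.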
  • I'm stumped. I can see my traffic reaching the remote subnet by watching the firewall live log on the remote UTM, and it's green but also white, but that's just the NAT rule logging.

    So why is it still failing to establish a connection to hosts on the remote network?

    Anyone?

    Thanks

    JK

    JK

    CompKickers
