
How to route all traffic from a specific network (vlan) via a site-to-host VPN server

 Hi,

 

I am running an IPSec VPN on an AWS instance. What I'd like to achieve is to connect Sophos XG to this host and route all traffic from one specific internal network via this host to the internet.

I read the kba for establishing an IPSec connection as well as how to set up the firewall rules. However in this case, I use the opposite scenario. Usually the use case would be to have a branch office which connects to the head office and mainly uses the XG as the exit node for internet traffic. My scenario is the other way round.

I'd like to have the XG set up an IPSec connection to the AWS IPSec server and use this IPSec server as the gateway to the internet for network 192.168.66.0/24.

 

The connection should look like this:

client on network 192.168.66.0/24 (VLAN66) -> Sophos XG -> IPSec Tunnel -> AWS Instance IPSec Server -> Internet

 

XG already initiated the connection to the IPSec server and stays connected.

The local network 192.168.66.0/24 is set in the IPSec settings.

From the AWS VPN Server I can actually use the Sophos XG as Internet Gateway but, as said, that's the opposite of what I am trying to achieve.

I took the firewall rules from the KBA and inverted them in order to make that setup work.

But unfortunately this didn't work.

 

On the AWS server side the connection seems to be fine. 192.168.178.102 is the WAN interface of the XG sitting behind my router. The first red line is the external IP address of the AWS server and the second one is the external IP of my own network.



So, the question is: is such a setup actually possible? And if so, what are the correct firewall rules to have clients in VLAN66 access the internet via the AWS VPN server?

 

Best

Peter
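As an added illustration (not part of this thread, and not Sophos code): a small Python model of policy-based IPsec traffic selectors. A policy-based tunnel only carries a packet whose source and destination fall inside one of its configured local/remote selector pairs; a packet that matches no selector is handed to the normal routing table, i.e. the XG's own WAN. This is why a site-to-site rule set written for "branch LAN <-> head-office LAN" cannot, by itself, carry internet-bound traffic from VLAN66. The addresses 192.168.66.0/24 and 192.168.178.102 are from the post; the server-side inner network 10.20.0.0/24, the second local VLAN 192.168.1.0/24 and the internet destination 203.0.113.10 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Selector:
    """One local<->remote selector pair of a policy-based IPsec tunnel."""
    local: str   # network on our side of the tunnel
    remote: str  # network reachable through the peer

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote))


def route_decision(selectors, src: str, dst: str) -> str:
    """Return 'tunnel' if some selector covers the flow, else 'local-wan'.

    Models what a policy-based IPsec implementation does: traffic not
    matched by any selector is not encrypted and follows the ordinary
    routing table (the firewall's own default route).
    """
    return "tunnel" if any(s.matches(src, dst) for s in selectors) else "local-wan"


def server_can_egress(ip_forward: bool, snat_networks, src: str) -> bool:
    """Model the minimum the VPN server needs to act as an internet gateway.

    The server must forward packets and source-NAT the remote client
    network onto its own public address; otherwise replies from the
    internet have no route back to 192.168.66.0/24.
    """
    if not ip_forward:
        return False
    return any(ip_address(src) in ip_network(n) for n in snat_networks)


# Selectors as in an ordinary site-to-site KBA: VLAN66 to the server's
# inner network only (10.20.0.0/24 is a constructed placeholder).
SITE_TO_SITE = [Selector("192.168.66.0/24", "10.20.0.0/24")]

# Selectors for the "VLAN66 uses the VPN server as internet gateway" case:
# the remote side must be the whole address space.
FULL_TUNNEL_FOR_VLAN66 = [Selector("192.168.66.0/24", "0.0.0.0/0")]


if __name__ == "__main__":
    client = "192.168.66.10"     # host in VLAN66
    other_lan = "192.168.1.10"   # constructed host in a second local VLAN
    internet = "203.0.113.10"    # constructed internet destination

    print("site-to-site, VLAN66 -> internet :", route_decision(SITE_TO_SITE, client, internet))
    print("full tunnel,  VLAN66 -> internet :", route_decision(FULL_TUNNEL_FOR_VLAN66, client, internet))
    print("full tunnel,  other LAN -> internet:", route_decision(FULL_TUNNEL_FOR_VLAN66, other_lan, internet))
    print("server forwards + NATs VLAN66    :",
          server_can_egress(True, ["192.168.66.0/24"], client))
```

The third call shows the property the poster wants: with the selector scoped to 192.168.66.0/24 on the local side, the other VLANs keep using the XG's own WAN, so only VLAN66 depends on the AWS host. The last call shows the server-side half of the setup: forwarding alone is not enough, the remote client network also has to be source-NATed on the server's egress interface.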

 



  • Hi  

     

    This is not supported and we do not recommend doing this.

    We do not recommend trying this as there are multiple points of failure including licensing for the XG not being checked due to rules in AWS firewall/routing issues.

    There is also a lot of configuration that would need to happen on both sides of the tunnel, including testing to go through on the support forum.  If this is the route you would like to take, then I would recommend contacting our Professional Services team at the following link https://www.sophos.com/en-us/support/professional-services.aspx.

    Thanks.

    KingChris
    Community Support | Sophos Support


  • I already thought that it is not officially supported by Sophos.

    But to make that clear, I am not talking about routing all traffic through the tunnel but only one dedicated network of many networks. So the XG is (should be) still locally connected to the internet. That being said, there shouldn't be an issue with the license check.

     

    What I am missing in XG is a VPN client option. This would cover my use case. There is an SSL VPN client option but this seems to only support Sophos firewalls as endpoints.

     

    So, when thinking about other possibilities to achieve that goal, here's what I believe could work:

     

    1. connect each client in this dedicated network individually to the AWS VPN Server and create a firewall rule which blocks all traffic besides VPN traffic.

    Opinion: Depending on the amount of clients in this network in the future this could be a lot of work.

     

    2. Put another firewall which supports VPN client functionality (like pfsense) behind the XG in this dedicated network.

    Opinion: lots of additional configuration for basically a simple task.

     

    3. Create a Sophos XG or UTM instance on Azure and connect my XG via site-to-site VPN.

    Opinion: would this actually be a way to go without the need to use the Azure Firewall as "headquarter"?

     

    4. Put any router with VPN client option behind the XG and connect all devices directly to this router. 

    Opinion: again, another device needed to achieve a simple task.

     

    Are all these options possible? Are there any other options?

     

    Best

    Peter

  • Hi  

    There is an option in Sophos IPsec section to use a "host-to-host" connection type.

    You would just need to click on the drop down box and change the "connection type" to "host-to-host".

    I would definitely recommend using option 3.  You could use the Sophos XG in Azure.  It's already part of the Azure Marketplace.  You can then use a RED site-to-site tunnel and use static-based routing to push the IPs you want to the other side.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • I haven't tried "host to host" yet, but I set up a Sophos XG instance in Azure and used a RED15w I had lying around to connect to it. As far as I can tell, the performance of that encrypted link is very good.

    I almost get line speed with 150mbit down and 39mbit up. So RED definitely outperforms many common VPN protocols in terms of performance. BTW, the maximum throughput of the RED15w is supposed to be 90mbit based on advertising.

     

    Unfortunately Azure pricing is extremely non-transparent and Sophos XG is only available in a couple of regions. I'll see what the bill looks like after a couple of weeks to estimate the real cost.

     

    Best

    Peter