
Route traffic destined for a specific public network out over site to site VPN

I have an IPSec site to site VPN set up. I need to route traffic destined for 208.whatever.external.IP out over a site to site tunnel to a provider network.  In Network > Routing there is no interface listed to send the traffic to and I have nothing to set as the next hop. Any ideas?



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    You can add an IPsec route in CLI for destination 208.whatever.external.IP

    Follow the steps below to add an IPsec route.

    ==> Log in to SSH > 4. Device Console

    => For host:

    console> system ipsec_route add host 208.whatever.external.IP tunnelname IPsec_Tunnel

    => For network:

    console> system ipsec_route add net 208.whatever.external.IP/255.255.255.0 tunnelname IPsec_Tunnel

    Where IPsec_Tunnel is your site-to-site VPN tunnel name.


  • OK, got it in there and it is still trying to send the traffic out to the internet directly instead of over the tunnel....

    system ipsec_route add net 208.whatever.external.IP/255.255.255.224 tunnelname VPN_Tunnel

    console> system ipsec_route show
    tunnelname   host/network                netmask
    VPN_Tunnel   208.whatever.external.IP    255.255.255.224

    I am tracerouting to 208.whatever.external.22 which is in that network. 

    Any ideas on what to try to see why this isn't working?
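As an added check, not part of the thread or of Sophos's own tooling: a small Python helper that builds the `system ipsec_route add` command from a CIDR (the XG console takes the mask in dotted form, as in the commands in the answer above) and parses the `system ipsec_route show` table pasted above to report which tunnel, if any, a destination such as the .22 host falls under. The sample table and the 203.0.113.0/27 and 198.51.100.7 destinations are constructed placeholders. It only inspects the static ipsec_route table, so a match here does not rule out the SD-WAN policy or NAT ordering questions raised further down in the thread.

```python
"""Build 'system ipsec_route add' commands from CIDR input and check the
'system ipsec_route show' table for a destination.

Added example (not Sophos code). Command syntax follows the thread; the
three-column table format follows the output pasted in it."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, ipaddress.IPv4Network]  # (tunnelname, network)


def build_ipsec_route_cmd(destination: str, tunnel: str) -> str:
    """Return the console command for a host or network destination.

    The XG CLI wants the netmask in dotted form (255.255.255.224), not a
    prefix length, so a CIDR is converted. strict=True rejects a network
    with host bits set (e.g. 203.0.113.22/27), which is a common typo.
    A bare address or /32 becomes a host route.
    """
    net = ipaddress.ip_network(destination, strict=True)
    if net.prefixlen == 32:
        return f"system ipsec_route add host {net.network_address} tunnelname {tunnel}"
    return (f"system ipsec_route add net {net.network_address}/{net.netmask} "
            f"tunnelname {tunnel}")


def parse_ipsec_route_show(output: str) -> List[Route]:
    """Parse the table printed by 'system ipsec_route show'.

    Header line 'tunnelname host/network netmask' and blank lines are skipped;
    each remaining row is (tunnel, network). A host row carries a /32 mask.
    """
    routes: List[Route] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "tunnelname":
            continue
        tunnel, dest, mask = parts
        # ipaddress accepts a dotted netmask after the slash.
        routes.append((tunnel, ipaddress.ip_network(f"{dest}/{mask}", strict=False)))
    return routes


def tunnel_for(target: str, routes: List[Route]) -> Optional[str]:
    """Return the tunnel whose route covers target (longest prefix wins), or None."""
    addr = ipaddress.ip_address(target)
    matches = [(net.prefixlen, tunnel) for tunnel, net in routes if addr in net]
    if not matches:
        return None
    return max(matches)[1]


# Constructed sample of what 'system ipsec_route show' prints (placeholder
# TEST-NET addresses, not the poster's real provider network).
SAMPLE_SHOW_OUTPUT = """\
tunnelname host/network netmask
VPN_Tunnel 203.0.113.0 255.255.255.224
Branch_Tunnel 198.51.100.7 255.255.255.255
"""

if __name__ == "__main__":
    print(build_ipsec_route_cmd("203.0.113.0/27", "VPN_Tunnel"))
    print(build_ipsec_route_cmd("198.51.100.7", "Branch_Tunnel"))
    table = parse_ipsec_route_show(SAMPLE_SHOW_OUTPUT)
    for host in ("203.0.113.22", "203.0.113.40", "198.51.100.7"):
        print(host, "->", tunnel_for(host, table) or "no ipsec route (exits via default/WAN)")
```

A destination that returns `None` here is exactly the case the poster describes: with no covering entry in the ipsec_route table the packet follows the normal routing table and leaves the WAN interface. A destination that does match but still exits the WAN points at something else deciding first, which is why the follow-up asks about the route lookup on ipsec0 and SD-WAN policies.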

  • Likely you also need to NAT this traffic? Or what does the peer expect you to do? You can also add a VPN NAT for this traffic. 


  • We are NATing the traffic.  I do see the traffic hitting the NAT rule but the traffic is exiting the WAN interface and not going over the tunnel.

  • FormerMember in reply to Brian Straka

    Hi,

    Ensure that route lookup (Diagnostics > Tools > Route lookup) on XG shows the 208.whatever.external.IP address on ipsec0.

    Is there any SD-WAN policy configured?

    Could you please post a snapshot of the NAT rule and packet capture here or in PM?