
Route internet traffic across IPSEC

I have the following setup with an IPSEC tunnel between the two Sophos XG firewalls.

Internet traffic from 192.168.1.1 goes out through Internet 1

I want to say that for traffic with a destination of 8.8.8.8, go across the IPSEC tunnel and out through Internet 2 - all other traffic remains on Internet 1

I've tried:

system ipsec_route add host 8.8.8.8 tunnelname <tunnel>

set advanced-firewall sys-traffic-nat add destination 8.8.8.8 snatip 192.168.1.1

Packet capture shows traffic is being sent to the IPSEC tunnel correctly on Sophos (192.168.1.254) but the traffic never arrives at the other end.

What am I missing?



  • Can you show us the screenshots of both packet captures? 


  • Hello Stuart,

    Greetings,

    I understand your requirement, but with a policy-based VPN, unless you specify 8.8.8.8 in the remote subnet at the BO and 8.8.8.8 as the local subnet at the HO, it will not work. Add the local and remote network 8.8.8.8 on the respective IPsec tunnels and review it.

    However, it is still not recommended to do this with a policy-based VPN; plan it with a route-based VPN for the best result.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

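    The point in the reply above (and the reason the original poster's capture shows packets entering the tunnel but never arriving) is that a policy-based IPsec tunnel only carries a flow when both peers have a traffic selector covering it. The following model is an added example, not Sophos code and not posted by anyone in this thread: it walks one packet through the SNAT rule, the branch firewall's selector list and the head-office firewall's mirrored selector list. The branch subnet 172.29.246.0/24, the destination 7.7.7.7 and the SNAT IP 172.29.246.1 come from the thread; the head-office LAN 10.0.0.0/24 and the second source host 192.168.1.50 are constructed for illustration.

```python
# Added example: a minimal model of policy-based IPsec traffic selectors.
# Not Sophos code; selector semantics are simplified (no IKEv2 narrowing,
# no protocol/port selectors). 10.0.0.0/24 and 192.168.1.50 are constructed.
import ipaddress
from typing import Dict, List, Optional, Tuple


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR or bare host ('7.7.7.7' becomes 7.7.7.7/32)."""
    return ipaddress.ip_network(cidr, strict=False)


class PolicyVpnPeer:
    """One end of a policy-based tunnel: a list of (local, remote) selectors."""

    def __init__(self, name: str, selectors: List[Tuple[str, str]]):
        self.name = name
        self.selectors = [(net(local), net(remote)) for local, remote in selectors]

    def covers_outbound(self, src: str, dst: str) -> bool:
        """A packet is encapsulated only if some selector has src in local and dst in remote."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in local and d in remote for local, remote in self.selectors)

    def covers_inbound(self, src: str, dst: str) -> bool:
        """A decrypted packet is accepted only if src is in remote and dst in local."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in remote and d in local for local, remote in self.selectors)


def apply_snat(src: str, dst: str, rules: Dict[str, str]) -> str:
    """Model of `sys-traffic-nat add destination X snatip Y`: rewrite the source
    address for packets whose destination falls inside X."""
    d = ipaddress.ip_address(dst)
    for dest_cidr, snat_ip in rules.items():
        if d in net(dest_cidr):
            return snat_ip
    return src


def tunnel_delivers(initiator: PolicyVpnPeer, responder: PolicyVpnPeer,
                    src: str, dst: str,
                    snat_rules: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Walk one packet through SNAT, the initiator's selectors and the responder's
    selectors. Returns (delivered, reason) so a failing hop can be identified."""
    src_after_nat = apply_snat(src, dst, snat_rules or {})
    if not initiator.covers_outbound(src_after_nat, dst):
        return False, f"{initiator.name}: {src_after_nat}->{dst} matches no outbound selector"
    if not responder.covers_inbound(src_after_nat, dst):
        return False, f"{responder.name}: {src_after_nat}->{dst} rejected by inbound selector check"
    return True, "delivered"


# Thread scenario: only the LAN-to-LAN selector exists, as in the original setup.
SNAT_RULES = {"7.7.7.7": "172.29.246.1"}
BRANCH = PolicyVpnPeer("branch", [("172.29.246.0/24", "10.0.0.0/24")])
HQ = PolicyVpnPeer("hq", [("10.0.0.0/24", "172.29.246.0/24")])

# The fix from the reply: 7.7.7.7 added as a remote network at the branch
# and as a local network at the head office (mirrored on both peers).
BRANCH_FIXED = PolicyVpnPeer("branch", [("172.29.246.0/24", "10.0.0.0/24"),
                                        ("172.29.246.0/24", "7.7.7.7")])
HQ_FIXED = PolicyVpnPeer("hq", [("10.0.0.0/24", "172.29.246.0/24"),
                                ("7.7.7.7", "172.29.246.0/24")])

if __name__ == "__main__":
    print(tunnel_delivers(BRANCH, HQ, "172.29.246.1", "7.7.7.7", SNAT_RULES))
    print(tunnel_delivers(BRANCH_FIXED, HQ_FIXED, "172.29.246.1", "7.7.7.7", SNAT_RULES))
    # A host outside the selector's local subnet needs the SNAT to be covered.
    print(tunnel_delivers(BRANCH_FIXED, HQ_FIXED, "192.168.1.50", "7.7.7.7"))
    print(tunnel_delivers(BRANCH_FIXED, HQ_FIXED, "192.168.1.50", "7.7.7.7", SNAT_RULES))
```

    Running it shows the three conditions that must all hold: the destination host is in the branch's remote list, the same host is in the head office's local list, and the source (after SNAT) sits inside the branch's local subnet. The `ipsec_route` command only decides which tunnel the packet is routed towards; it does not widen the selectors, which is why the capture can show the packet leaving for the tunnel while the far end never sees it.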

  • Ok. I simplified the IPs in my diagram. Source server is 172.29.246.1

    set advanced-firewall sys-traffic-nat add destination 7.7.7.7 snatip 172.29.246.1

    system ipsec_route add host 7.7.7.7 tunnelname remotebranch

    172.29.246.0/24 is on the local side of the IPSEC tunnel and the remote side of the IPSEC tunnel. All traffic is flowing fine between the subnets for normal communication, so the IPSEC tunnel is working fine and able to see the subnet.

    Source side packet capture:

    Destination side packet capture:

  • If I had been planning to do this 7 years ago when we set up this company with its 83 servers and 13 subnets, I would probably have gone with a route-based VPN, but it is too late now, so I need to find a way to do it with a policy-based VPN.