

Sophos v19 Site To Site VPN Multiple Wan Routing Problem

Hello everyone,

After migrating to version 19, we wanted to remove the migrated rules and rewrite the whole configuration. However, we ran into some problems with the reconfiguration.

We have 2 WAN internet interfaces and do not do load balancing or redundancy on the WAN outputs.

There are more than 30 VLAN networks inside (LAN interfaces).

The servers in these VLANs need to exit to the internet from different WAN interfaces.

At the same time, these servers are also accessed site to site over IPsec VPN (not tunnel interface).

We have 6 site-to-site IPsec connections (not tunnel interface).

I have the same problem in all of them. I will try to explain the problem using one of them as an example.

You can find the rules I wrote for vpn and internet output below.

My Site (A) WAN1: 1.1.1.1 (Sophos Port 6)
My Site (A) WAN2: 2.2.2.2 (Sophos Port 3)
Remote Site (B) WAN: 3.3.3.3

Site-to-site IPsec: My Site (A) 1.1.1.1 ----> Remote Site (B) 3.3.3.3

192.168.2.0/24   My Site (A) local subnet

192.168.218.0/24   Remote Site (B) local subnet

My Site (Firewall Rules)

LAN (192.168.2.0/24) TO VPN (192.168.218.0/24) ANY. 1st rule

VPN (192.168.218.0/24) TO LAN (192.168.2.0/24) ANY. 2nd rule

LAN (192.168.2.0/24) TO WAN (internet). LAN to WAN access rule for the network, 3rd rule (no web filter, no app filter, only the LAN TO WAN IPS filter)

My Site (NAT Rule) for 192.168.2.0/24

Original source (192.168.2.0/24)
Original destination (ANY)
Original services (ANY)
Translated source - SNAT (1.1.1.1)
Translated destination (original)
Translated service (original)
Inbound interface (VLAN-2)
Outbound interface (ANY)

There is no SD-WAN routing rule.

- With the above configuration, the 192.168.2.0/24 network can exit to the internet from the 1.1.1.1 IP address. However, while it should go out via Port 6, it goes out to the internet via Port 3 with this IP address.

- The 192.168.2.0/24 network cannot reach 192.168.218.0/24 over the site-to-site IPsec, but the 192.168.218.0/24 network can reach 192.168.2.0/24 on our side.

IPsec connections need to go without NAT. The NAT rule applies to every packet leaving the 192.168.2.0/24 network, and I guess that's why 192.168.2.0/24 can't reach 192.168.218.0/24.

I want the 192.168.2.0/24 and 192.168.218.0/24 networks to talk to each other over IPsec, and the 192.168.2.0/24 network to exit to the internet via the 1.1.1.1 WAN interface.

It doesn't work when I write an SD-WAN routing rule either, because it sends all packets from 192.168.2.0/24 to WAN1 (1.1.1.1). There is no IPsec communication.
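The following is an added illustration, not code from the original post or from Sophos: a small first-match model of the poster's SNAT rule, used to check the hypothesis above that a rule with original destination ANY also rewrites the source of packets bound for the Site B subnet. It assumes top-down, first-match evaluation of the NAT table (the assumption the model is built on) and shows, as a comparison, what a more specific exemption rule placed above the SNAT rule would do to the same two packets. Rule names, the sample packets and the exemption rule are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    """One SNAT rule in the order it appears in the table.

    orig_src / orig_dst are CIDRs or the literal "any".
    snat_to is the translated source address, or None for "keep the
    original source" (an explicit no-NAT exemption, an assumption of this model).
    """
    name: str
    orig_src: str
    orig_dst: str
    snat_to: Optional[str]


def _matches(selector: str, ip: str) -> bool:
    if selector == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector)


def apply_snat(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Evaluate the table top-down; the first matching rule wins.

    Returns (name of the matching rule or None, source address after translation).
    """
    for rule in rules:
        if _matches(rule.orig_src, src) and _matches(rule.orig_dst, dst):
            return rule.name, (rule.snat_to or src)
    return None, src


# The rule exactly as described in the post: source 192.168.2.0/24, destination ANY,
# translated source 1.1.1.1.
POSTED_RULES = [
    NatRule("SNAT VLAN-2 to WAN1", "192.168.2.0/24", "any", "1.1.1.1"),
]

# Comparison table (constructed, not from the post): a more specific rule for the
# Site B subnet sits above the catch-all and keeps the original source.
EXEMPTED_RULES = [
    NatRule("No NAT to Site B", "192.168.2.0/24", "192.168.218.0/24", None),
    NatRule("SNAT VLAN-2 to WAN1", "192.168.2.0/24", "any", "1.1.1.1"),
]

# Constructed sample packets: one toward the remote LAN, one toward the internet.
TO_SITE_B = ("192.168.2.10", "192.168.218.5")
TO_INTERNET = ("192.168.2.10", "93.184.216.34")


def compare_tables() -> dict:
    """Run both packets through both tables; keyed by (table, packet)."""
    out = {}
    for table_name, table in (("posted", POSTED_RULES), ("exempted", EXEMPTED_RULES)):
        for pkt_name, (src, dst) in (("site_b", TO_SITE_B), ("internet", TO_INTERNET)):
            out[(table_name, pkt_name)] = apply_snat(table, src, dst)
    return out


if __name__ == "__main__":
    for (table, pkt), (rule, new_src) in compare_tables().items():
        print(f"{table:9s} {pkt:9s} matched={rule!r:28s} source after NAT={new_src}")
```

With the posted table, the packet for 192.168.218.5 leaves with source 1.1.1.1, so the remote side never sees a 192.168.2.0/24 source and the IPsec selectors do not cover it; with the exemption rule first, only the internet-bound packet is translated.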


