
What does „system ipsec_route“ really do?

Hi, maybe a dumb question, but what does the command really do?

Maybe it is because of my special setup with the BO firewall tunneling all traffic to the HO firewall. But as far as I understood the (very well hidden) comparison, whenever I want to do DHCP relay over IPsec I will have to add a system ipsec_route to the DHCP server using the IPsec tunnel.

https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/SiteToSiteVPN/IPsec/S2sVPNIPsecRoutesNAT/index.html#use-cases

Today I played around with DHCP relaying over a (policy-based) VPN. I do not see any need for the system ipsec_route at all. I have set up some rules in the advanced firewall via the console for system-generated traffic, and as far as I can tell everything is working fine.

My BO firewall has no MASQ rule active and a „local networks to Any“ VPN connection.
For every DHCP scope I configured an advanced firewall rule for system traffic to the DHCP server in the HO: mask 255.255.255.255, the interface where I want DHCP relay to be in place, and SNAT to the firewall's IP in the specific local network (e.g. 10.0.0.1 in 10.0.0.0/24). One rule for every VLAN interface where I want DHCP to be in use.
Then a general route for the firewall pointing to 0.0.0.0 0.0.0.0 with SNAT to one of its local IPs (for internet connectivity).

In DHCP relay I configured relaying to the DHCP IP with the „IPsec“ checkbox checked.

Maybe someone can answer the following question for me: why should my setup from above not work over a tunnel-interface VPN?
I haven't tested it yet, but I see no reason why it should not work.



  • Maybe it is easier to understand with a picture.

    Let's say I have a DHCP server with 192.10.10.10 in the HO. Then my advanced-firewall rules on the BO firewall would be like this:

    NAT policy for system originated traffic
    ---------------------

    Destination Network   Destination Netmask   Interface   SNAT IP
    192.10.10.10          255.255.255.255       Port1       10.20.20.1
    0.0.0.0               0.0.0.0                           10.20.20.1

    As I said, I have no entry in "system ipsec_route show". Why would I need it? That's the point I don't understand.

    The VPN connections in my scenario are:
    HO:   ANY <-> 192.20.20.0/24
    BO: 192.20.20.0/24 <-> Any

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • OK, meanwhile I discovered that the rule is needed, because otherwise it would cause trouble with DHCP leases.
    It works generally, but the time for a network client to get an IP address was drastically increased.

    After I added the ipsec_route to the DHCP server the DHCP leases are received instantly.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner
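The configuration described in this thread (the SNAT entries for system-originated traffic from the first post and the table above, plus the IPsec route Kevin added in his last reply), written out as the SFOS console commands it corresponds to. This is an added illustration, not part of the original posts and not taken from Sophos documentation. The DHCP server 192.10.10.10, interface Port1 and SNAT address 10.20.20.1 are the values used in the thread; the tunnel name BO_to_HO is assumed and must match the name of the IPsec connection as shown in the web admin. Lines starting with # are annotations, not console input.

```console
# Log in to the SFOS console (option 4 from the admin menu) and review the
# current NAT policy for system-originated traffic.
console> show advanced-firewall

# One entry per interface on which DHCP relay is in use: firewall-originated
# traffic to the DHCP server leaves Port1 with the firewall's own Port1 address
# as source, so the reply comes back into the same network.
console> set advanced-firewall sys-traffic-nat add destination 192.10.10.10 netmask 255.255.255.255 interface Port1 snatip 10.20.20.1

# Catch-all entry for the remaining system traffic (internet connectivity),
# as in the second row of the table above; no interface is given there.
console> set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 snatip 10.20.20.1

# Without an IPsec route the list is empty, which is the state Kevin describes.
console> system ipsec_route show

# Steer firewall-originated traffic for the DHCP server into the policy-based
# tunnel. tunnelname is the IPsec connection name; BO_to_HO is assumed here.
console> system ipsec_route add host 192.10.10.10 tunnelname BO_to_HO

# Verify the route is present; remove it again with "del" if needed.
console> system ipsec_route show
console> system ipsec_route del host 192.10.10.10 tunnelname BO_to_HO
```

Two caveats a practitioner will want: the console offers `?` completion on every command, so the exact parameter names for the `sys-traffic-nat` entries should be confirmed on the running SFOS version rather than trusted from this example. And `system ipsec_route` only applies to policy-based IPsec connections; with a route-based (tunnel interface, xfrm) VPN the firewall's own traffic is steered with an ordinary static route over the tunnel interface instead, which is the part of the original question that the thread itself never tested.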
