Set source IP for site to site IPSec VPN using 'Tunnel Interface' connection type linking multiple subnets

Question

We have multiple site to site VPNs setup with connection type 'Tunnel Interface'. The VPN links connect multiple remote subnets. How does XG pick a source IP because it seems to be random and can change when we re-establish a connection. This causes issues because we send Syslog traffic from the XG over the VPN and need the source IP to be consistent. 
 As an example: The remote site has subnets 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24. The XG has an IP address for each subnet of 192.168.1.1, 192.168.2.1, 192.168.3.1 The syslog data can have a source address of any of the three IPs and it can change when the VPN is re-established (e.g. after a reboot). 
 If we use a 'site-to-site' connection type, you specify the source IP as part of the setup. Is there a way to specify/fix the source address if you are using a 'Tunnel Interface' connection type? I don't really want to have to rebuild all our site to site VPNs.

vamshi d · Accepted Answer

Hi JasP , Thanks for the topology details. 
 Generally in SFOS IPsec , The source address is based on the 1st child SA ( local subnet) which gets established after the Tunnel is UP. So hence the behaviour XG picks one of the LAN IPs that is routable for the 1st child SA established. 
 Since you are using Routebased VPN with specific traffic selectors (local remote subnets) configured, it still needs a XFRM IP address for your usecase. Below are some additional steps required. 
 1) Configure the XFRM Interface IP address ( it is still required although not mandatory for normal RBVPN with traffic selector usecases) on both the Nodes in the same subnet (preferably else routing to be configured). 1) Add the Local XFRM Interface IP into the local Subnet for the respective XG nodes 
 2) Add the Remote XFRM Interface IP into the remote Subnet for the respective XG nodes. 
 3) In the Firewall rule, add the linked NAT rule with MASQ 
 4) Traffic will use XFRM IP as source address at the destination. 
 
 Regards, Vamshi

vamshi d · Answer

Hi JasP , The XFRM IP address is the one binded to the XFRM interface ( under Network->Interfaces) and so it will always be unique. https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNCreateRouteBasedVPN/index.html#introduction 
 If I understand your topology right, I believe 192.168.1.1, 192.168.2.1 or 192.168.3.1 are the connected LAN interface IPs. 
 Regards, 
 Vamshi

Sreenivasulu Naidu · Answer

Hi @Jasp, SFOS supports hosts or networks in 'local subnet' and 'remote subnet configs in the IPsec page for route based IPSec (connection type - Tunnel interface) that kind of mimic 'site-to-site' type of IPSec. The static routing that is configured on xfrm interface when local/remote subnets as 'Any/Any' will be auto configured while using specific local/remote subnets. Please check if this helps. 
 https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SiteToSiteVPN/HowToArticles/S2sVPNRouteBasedWithTrafficSelectorsCreate/index.html#create-a-route-based-vpn-tunnel-ho

Set source IP for site to site IPSec VPN using 'Tunnel Interface' connection type linking multiple subnets

Top Replies