force outgoing through the xfrm interface

RE: force outgoing through the xfrm interface

Gib GoDesk — Tue, 19 Nov 2024 11:44:49 GMT

Hello, everyone.

Lucar and Sreenivasulu. Thank you for your support. Since it was a temporary migration solution, we rushed to migrate. However, after that, I calmly reviewed the articles written by Lucar again and I remembered some things and was able to apply them the way I wanted.

I appreciate your help.

RE: force outgoing through the xfrm interface

Sreenivasulu Naidu — Thu, 14 Nov 2024 10:14:10 GMT

Hi @Gib GoDesk,

Pls try below configs (with reference to this setup): client1---LAN---SFOS1<Initiator>-----wan---<Responder>SFOS2---LAN----client2

* Firewall rule on SFOS1: Source zone:LAN, source networks: Any, Destination zone: VPN, Destination networks: LAN port of SFOS1 (PortA)

* Firewall rule on SFOS2: allow VPN to LAN zone

* NAT rule on SFOS1:

Original source: LAN n/w of SFOS1; Original destination: LAN port of SFOS1 (PortA)

Translated source(SNAT): MASQ, Translated destination(DNAT): ip address 192.168.102.1

Inbound interface: Any, Outbound interface: Any

Original service or Translated service: as per your need

* Use static route on SFOS1 to reach far end LAN via xfrm1; similarly on SFOS2

RE: force outgoing through the xfrm interface

Gib GoDesk — Wed, 13 Nov 2024 12:40:57 GMT

Thank you for your time.

My criteria is set to: Static route, SD-WAN route, VPN route.
I do not have any static routes configured.

The SD-WAN rule to be used is the first one:

Lines 2 and 3 are other VPNs to other Networks and talk to other Sophos. And finally, only public Internet addresses go out to the Internet.
Rule Details:

NAT RULES:

RE: force outgoing through the xfrm interface

Srisakthi S — Wed, 13 Nov 2024 06:09:09 GMT

Any other selection criteria in your SD-WAN route configuration which is making traffic to 192.168.101.1 to bypass (a snapshot would help) ? Also what is the route precedence configured in your SFW?

RE: force outgoing through the xfrm interface

Gib GoDesk — Tue, 12 Nov 2024 19:06:40 GMT

Thank you for your time, LuCar Toni.

Yes, I'm considering updating it soon. I just got caught in the eye of the storm in the environment in question.

I also appreciate your document. I've already used it and several other recommended reading articles that you created. You do a great job for the community.

I only use SD-WAN and I reach the destination normally through it.

The source configuration is set to any. The destination is at redfe 192.168.102.0/24. I only have one GW, which is the one linked to xfrm.

I can't mentally draw this packet flow when it is addressed to the IP directly from Sophos on the LAN interface, but if it doesn't go to the SFW, when it passes through any IP on my LAN, DNAT and MASQ work.

This is how it works:

src: any -> dst: 192.168.101.10 (SERVER ON LAN) PORT: 8080
translates to:
src: 172.16.0.1 (XFRM IP\as object) -> dst: 192.168.102.10 (SERVER IP ON VPN) PORT: 8080

This way when I look at the capture I see the correct communication, it enters and leaves through xfrm.

When I do it for the IP that is in the SFW, it doesn't work:

src: any -> dst: 192.168.101.1 (SophosFW IP - PortA \ LAN) PORT: 8080
translates to:

src: 172.16.0.1 (XFRM IP\as object) -> dst: 192.168.102.10 (SERVER IP IN THE VPN) PORT: 8080

This way it doesn't work and when I look at the capture it is going out through the PortB internet interface or instead of going out through the xfrm interface.

I know that this is traffic generated by the system itself and so I may need to use the settings to force SNAT. However, I understand that I don't need to. My SDWAN rule is very comprehensive and I am using an IP directly used in the IPsec VPN connection interface.

RE: force outgoing through the xfrm interface

LuCar Toni — Tue, 12 Nov 2024 17:35:29 GMT

You should consider to update your firewall.

And please read this: Sophos Firewall: Routing in Sophos Firewall with SD-WAN PBR

The main takeaway: SFOS NAT will not change the routing decision. You still need routing + NAT to get your setup running.