Only allow specific networks to communicate within IPSec site-to-site Tunnel

Dear all,

I have a question with regards to an IPSec site-to-site Tunnel configuration.

I have multiple local and remote networks, that need to communicate with each other but not ALL networks.

For example:

Local Networks: 1a, 2a, 3a

Remote Networks: 1b, 2b, 3b

But only 1a needs to communicate with 1b, 2a to 2b etc.

How can I configure this? Because if I add all three networks on both sides I see that several SAs are built up, also 1a to 2b, 1a to 3b etc., which I don't need at all.

I hope my problem is clear and someone can help me.

Thanks in advance!

Best regards

Daniel



  • That might be accomplished by setting up your static routing.  I haven't messed with that much, but setting static routes will probably be a good place to start there.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thanks for the answer, I know what you mean.

    And I already have IPSec VPNs configured with a tunnel interface and static routes pointing to that.

    But that is unfortunately not possible here, because this is a customer VPN where the other side doesn't support IPSec with Tunnel Interfaces.

    I asked how to do this within a site-to-site IPSec VPN, because this is how the tunnel is set up at the moment (with specific SAs).

  • Clear the checkbox "Automatic firewall rule" within the IPSec config and create firewall rules matching your needs.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
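
The following Python script is an added illustration of the advice above; it is not code from the thread, from Sophos or from any UTM configuration. It models two things: that listing every local and every remote network on one site-to-site connection makes the tunnel negotiate the full local x remote cross product of traffic selectors (nine child SAs for three networks a side, six of them never wanted), and that replacing the automatic any-to-any IPsec rule with explicit firewall rules per permitted pair still drops 1a-to-2b traffic even though an SA for it exists. The network addresses, the hypothetical `ALLOWED_PAIRS` list and the first-match rule evaluator are all assumptions made for the example; the thread does not give the real networks.

```python
"""Added example: SA selector cross product vs. per-pair firewall rules.

Not code from the forum thread or from Sophos UTM. The addresses below are
constructed stand-ins for the poster's networks 1a/2a/3a and 1b/2b/3b.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed sample networks (assumption; the real ones are not in the post).
LOCAL = {
    "1a": ip_network("10.1.0.0/24"),
    "2a": ip_network("10.2.0.0/24"),
    "3a": ip_network("10.3.0.0/24"),
}
REMOTE = {
    "1b": ip_network("192.168.1.0/24"),
    "2b": ip_network("192.168.2.0/24"),
    "3b": ip_network("192.168.3.0/24"),
}
# Hypothetical list of the only pairs that are supposed to communicate.
ALLOWED_PAIRS = [("1a", "1b"), ("2a", "2b"), ("3a", "3b")]


def sa_selectors(local, remote):
    """Traffic selectors (and hence child SAs) negotiated when every local
    and every remote network is placed on one site-to-site connection:
    the full local x remote cross product, not just the wanted pairs."""
    return [(lnet, rnet) for lnet, rnet in product(local.values(), remote.values())]


def unused_selectors(local, remote, allowed):
    """Selectors the tunnel negotiates that no permitted pair ever needs."""
    wanted = {(local[a], remote[b]) for a, b in allowed}
    return [sel for sel in sa_selectors(local, remote) if sel not in wanted]


def build_rules(local, remote, allowed):
    """Explicit rules to use instead of the automatic IPsec firewall rule:
    one allow per permitted pair in each direction, then a catch-all drop.
    A stateful firewall would only need the initiating direction; both are
    listed here because either site may start a connection."""
    rules = []
    for a, b in allowed:
        rules.append((local[a], remote[b], "allow"))
        rules.append((remote[b], local[a], "allow"))
    any_net = ip_network("0.0.0.0/0")
    rules.append((any_net, any_net, "drop"))
    return rules


def evaluate(rules, src, dst):
    """First-match evaluation of a source/destination address pair."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "drop"  # nothing matched: same as the implicit default drop


if __name__ == "__main__":
    negotiated = sa_selectors(LOCAL, REMOTE)
    unwanted = unused_selectors(LOCAL, REMOTE, ALLOWED_PAIRS)
    print(f"{len(negotiated)} SAs negotiated, {len(unwanted)} of them unwanted")
    rules = build_rules(LOCAL, REMOTE, ALLOWED_PAIRS)
    for src, dst in [("10.1.0.5", "192.168.1.7"),   # 1a -> 1b, wanted
                     ("10.1.0.5", "192.168.2.7")]:  # 1a -> 2b, unwanted SA exists
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
```

The unwanted SAs still exist on both gateways; the firewall rules only stop traffic from using them. The remote side should apply the same restriction on its own firewall, since a rule here cannot stop the peer from sending 1b-to-2a packets into the tunnel, only from accepting them on arrival.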

  • Hello and welcome to the UTM Community.

    The guys have given you good answers, you will also be interested in #2 in Rulz (last updated 2021-02-16).

    Cheers -  Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA