This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec route over gateway route

Hi all,

I want to know how does the Sophos UTM take priority on network routing.

Take the snapshot below as an example. This routing table is taken from the Sophos UTM at Support > advanced > Routing Table

default via <ISP gateway> dev eth1  table 200  proto kernel onlink 
local default dev lo  table 252  scope host 
default via <ISP gateway> dev eth1  table default  proto kernel  metric 20 onlink 
10.10.0.0/16 dev eth1  proto ipsec  scope link  src 10.20.0.2 
10.10.0.0/16 via 10.20.0.1 dev eth0  proto static  metric 5

The reason there are 2 routes for 10.10.0.0/16 is that I have a site to site VPN configured for subnet local to the UTMA 10.20.0.0/16 to remote subnet behind UTMB 10.10.0.0/16. This site to site VPN is a backup connection.

I configured the static route (gateway route type) is because I want the UTM to route traffic like email notification, Syslog via this static route to our email relay server and Syslog server while the main connection is UP, and if the main connection goes down, it can still send the traffic to via the site to site VPN. *Please note that the main connection is not connected via the UTM.

It seems like the route created by the site to site VPN is taking priority over than the static route.

Is there a way for the static route to override the IPSec route? Am I making a mistake on the configuration to achieve what I want to do?

Any help would be much appreciated.

Thanks,

This thread was automatically locked due to age.

Parents

0 Karlos over 7 years ago

Hi wutevatse

By default, the route priority is as follows: IPsec, Static and Policy Routes. As you can see from the route table, the static route shows a metric of 5 and the IPsec does not show a metric because it has default metric of 0. To place priority on static route, you must set a metric of 0 on the static route under the Advanced tab.

Also, to eliminate this problem of overlapping subnets, please refer to: Sophos UTM: How to tunnel between two UTMs which use the same LAN network range

Karlos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Karlos over 7 years ago

Hi wutevatse

By default, the route priority is as follows: IPsec, Static and Policy Routes. As you can see from the route table, the static route shows a metric of 5 and the IPsec does not show a metric because it has default metric of 0. To place priority on static route, you must set a metric of 0 on the static route under the Advanced tab.

Also, to eliminate this problem of overlapping subnets, please refer to: Sophos UTM: How to tunnel between two UTMs which use the same LAN network range

Karlos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 wutevatse over 7 years ago in reply to Karlos

Karlos,

Thanks for the reply.

I found out that the IPsec route has a metric value of 0 after reading the online help. So I changed the metric value of the static route to 0 as that's the lowest value I can set.

I check the routing table after the change, the static route was removed from the routing table. Only the IPSec route was left on the routing table. So with that change, IPsec route is still taking priority over.

Thanks,

MT
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago in reply to wutevatse

To be able to use Static Routing, you will need to bind the IPsec Connection to an Interface - see the help.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel