SNAT For Radius via IPsec

Hello All!


Does anyone know why a SNAT rule needs to be configured for RADIUS when sending the traffic over an IPsec connection? To my understanding, IPsec should simply encapsulate the packet and send it out of the WAN interface with a destination address of the remote site and a source address of the originating site. Additionally, the route tables of the UTM appliances will then contain proto ipsec routes so that the systems understand that they'll need to send the traffic over IPsec. If I have to set a SNAT rule, then in my humble opinion something seems broken with the way that the appliance is working with RADIUS. I would love to hear from others regarding this.


Best Regards,


Alex



  • Hi Alex,

    I am not sure, but it might be related to your current setup, which needs the SNAT rule. I would like to learn more about this case; could you PM me the details of who suggested this configuration to you and the case #?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • We would need to know the definition of the VPN tunnel and the IPs of the source and destination addresses.  Obfuscate like 172.21.X.0/24:215.X.Y.12<-->54.X.Y.73:10.X.Y.0/22.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob! 


    I appreciate that! I continued to work with the Sophos support engineers and it was agreed that this issue actually arose from the lack of proto ipsec routes in the routing table in the branch office. Per my understanding, in the Linux/Unix world these routes actually have to exist; otherwise the UTM doesn't understand how to cope with the IP packets, and when this occurs you have to use a SNAT rule and then apply the SNAT rule to the IPsec tunnel.


    For those who are unaware: if you access the web admin UI and click Support > Advanced > Routes Table, you should be able to see the entire route table in all of its glory.

    Below is a lab example ( As Bob suggested :) ) of what you'd expect to see. 

    10.0.33.0/24 dev eth1 proto ipsec scope link src 10.2.18.1

    In the lab example above the network 10.0.33.0/24 is a remote network in a branch office, and "proto ipsec scope link" per my understanding tells the UTM, "Hey, this is an IPsec route and you'll need to use the IPsec application to make the magic happen (IPsec encapsulation) before routing the packet to its destination (which becomes the gateway address of the remote UTM)."

    The "src 10.2.18.1" portion, per my understanding, is used so that you have a proper source address to use in the packet header. This is where the use of SNAT comes in, because you'll be able to force via software where the source address is coming from instead of having the routing table do it.


    The support engineer and I agreed that it was really strange. Officially the cause couldn't be figured out. However, this is clearly not normal and expected behavior.

    The version of UTM that I had the issue on is 9.507-1.

    The model of UTM is an SG115 ver3, I think. It's one of the newer lines that has the HDMI and USB console port on it.

    The UTM was not a ground-zero build. I created a base configuration and had applied a license file to it. However, when I made a backup configuration I stripped the license information from it.


    I hope my experience/posting is helpful. Thank you, everyone, and especially thank you to the Sophos support staff.

    -Alex
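To make the source-address point in Alex's post concrete, here is an added example (not from the thread or from Sophos) that parses constructed `ip route` lines in the shape of the lab entry above, does the kernel's longest-prefix lookup for a RADIUS server in the remote network, and reports which `src` the request would be sent with and whether a SNAT rule would have to force it. The addresses, the tunnel network list and the rule that a proto ipsec route with an in-tunnel `src` hint means no SNAT are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample route table in `ip route` format (not from a real UTM); the
# proto ipsec line has the same shape as the lab entry quoted in the thread.
ROUTE_TABLE = """\
default via 203.0.113.1 dev eth0 proto static src 203.0.113.2
10.0.33.0/24 dev eth1 proto ipsec scope link src 10.2.18.1
10.2.18.0/24 dev eth1 proto kernel scope link src 10.2.18.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.2
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)\s+(?:via\s+\S+\s+)?dev\s+(?P<dev>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?(?:\s+scope\s+\S+)?(?:\s+src\s+(?P<src>\S+))?"
)

def parse_routes(text):
    """Turn `ip route` output into (network, dev, proto, src) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
            routes.append((ipaddress.ip_network(dst, strict=False),
                           m["dev"], m["proto"], m["src"]))
    return routes

def without_ipsec_routes(text):
    """Model the branch office in the thread: the proto ipsec routes are missing."""
    return "\n".join(l for l in text.splitlines() if " proto ipsec " not in l)

def lookup(routes, dest):
    """Longest-prefix match, as the kernel does for a locally generated packet."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def snat_needed(route_text, radius_server, tunnel_local_nets):
    """Return (selected_src, needs_snat). The packet takes the `src` hint of the
    matching route; SNAT is needed (assumption) unless that route is proto ipsec
    and the hint lies inside a network the tunnel policy covers."""
    route = lookup(parse_routes(route_text), radius_server)
    if route is None or route[3] is None:
        return None, True
    src = ipaddress.ip_address(route[3])
    covered = any(src in ipaddress.ip_network(n) for n in tunnel_local_nets)
    return str(src), not (route[2] == "ipsec" and covered)
```

With the proto ipsec route present the request leaves as 10.2.18.1 and needs no SNAT; with that route missing it falls to the default route and would leave as the WAN address 203.0.113.2, which is the situation the SNAT rule papers over.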




  • Do you need RADIUS inside your Sophos for remote authentication? Or do you want RADIUS requests between the networks?

  • This may be the issue related to an IPsec problem that a client in Detroit and I had.  Please PM me the case # so that I may communicate it to the engineer on the GES team so that he can give it to the developer working on this now.

    Cheers - Bob

  • We use RADIUS between two sites to authenticate our corporate users that wish to access Corporate Wireless.