Static Route to IP-Sec Tunnel

Hello Sophos community,

I have a question regarding static routing and IP-Sec tunnels.

In the IP-Sec configuration "Any" (0.0.0.0/0) is specified as the external subnet, so it is possible to use it for all subnets. The remote site does not support policy-based VPN and uses route-based. The option "bind to local interface" is activated on the UTM side, so no default route is set.

The problem now is that I am not sure how to route different subnets to the IP-Sec tunnel. When I create a static route for subnet x and interface eth0 (also the IP-Sec interface) it is not working. I checked the route and the "src" option is missing in comparison to the routes set by the UTM itself, so it is not working. If I add the route manually in the console it is working.

Is there a way to add a route to the IP-Sec tunnel in the interface?

Thanks

  • Hallo soni and welcome to the UTM Community!

    Say you have something like:

    LAN<-->UTM<--VPN Tunnel-->Remote Endpoint Router<-->Subnet 1 (Subnet 2 is not defined in the tunnel)

    To add a route for Subnet 2, add it to 'Remote Networks' in the Remote Gateway definition and to the equivalent of 'Local Networks' in the Remote Endpoint Router.

    If you're not able to make a change in the Remote Router, you must bind the IPsec Connection to the Interface and then create an Interface Route for Subnet 2.

    Was that your question?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Thanks very much.


The problem is that for a policy-based VPN, a separate SA is created for every subnet. So for every SA we also need one on the remote router. This is not a good option; it would be better to use "Any" as the remote network so the proxy ID is 0.0.0.0/0. In this case it is possible to use one tunnel for all subnets, similar to a routed VPN.

I already activated the option "bind to interface" but the problem now is how to route subnets to the VPN tunnel. You say "create an interface route" but this does not seem to work. I created a static route with the subnet 10.2.1.0/24 to interface WAN.


I compared it with the automatically created route when the bind option is not set. It is something like this:

    10.2.1.0/24 dev eth1 proto ipsec scope link src 10.1.1.1

In this case it is working. If I create an interface route in the UTM it looks like this:

    10.2.1.0/24 dev eth1 proto static scope link metric 5

This is not working: the "src" option is missing and the subnet is not reachable. But I cannot add such routes manually.


    Do you have any idea? Is the problem clear? Sorry for bad description.
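As an added illustration of the check described in this post (not code from the thread or from Sophos), the following Python snippet parses `ip route list` output and reports static routes on the tunnel-bound interface that lack the `src` hint carried by the ipsec-generated routes; the sample output, interface names and 10.x addresses are constructed.

```python
from typing import Dict, List

# Constructed sample of "ip route list" output modelled on the two route lines
# quoted in the thread: the ipsec-generated route carries "src", the static one
# created through the UTM interface does not.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth1 proto static
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.1
10.2.1.0/24 dev eth1 proto ipsec scope link src 10.1.1.1
10.2.2.0/24 dev eth1 proto static scope link metric 5
"""

# iproute2 keywords that are followed by a value; anything else is a bare flag.
_VALUED = {"via", "dev", "proto", "scope", "src", "metric", "table"}


def parse_route(line: str) -> Dict[str, str]:
    """Turn one 'ip route list' line into a dict of its attributes."""
    tokens = line.split()
    route = {"dst": tokens[0]}
    i = 1
    while i < len(tokens):
        if tokens[i] in _VALUED and i + 1 < len(tokens):
            route[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            route[tokens[i]] = ""  # flag-style keyword such as "onlink"
            i += 1
    return route


def routes_missing_src(output: str, dev: str) -> List[Dict[str, str]]:
    """Static, non-default routes on `dev` that carry no src hint."""
    parsed = (parse_route(ln) for ln in output.splitlines() if ln.strip())
    return [
        r for r in parsed
        if r.get("dev") == dev
        and r.get("proto") == "static"
        and r["dst"] != "default"
        and "src" not in r
    ]


def suggested_fix(route: Dict[str, str], src_ip: str) -> str:
    """Build the 'ip route replace' command that adds the missing src hint."""
    cmd = f"ip route replace {route['dst']} dev {route['dev']} scope link src {src_ip}"
    if "metric" in route:
        cmd += f" metric {route['metric']}"
    return cmd
```

Run it against real `ip route list` output on the console to see which UI-created interface routes lack `src`; the printed command is the manual fix the post describes, with the local interface IP as the source.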

  • Please show a picture of the Edit of your Static Route with the subnet definition open.  Also a picture of the Edit of the IPsec Connection.

    Cheers - Bob

  • Hello Bob,

attached are the pictures of the VPN connection and the static route. 10.0.0.0/8 is only an example; it could be any other network. When I set the static route manually in the console with the source option, it is working.


  • Let me describe this in my own words to see if I understand...

    From your LAN, you want to reach some subnets behind the other IPsec endpoint.  You only want to have a single SA.  The SA in your last example is

    {LAN}:{your public IP}<>{remote public IP}:10.0.0.0/8

    What IPs outside of 10.0.0.0/8 do you want to reach through the tunnel?  What IPs inside 10.0.0.0/8 should not be reached through the tunnel?

    Cheers - Bob

  • Hello Bob,

correct, one example of a further network is 172.168.0.0 or some specially routed public IPs. In the example all 10.x IPs on the remote side cannot be reached.

I tried it from the UTM console and also checked all routes with "ip route list". The route is set but, as stated in my previous post, it is not working until I add the "src" option with an interface IP of an internal network on my side. This is the default for all routes, so every route except the static routes added in the interface has the src value.

When I disable the option "bind to local interface" the UTM adds the route automatically and uses the first local interface IP for the src value. But this is not a solution because the route is 0.0.0.0/0 in this case.

  • When you bind to the interface, you must create all of the routes for traffic you want to pass through the tunnel.  E.g., an Interface Route for 10.0.0.0/24 bound to WAN.

    There's only one way I can imagine this working, and it's not something I've tried:

    1. Create a Remote Gateway with "Any" in 'remote Networks' (or maybe "Internet IPv4" instead - I would try both approaches).
    2. Create an IPsec Connection bound to the Interface using the new Remote Gateway.
    3. Create an Interface route for 10.0.0.0/8 on WAN with metric 5.
    4. Create Interface routes for {other IPs/subnets to be reached through the tunnel} on WAN with metric 5.
    5. Create a Gateway Route for "Internet IPv4" pointing to the default gateway of WAN with metric 10.
    6. The remote router will need a Masq rule for your LAN IPs.

    Any luck with that?

    Cheers - Bob

  • Hello Bob,

thanks very much, I will check this soon and will let you know.

  • Hello Bob,

one question: the WAN gateway is already the default for all IPv4 addresses (option in the interface settings). Should I disable this option?

  • I would not change the Interface definition.

    Cheers - Bob

  • Hello Bob,

here is some feedback: I created the routes but it seems that they are not necessary. Even if there is no static route, for example for the 10.x network on the remote side, it is working. It is not possible to create the gateway route for the public IPs. A message is shown that a default route can only be specified in the interface settings. This is what I meant in my post before. The default route is the WAN gateway.

But I am not sure why it is working. When all traffic is routed by default to the WAN interface, why is the traffic routed to IP-Sec? And what does it mean when I add Any in remote network? Does it mean that all public traffic is also routed to IP-Sec then? It is not clear to me because it worked from all LAN networks without static routes even though IP-Sec is bound to the local interface (WAN).

    Thanks

  • You must use Interface Routes to get traffic through the tunnel - Gateway Routes won't work.

    Cheers - Bob

  • Hello Bob,

ok, I thought it was only related to the internal subnets or public IPs routed to the tunnel. The problem is related to the following step:

    > Create a Gateway Route for "Internet IPv4" pointing to the default gateway of WAN with metric 10.


This is not possible, as stated; it does not matter if it is a gateway or an interface route.

All other steps worked, but then the complete internet traffic is also routed to the IP-Sec because of the prioritized VPN policy route.


    Any idea?

  • Then I don't think this is possible.  Thanks for trying it and letting us know.

    Cheers - Bob

  • Hello Bob,

Thanks. I can try to set it in the console for testing, but I think the VPN route comes before the static route, correct?

Someone that knows iptables probably could solve this, but that is not me.

    Cheers - Bob
