
Static Route to IP-Sec Tunnel

Hello Sophos community,

I have a question regarding static routing and an IP-Sec tunnel.

In the IP-Sec configuration, "Any" (0.0.0.0/0) is specified as the external subnet, so it is possible to use it for all subnets. The remote site does not support policy-based VPN and uses route-based. The option "bind to local interface" is activated on the UTM side, so no default route is set.

The problem now is that I am not sure how to route different subnets to the IP-Sec tunnel. When I create a static route for subnet x and interface eth0 (also the IP-Sec interface), it is not working. I checked the route and the "src" option is missing in comparison to the routes set by the UTM itself, so it is not working. If I add the route manually in the console, it works.

Is there a way to add a route to IP-Sec tunnel in the interface?

Thanks
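The poster above compares a route created in WebAdmin with the routes the UTM sets itself and notices that the "src" attribute is missing. The following is an added example, not from the thread or from Sophos: it assumes the "src" in question is the preferred-source attribute shown by iproute2's `ip route show`, and uses constructed sample route lines (interface name `eth0`, address `192.0.2.10`, subnets `10.20.0.0/24` and `10.30.0.0/24` are all made up). It lists interface routes on a device that carry no preferred source and builds the `ip route add ... src ...` command that would add one explicitly.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos). Constructed sample
# output in "ip route show" format; interface, addresses and subnets are
# assumptions chosen for illustration.
SAMPLE_ROUTES='10.20.0.0/24 dev eth0 scope link src 192.0.2.10
10.30.0.0/24 dev eth0 scope link
default via 192.0.2.1 dev eth0'

# Print the destinations of interface routes (no "via" gateway) on the given
# device that have no "src" attribute. In real use, replace SAMPLE_ROUTES
# with the output of: ip route show
routes_missing_src() {
    dev="$1"
    printf '%s\n' "$SAMPLE_ROUTES" | awk -v dev="$dev" '
        $0 ~ ("dev " dev "( |$)") && $0 !~ / via / && $0 !~ / src / { print $1 }
    '
}

# Build the iproute2 command that adds an interface route with an explicit
# preferred source, the form the poster says works when entered manually.
# Run it on the UTM console as root; it is only printed here.
route_add_cmd() {
    subnet="$1"; dev="$2"; src="$3"
    printf 'ip route add %s dev %s src %s\n' "$subnet" "$dev" "$src"
}

# Usage: which routes on eth0 lack a preferred source, and how to fix one.
routes_missing_src eth0
route_add_cmd 10.30.0.0/24 eth0 192.0.2.10
```

Routes added on the console this way do not survive a reboot or a configuration reload on the UTM, so this is useful to confirm the diagnosis rather than as a permanent fix.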



  • Hello Bob,

    here is some feedback: I created the routes, but it seems that it is not necessary. Even if there is no static route, for example for the 10.x network on the remote side, it is working. It is not possible to create the gateway route for the public IPs. The message is shown that a default route can only be specified in the interface settings. This is what I meant in my post before. The default route is the WAN gateway.

    But I am not sure why it is working. When all traffic is routed by default to the WAN interface, why is the traffic routed to IP-Sec? And what does it mean when I add Any in the remote network? Does it mean that all public traffic is also routed to IP-Sec then? It is not clear to me because it worked from any LAN network without static routes, even if IP-Sec is bound to the local interface (WAN).

    Thanks

  • You must use Interface Routes to get traffic through the tunnel - Gateway Routes won't work.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    ok, I thought it was only related to the internal subnets or public IPs routed to the tunnel. The problem is related to the following step:

    > Create a Gateway Route for "Internet IPv4" pointing to the default gateway of WAN with metric 10.


    This is not possible, as stated; it does not matter if it is a gateway or an interface route.

    All other steps worked, but then the complete internet traffic is also routed to IP-Sec because of the prioritized VPN policy route.


    Any idea?

  • Then I don't think this is possible. Thanks for trying it and letting us know.

    Cheers - Bob

  • Hello Bob,

    Thanks. I can try to set it in the console for testing, but I think the VPN route comes before the static route, correct?

  • Someone that knows iptables probably could solve this, but that's not me.

    Cheers - Bob
