
Site to Site VPN binding

I have a pair of UTM 9s forming a S2S VPN. I saw that my predecessor formed the VPN by declaring a local network and a remote network,

and the Site-to-Site VPN tunnel status shows local networks x remote networks = total established connections...

This seems so burdensome...

If I have 10 networks locally and 10 networks remotely, there must be 100 connections between them.

Can I just make one tunnel and let all the traffic through it, with a static route?



  • This is the way that site-to-site IPsec VPNs work: with multiple security associations (SAs) between each and every subnet.

    If you want to limit those, you need to summarize the subnets you use inside the tunnel (if that's possible and doesn't create routing issues).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • For these M:N tunnels (I have some with over 500 SAs) I use a RED tunnel with simple static routes instead of IPsec. As you have a pair of UTM 9s, give it a try.

  • Thanks for your help.

    I still have a doubt: I already have a connection to a far-away network over a dedicated ISP line (MPLS), and both sites have a Sophos with internet,

    because we are going to cut the MPLS and use the S2S VPN instead,

    and if I connect the S2S VPN and still keep the MPLS at the same time,

    how will the route be? Do packets go through the S2S VPN or the MPLS? Routing table?

  • Thanks, I checked RED, but it seems not to suit me; I have multiple sites that want multiple paths, not converging on a main site.

  • I'm not sure what you mean; are you going to phase out the MPLS connection and switch completely to Sophos with S2S, or do you want to use both? While that is not really your question, it also doesn't matter whether you keep both or just one in relation to the number of SAs.

    If your IP-numbering allows supernetting "other" subnets into the tunnel then you can use that instead of every single subnet by itself.

    Suppose the following subnets are reachable over the S2S connection:

    Site A: 172.16.0.0/24
    Site B: 172.16.1.0/24
    Site C: 172.16.2.0/24
    Site D: 172.16.3.0/24

    They can all be addressed as 172.16.0.0/22.

    Of course you need to take care not to create any routing issues, but you might save a good number of SAs by supernetting the individual subnets that are reachable over the same S2S connection.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
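    The two points made above (the SA count grows as local networks x remote networks, and summarizing subnets cuts it down, at the risk of pulling unintended address space into the tunnel) can be checked with a small script. This is an added example, not code from the thread or from Sophos: it counts the SAs an IPsec policy would need, summarizes each side with Python's ipaddress module, and, for a single covering supernet, lists the extra address space that the summary would route into the tunnel. All subnet values are constructed for the illustration.

```python
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def to_nets(prefixes: Iterable[str]) -> List[Net]:
    """Parse a list of CIDR strings into IPv4Network objects."""
    return [ipaddress.ip_network(p) for p in prefixes]


def sa_count(local: List[Net], remote: List[Net]) -> int:
    """One IPsec SA (traffic selector pair) per local x remote subnet."""
    return len(local) * len(remote)


def summarize_exact(nets: List[Net]) -> List[Net]:
    """Merge adjacent/overlapping prefixes without adding address space.

    collapse_addresses only joins neighbours that form a valid larger
    prefix, so the result covers exactly the same addresses as the input.
    """
    return list(ipaddress.collapse_addresses(nets))


def covering_supernet(nets: List[Net]) -> Net:
    """Smallest single prefix that contains every input network."""
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit at a time
    return cover


def extra_space(cover: Net, nets: List[Net]) -> List[Net]:
    """Address space inside `cover` that is NOT in any of `nets`.

    This is the part a summarized traffic selector would send into the
    tunnel although no declared subnet uses it; the caveat in the thread.
    """
    remaining = [cover]
    for n in nets:
        kept = []
        for r in remaining:
            if n.subnet_of(r):
                kept.extend(r.address_exclude(n))  # carve n out of r
            elif r.subnet_of(n):
                continue  # r is entirely covered by a declared subnet
            else:
                kept.append(r)  # disjoint, keep as is
        remaining = kept
    return sorted(remaining)


def plan(local_prefixes: Iterable[str], remote_prefixes: Iterable[str]) -> dict:
    """Compare SA count before and after exact summarization on both sides."""
    local, remote = to_nets(local_prefixes), to_nets(remote_prefixes)
    local_sum, remote_sum = summarize_exact(local), summarize_exact(remote)
    return {
        "before": sa_count(local, remote),
        "after": sa_count(local_sum, remote_sum),
        "local": [str(n) for n in local_sum],
        "remote": [str(n) for n in remote_sum],
    }


if __name__ == "__main__":
    # Constructed sample: the four /24s from the thread on one side,
    # two adjacent /24s on the other side.
    site_nets = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
    hq_nets = ["10.0.0.0/24", "10.0.1.0/24"]
    print(plan(site_nets, hq_nets))

    # Only three of the four /24s exist: a single /22 still covers them,
    # but 172.16.3.0/24 would now be routed into the tunnel as well.
    partial = to_nets(site_nets[:3])
    cover = covering_supernet(partial)
    print(cover, [str(x) for x in extra_space(cover, partial)])
```

    The `summarize_exact` path is the safe one: it never widens the selectors. `covering_supernet` plus `extra_space` shows what a manual supernet such as the /22 above would add, which is exactly the kind of "routing issue" to check before shrinking the SA list.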

  • Are you going to phase out the MPLS connection and switch completely to Sophos with S2S, or do you want to use both?

    Yes, I am going to phase out the MPLS, but before that they will run both for a while,

    but if both (MPLS and S2S) are connected, how do I know the route?

    Let's say:

    ------------Sophos A------------internet-----------
    |                                                 |
    MPLS                                           S2SVPN
    |                                                 |
    ------------Sophos B------------internet-----------
                    |
              172.16.0.0/16

    Sophos A can reach 172.16.0.0/16 through the MPLS now,

    and I will form a S2S VPN... then how is the route determined?

  • I believe if you create a S2S connection it will have a lower metric (and thus higher priority). You can also work with static routes, but then you should bind the tunnel to the local interface, if I'm not mistaken.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thank you for your help.

    I am a beginner with Sophos, and I am still confused about the S2S VPN.

    I established the S2S VPN between the 2 sites and kept the Metro as well,

    but all traffic still goes through the Metro,

    so how can I route 1 of the subnets through the S2S VPN but keep the others on the Metro? Static route? But interface route or gateway route?

    And what is the function of strict routing and "bind tunnel to local interface"?
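    The routing question that runs through the second half of the thread (a /16 reachable over MPLS, one subnet that should go over the S2S VPN instead, "all traffic still goes through the Metro") comes down to two ordinary routing rules: the most specific prefix wins, and among equally specific prefixes the lowest metric wins. The following is an added example, not code from the thread or from Sophos, and it models a generic routing table rather than the UTM's actual implementation; the interface names, metrics and the 172.16.5.0/24 subnet are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # next hop / tunnel name, e.g. "MPLS" or "S2SVPN"
    metric: int   # lower is preferred when prefix lengths tie


def route(prefix: str, via: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(prefix), via, metric)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, then lowest metric as the tie-breaker."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    # max() on (prefix length, -metric): longest prefix first, then lowest metric
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def path_for(table: List[Route], dst: str) -> Optional[str]:
    """Convenience wrapper returning only the chosen link name."""
    chosen = lookup(table, dst)
    return chosen.via if chosen else None


# Constructed scenario 1: both links announce the whole /16.
# With equal prefix length the metric decides, so if the MPLS route is
# cheaper every destination stays on the MPLS, which matches the
# "all traffic still goes through the Metro" observation.
BOTH_WHOLE_16 = [
    route("172.16.0.0/16", "MPLS", 10),
    route("172.16.0.0/16", "S2SVPN", 20),
]

# Constructed scenario 2: keep the /16 on MPLS but add a more specific
# route for one subnet over the VPN.  The /24 wins for that subnet
# regardless of its metric, everything else still follows the /16.
ONE_SUBNET_VIA_VPN = [
    route("172.16.0.0/16", "MPLS", 10),
    route("172.16.5.0/24", "S2SVPN", 50),
]


if __name__ == "__main__":
    for dst in ("172.16.5.10", "172.16.7.1", "10.1.1.1"):
        print(dst, path_for(BOTH_WHOLE_16, dst), path_for(ONE_SUBNET_VIA_VPN, dst))
```

    The practical reading for the migration period: as long as the VPN is only represented by a route that is no more specific than the MPLS route, the metric decides and a cheaper MPLS route captures everything; carving out one subnet needs a more specific route pointing at the tunnel, which is also the check to repeat in the opposite direction at Sophos B so the return path does not stay on the MPLS.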