Routing single local host internet traffic through remote IPSec tunnel gateway

Hi to all,

I have one UTM 9 at HQ site and one UTM 9 at branch site with IPSec Active tunnel between them.

I would like, only for some specific hosts in the HQ site, to present themselves on the Internet using the branch site WAN IP address instead of the HQ WAN IP.

Is it possible with some SNAT / routing rule? What would be the best way to address it?

 

Thank you all



  • Hoi Marcello and welcome to the UTM Community!

    Ideally, this would be done with two separate tunnels - one for the subnet where the specific hosts are and one for all of the other devices.  If you have a LAN that's 172.17.2.0/24, you could change every device's subnet mask to /23 and assign the specific hosts fixed IPs in 172.17.3.0/24. Then, you just add a second tunnel for '{172.17.3.0/24} <--> {remote subnets & Internet IPv4}'.

    Instead of changing every device's subnet mask to /23, a little less intuitive would be to create a "phantom" subnet of 172.17.22.0/24, a tunnel for '{172.17.22.0/24} <--> {remote subnets & Internet IPv4}' and a 1-to-1 Source NAT like '{group of specific hosts} -> Any -> {remote subnets & Internet IPv4} : from {a group of IPs in 172.17.22.0/24}'.  Note that the two groups must be the same size and you must select that the rule applies to IPsec packets in 'Advanced'.

    Please let us know which method you chose and what drove that decision.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Balfson,

    Thanks for your reply. I would like to try the second way because unfortunately changing the subnet is not an option.

    I'm missing some details of your suggestion. If I create another subnet at Site1, how can I bind it to the local gateway at the same site? Do I need to add another interface?

    I'm sorry I can't picture the scenario...

    I also forgot to specify that the remote gateway is the "respond only" gateway type; I don't know if this could impact the scenario.

     

    Thanks!

    "Instead of changing every device's subnet mask to /23, a little less intuitive would be to create a "phantom" subnet of 172.17.22.0/24, a tunnel for '{172.17.22.0/24} <--> {remote subnets & Internet IPv4}' and a 1-to-1 Source NAT like '{group of specific hosts} -> Any -> {remote subnets & Internet IPv4} : from {a group of IPs in 172.17.22.0/24}'.  Note that the two groups must be the same size and you must select that the rule applies to IPsec packets in 'Advanced'."

    No additional interface required, just an additional site-to-site IPsec tunnel with {172.17.22.0/24} in 'Local Networks', "Internet IPv4" and the remote subnet(s) in 'Remote Networks' and the corresponding configuration at the remote site.  If you aren't using X509 certs (How to create an X509 key based Site-to-Site VPN), you will want to use a different PSK for the second tunnel and select probing of PSKs on the 'Advanced' tab.

    Cheers - Bob

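Bob's phantom-subnet method, modelled as an added example (my own code, not UTM's implementation and not from anyone in the thread): a 1-to-1 SNAT map that refuses unequal group sizes, then the tunnel selector lookup on the post-NAT source. The branch LAN 10.99.0.0/24, the specific hosts and the test destination are assumed placeholders; the 'applies to IPsec packets' option is modelled simply as what lets the selectors see the translated source, which is the behaviour the thread describes, not UTM internals.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the HQ LAN and phantom /24 are the ones Bob uses in the
# thread; the branch LAN is an assumed placeholder for this example.
HQ_LAN = ip_network("172.17.2.0/24")
PHANTOM = ip_network("172.17.22.0/24")
REMOTE_LAN = ip_network("10.99.0.0/24")      # assumed branch subnet
INTERNET_V4 = ip_network("0.0.0.0/0")

# Two site-to-site tunnels as (name, local selector, remote selectors).
TUNNELS = [
    ("lan-to-branch", HQ_LAN, [REMOTE_LAN]),
    ("phantom-to-branch", PHANTOM, [REMOTE_LAN, INTERNET_V4]),
]


def one_to_one_snat(hosts, phantom_ips):
    """Build the 1-to-1 map; UTM requires both groups to be the same size."""
    if len(hosts) != len(phantom_ips):
        raise ValueError("source group and NAT group must be the same size")
    mapping = {ip_address(h): ip_address(p) for h, p in zip(hosts, phantom_ips)}
    if any(p not in PHANTOM for p in mapping.values()):
        raise ValueError("NAT addresses must lie inside the phantom subnet")
    return mapping


def match_tunnel(src, dst):
    """First tunnel whose local/remote selectors cover this src/dst pair."""
    for name, local, remotes in TUNNELS:
        if src in local and any(dst in r for r in remotes):
            return name
    return None


def egress(src, dst, snat, applies_to_ipsec):
    """Walk one packet: SNAT, selector lookup on the post-NAT source, else
    the HQ WAN (where normal masquerading then uses the HQ WAN address).
    Returns (path, source address as seen on that path)."""
    src, dst = ip_address(src), ip_address(dst)
    # Without the 'Advanced' option the rule does not act on IPsec-bound
    # traffic, so the selectors only ever see the real LAN address.
    nat_src = snat.get(src, src) if applies_to_ipsec else src
    name = match_tunnel(nat_src, dst)
    return (name, str(nat_src)) if name else ("hq-wan", str(src))


# Constructed group of two specific hosts mapped onto two phantom addresses.
SNAT = one_to_one_snat(["172.17.2.10", "172.17.2.11"],
                       ["172.17.22.10", "172.17.22.11"])
```

With the option unset, a specific host bound for the Internet falls through to the HQ WAN with its real address, which matches the symptom reported later in the thread.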
  • Hi BAlfson,

    Thanks to your updates, the second tunnel is now in place; both IPsecs are connected and running, and PSK probing is activated.

    Now I have: HQ subnet 192.168.46.x/24, remote subnet 192.168.44.x/24, and a single test client (just temporary, instead of the phantom net) with IP 192.168.46.105.

    Now (I'm hard-witted) the unclear part is the SNAT rule; the single test host is still going to the Internet via the HQ gateway.

    Any other advice?

    Thanks!

  • I can't "see" this, Marcello.  Please show pictures of the Edits of the IPsec Connection and the Remote Gateway for both IPsec tunnels.

    Cheers - Bob

  • Hi Bob,

    Unfortunately, at the moment I have had to remove the second tunnel, since it caused some issues with normal connectivity, so to avoid user impact I had to restore the initial configuration.

    For sure I have misunderstood the instructions, but I think I have to leave the original config to avoid disruption of other services.

    At the moment I have "worked around" it by activating the proxy server on the remote gateway and setting up the specific hosts to use it to access the Internet.

    BTW, I would really like to understand how to implement it the right way; as soon as possible I will post screenshots of the tunnel in place.

    Thanks again for your help