Hi to all,
I have one UTM 9 at the HQ site and one UTM 9 at the branch site, with an active IPsec tunnel between them.
I would like only some specific hosts at the HQ site to present themselves on the Internet using the branch site's WAN IP address instead of the HQ WAN IP.
Is it possible with some SNAT / routing rule? What would be the best way to address it?
Thank you all.
Possibly a policy (default) route would work.
I would try: policy routes / from: special hosts / to: any (or better, the needed destinations) / services: any (or the known needed ones) -> Gateway: IPS-Router
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.
Hi dirkkotte, thanks for your reply. I read in some other posts that you can't forward packets into VPN tunnels via policy routing...
Anyway, I tried your suggestion because it was a worthwhile and easy try, but unfortunately it seems that it doesn't work...
Hmm, I'm curious as to your exact configuration. As I am afraid that this question may come up in my configuration in the future, I wanted to know for sure why things did not work or how to get them to work.
By the power of virtualization, I've created a test setup. This setup is very simple, but I think it represents your question.
I've installed two UTMs with two interfaces each, one WAN and one internal.
Both UTMs have the same default gateway in this setup (I've only got one Internet connection here at home), but I don't think this influences the result.
My simple setup for UTM-1:
I created a firewall rule any <->any
I masqueraded the internal network to WAN:
Now I've got a Windows server on the internal network, IP address 192.168.5.10, gateway 192.168.5.1, DNS 188.8.131.52. I've got another server, IP address 192.168.5.20, gateway 192.168.5.1, DNS 184.108.40.206.
This works, e.g. tracert to this forum:
So this is your HQ server so to speak.
Now I've got a second UTM, UTM-2 with this simple setup:
In this network I've also got a server, IP address 192.168.6.10, gateway 192.168.6.1, DNS 220.127.116.11.
This also works, e.g. tracert to this forum:
I've created a simple IPsec connection between the two UTMs. First the gateway definition on UTM-1:
and gateway definition on UTM-2:
In this example both gateways initiate the connection, but this is not mandatory.
Then I create the connection on UTM-1:
and on UTM-2:
Enable the connection, and I've got a VPN between the two UTM systems:
I can test this by pinging the Windows host on the other end.
Without VPN, from Host 1 (HQ):
With VPN, from Host 1 (HQ):
So now back to your question, how to route traffic from Host 1 (HQ) through UTM-2 to the outside world.
As shown before, traceroute from this host goes through UTM-1.
I've created a gateway policy route bound to the Intern interface of UTM-1, with the HQ host as Source Network, for any service going to IPv4 Internet, to be sent to the Intern interface of UTM-2:
If I enable this rule and I do a traceroute from Host 1 (HQ), I now get a different path:
As you can see the traffic is now routed through UTM-2.
The same traceroute from the other host in the HQ network that is not part of the gateway policy route shows the 'normal' path:
As my own 'home' UTM is the gateway to the Internet, I checked the results in my firewall log by going to a simple website with one IP address to see if the source address did change. Strangely enough it did not, although a tcpdump from the console on UTM-2 did show that the traffic was going out of UTM-2 and not UTM-1.
In the end I did something counter-intuitive and created the following SNAT rule on UTM-2 (your branch office so to speak):
This seems to work:
Remember, in both cases, the HQ machine (192.168.5.10) was the one creating the web request.
So the external address of UTM-1 was SNATted to the external address of UTM-2. This one I cannot really explain, but probably this is due to the fact that both UTMs have an external address in the same subnet. To be sure I would have to test with two separate external addresses. I haven't got access to such a config yet, but will try to get it. As soon as I do, I will post the final result.
So according to this simulation it should be possible to route one specific host (or network group of hosts) through a VPN tunnel to an external address.
I don't know if this answer will still be helpful for you, as Bob has provided a solution that has proven to work in your situation. But it has been fun figuring this out and hopefully someone can use this info :)
Thank you so much for your real commitment to the post :-)
More or less our environment is like your virtual test environment, except we have hardware appliances and two different Internet connections.
Here is our tunnel:
and I can ping both gateways from each site as well.
I have a test host WS10 that can browse the Internet:
So I create the policy route:
When it is active, the Internet becomes unreachable:
Even with the SNAT rule on the remote site:
I tried with automatic firewall rules and by checking the "Rule applies to IPsec packets" box.
Same result... Internet unreachable.
Seeing this, I have to agree with Bob that for some reason policy routes do not apply to IPsec tunnels...
Some questions just to be sure (since we now have both a working policy route through IPsec and a non-working policy route through IPsec):
Is the RemoteIPSEC gateway the LAN/Internal adapter on your branch UTM? It's the only difference I can think of for now between your environment and the VM test environment.
Can the WS10 host ping IP addresses in the branch LAN if the policy route is not active? In my test environment I accepted the remote LAN for each connection and offered the local LAN.
Yes to both questions: the UTMs are the gateways of the sites and I can ping hosts at the other site from any of the hosts; when the policy route is active the host becomes unresponsive.
Keep in mind the security associations here: you are not doing host -> ANY in the IPsec tunnel, but specific networks / hosts to each other.
IPsec would drop all traffic that doesn't match the security association.
You can get around this for inbound traffic by doing a Full NAT on the remote gateway that changes the source so it goes through the tunnel and hits the site on the other side:
For traffic from ANY host
Using service: whatever service
Going to: External of UTMgateway2
Change destination to: Webserver IP across the tunnel
Change source to: Interface IP of this side of the tunnel
Check "Rule applies to IPsec packets".
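The selector argument above is the crux of the whole thread, so here is a small model of it as an added example (my code, not Sophos UTM code, and not from any poster). It applies the RFC 4301 rule that traffic steered at an IPsec tunnel is only sent through it when some security association's traffic selectors cover both its source and destination, and is otherwise discarded. The addresses reuse the 192.168.5.0/24 (HQ) and 192.168.6.0/24 (branch) LANs from the VM test; the public addresses, the web server and the UTM-2 interface IP used in the Full NAT case are constructed for the example. The model only decides selector matching; it says nothing about whether a given gateway will negotiate a 0.0.0.0/0 selector or what its routing table does once it has.

```python
"""Toy model of IPsec traffic-selector (SPD) matching.

Added example, not Sophos UTM code. It shows why a policy route that
steers Internet-bound packets into a site-to-site tunnel gets them
dropped unless the tunnel's selectors cover the destination, and how
the Full NAT described in the thread puts inbound traffic back inside
the selectors. All addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Selector:
    """One SA's traffic selector: local network <-> remote network."""
    local: str
    remote: str

    def covers(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.local)
                and ip_address(pkt.dst) in ip_network(self.remote))


def tunnel_verdict(pkt: Packet, selectors) -> str:
    """'tunnel' if some selector covers the packet, otherwise 'drop'.

    RFC 4301 SPD semantics: a packet steered at the tunnel that matches
    no selector is discarded, not sent in the clear.
    """
    return "tunnel" if any(s.covers(pkt) for s in selectors) else "drop"


def full_nat(pkt: Packet, match_dst: str, new_dst: str, new_src: str) -> Packet:
    """Full NAT as in the post above: rewrite destination AND source of
    traffic that arrived for match_dst, before the SPD check runs."""
    if pkt.dst == match_dst:
        return Packet(src=new_src, dst=new_dst)
    return pkt


# HQ-side SAs: UTM-1 local LAN 192.168.5.0/24 to the branch LAN, or to ANY.
HQ_TO_BRANCH = [Selector("192.168.5.0/24", "192.168.6.0/24")]
HQ_TO_ANY = [Selector("192.168.5.0/24", "0.0.0.0/0")]


def policy_route_cases() -> dict:
    """What happens to the policy-routed HQ host under each selector set."""
    lan_pkt = Packet("192.168.5.10", "192.168.6.10")   # HQ host -> branch host
    inet_pkt = Packet("192.168.5.10", "203.0.113.50")  # HQ host -> Internet (TEST-NET-3)
    return {
        "lan_over_lan_selector": tunnel_verdict(lan_pkt, HQ_TO_BRANCH),
        "inet_over_lan_selector": tunnel_verdict(inet_pkt, HQ_TO_BRANCH),
        "inet_over_any_selector": tunnel_verdict(inet_pkt, HQ_TO_ANY),
    }


def inbound_full_nat_case():
    """Internet client hits UTM-2's external IP; Full NAT makes the
    rewritten packet fit the branch-side SA (local branch, remote HQ)."""
    branch_sel = [Selector("192.168.6.0/24", "192.168.5.0/24")]
    inbound = Packet("198.51.100.7", "203.0.113.2")   # client -> UTM-2 external (constructed)
    before = tunnel_verdict(inbound, branch_sel)
    natted = full_nat(inbound, match_dst="203.0.113.2",
                      new_dst="192.168.5.10",   # web server across the tunnel
                      new_src="192.168.6.1")    # UTM-2's own interface on the tunnel side
    after = tunnel_verdict(natted, branch_sel)
    return before, after, natted


if __name__ == "__main__":
    for name, verdict in policy_route_cases().items():
        print(f"{name}: {verdict}")
    before, after, natted = inbound_full_nat_case()
    print(f"inbound before Full NAT: {before}; after: {after} ({natted.src} -> {natted.dst})")
```

Run it and the second case is the one both posters hit: a 192.168.5.0/24 to 192.168.6.0/24 SA drops an Internet-bound packet no matter which gateway the policy route names, while the same packet passes once the remote selector is 0.0.0.0/0. The Full NAT case passes only because the rewritten source lands inside the branch LAN selector; a source rewrite to the external interface would not.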
You guys might both be interested in considering Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE). All of the screens are in English, Marcello, so even if you don't read German, you should find the article accessible.
Cheers - Bob
Just a quick update on how I finally worked around the question. I created a RED tunnel and bridged a new interface on the HQ UTM to it. Then I connected a little WiFi router to the bridged interface. When people from the branch office come to HQ with their laptops, they connect to the bridged WiFi, so they can continue to access the Internet presenting the branch office WAN IP, maintaining their access to cloud resources.
A big thanks to all; every idea and suggestion came from this community.
Just a follow-up on this, as I am setting up a similar setup right now. Do I need to actually have two separate tunnels/gateways/connections created? I'm not understanding how this segregates the traffic, whether they are listed as separate networks within the tunnel or as separate VPN connections/tunnels.
Not sure what you mean by "a similar setup," Aaron.
Similar setup in the sense that I have a branch office and an HQ and am trying to route all the Internet-bound traffic for a subnet to another site as an exit point.
I tried with the policy-based route, which breaks the connection and doesn't work / nothing pings or routes.
If I try adding 0.0.0.0 to the IPsec tunnel, the tunnel doesn't establish.
My question, which I poorly worded last night, was: do I need two entirely independent tunnel connections, or just the subnets listed separately in the local/remote networks on either side respectively?
Show us pictures of the Edits of the IPsec Connection and Remote Gateway for both sides, and tell us if/where Web Filtering is being done: at the exit-point site, not, or both.
Well, now I can get the tunnel to establish (I believe it was a double-NAT issue on the "Branch" side). My goal here is to get only one specific subnet to route its Internet traffic via a second IPsec tunnel.
Unfortunately, when I get the tunnel to establish, all the branch-side Sophos traffic (as in, traffic generated on the Sophos itself) seems to try to go through the tunnel or just quits working altogether. Traceroute no longer works, I cannot ping externally, etc. A review of the routes under Support > Advanced shows that the Sophos is trying to default all traffic via the new tunnel.
This isn't the intended routing so first and foremost I need to find a solution to this.
The branch Sophos has one NAT rule that routes Internet-bound traffic from a source of "any" out on a WAN public IP of the branch Sophos.
There is a second tunnel (which is the primary production tunnel at the moment) that is set up the same, except it has the production subnets routed between the two sites.
In BO_GUEST_FIREWALL, do you have a Masquerading rule like 'BO_Guest -> External'?
Here are the NAT rules. I don't have any masq rules active. I have a masq rule that I've activated when the secondary tunnel (the tunnel listed above) is up, from GUEST_NETWORK > INTERNAL... which I guess in hindsight isn't correct, but I'm not sure why it wouldn't be covered by the NAT rule below...