
Routing single local host internet traffic through remote IPSec tunnel gateway

Hi to all,

I have one UTM 9 at HQ site and one UTM 9 at branch site with IPSec Active tunnel between them.

I would like, only for some specific hosts in HQ site, to present themselves on Internet using Branch site WAN IP address instead of HQ WAN IP.

Is it possible with some SNAT / routing rule? What would be the best way to address it?


Thank you all



  • Possibly a policy (default) route would work.

    I would try: policy routes / from: special hosts / to: any (or better, needed destinations) / services: any (or known needed) -> Gateway: IPS-Router


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi dirkkotte, thanks for your reply. I read in some other posts that you can't forward packets in VPN tunnels via Policy routing...

    Anyway, I tried your suggestion because it was a worthwhile and easy try, but unfortunately it seems that it doesn't work...

  • Hi Karl-Heinz,

    Yes to both questions: the UTMs are the gateways of the sites and I can ping hosts in the other site from any of the hosts; when the policy route is active the host becomes unresponsive.

    Regards

    MR

  • Keep in mind the security associations here: you are not doing host -> ANY in the ipsec tunnel but specific networks / hosts to each other.

    IPSEC would drop all traffic that doesn't match the security association.

    You can get around this for inbound traffic by doing a Full NAT on the remote gateway that changes the source to go through the tunnel and hit the site on the other side.

    Something like:

    For traffic from ANY host

    Using service: whatever service

    Going to: External of UTMgateway2

    Change destination to:  Webserver IP across the tunnel

    Change source to: Interface IP of this side of the tunnel

    Check rule applies to IPSEC packets.
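A small added model of the security-association point made in the post above (not UTM code, and not posted by anyone in the thread). It assumes constructed addresses: a branch LAN 10.20.0.0/24 and HQ LAN 10.10.0.0/24 as the only negotiated selectors, a branch WAN address 203.0.113.5, and a web server 10.10.0.80 across the tunnel. It shows why a policy route alone leaves a host's Internet traffic dropped at the SA check, and why the Full NAT rule described above makes inbound traffic match the tunnel.

```python
"""Toy model of IPsec SA selectors and the Full NAT workaround (added example).
All addresses are constructed for illustration; nothing here is real UTM code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology, seen from the branch gateway.
HQ_LAN: IPv4Network = ip_network("10.10.0.0/24")
BRANCH_LAN: IPv4Network = ip_network("10.20.0.0/24")
BRANCH_WAN: IPv4Address = ip_address("203.0.113.5")   # "External of UTMgateway2"
BRANCH_TUNNEL_IF: IPv4Address = ip_address("10.20.0.1")  # interface IP on this side of the tunnel
WEBSERVER_HQ: IPv4Address = ip_address("10.10.0.80")     # web server across the tunnel

# Negotiated SA selectors: (local network, remote network). No 0.0.0.0/0 here.
SA_SELECTORS = [(BRANCH_LAN, HQ_LAN)]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def sa_accepts(pkt: Packet) -> bool:
    """A packet enters the tunnel only if src/dst fall inside a negotiated selector."""
    return any(pkt.src in local and pkt.dst in remote for local, remote in SA_SELECTORS)


def policy_route_to_tunnel(pkt: Packet) -> bool:
    """A policy route only picks the tunnel as next hop; the SA check still applies,
    so a LAN host sent to an Internet destination via the tunnel is silently dropped."""
    return sa_accepts(pkt)


def full_nat_inbound(pkt: Packet) -> Packet:
    """The Full NAT rule from the post: ANY -> branch WAN is rewritten so that
    dst = web server across the tunnel and src = this side's tunnel interface IP."""
    if pkt.dst == BRANCH_WAN:
        return Packet(src=BRANCH_TUNNEL_IF, dst=WEBSERVER_HQ)
    return pkt


def inbound_via_full_nat(pkt: Packet) -> bool:
    """Apply the Full NAT first, then the SA check, as the rule is meant to do."""
    return sa_accepts(full_nat_inbound(pkt))
```

The rewritten source must itself lie inside the local selector (here 10.20.0.1 is within 10.20.0.0/24), otherwise the NATed packet would still fail the SA check.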

  • You guys might both be interested in considering Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE).  All of the screens are in English, Marcello, so even if you don't read German, you should find the article accessible.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Just a quick update on how I finally worked around the question. I created a RED tunnel and bridged a new interface in HQ UTM to it. Then I connected a little WiFi router to the bridged interface. When people from the branch office come to HQ with their laptops, they connect to the bridged WiFi so they can continue to access the Internet presenting the Branch Office WAN IP, maintaining their access to cloud resources.

    A big thank you to all; every idea and suggestion came from this community.

  • Just a follow-up on this as I am setting up a similar setup right now. Do I need to actually have two separate tunnels/gateways/connections created? I'm not understanding how this segregates the traffic, whether they are listed as separate networks within the tunnel or separate VPN connections/tunnels?

  • Not sure what you mean by "a similar setup," Aaron.

    Cheers - Bob

  • Similar setup in the sense that I have a branch office and an HQ and am trying to route all the Internet-bound traffic for a subnet to another site for an exit point.

    I tried with the policy based route which breaks the connection and doesn’t work / nothing pings or routes.

    If I try adding 0.0.0.0 to the IPSec tunnel - the tunnel doesn’t establish.

    The question I poorly worded last night was: do I need two entirely independent tunnel connections, or just the subnets to be listed separately in the local/remote networks on either side respectively?

  • Show us pictures of the Edits of the IPsec Connection and Remote Gateway for both sides and tell us if/where Web Filtering is being done - the exit point site or not or both.

    Cheers - Bob

  • Well, now I can get the tunnel to establish (I believe it was a double-NAT issue on the "Branch" side). My goal here is to get only one specific subnet to route its Internet traffic via a second IPsec tunnel.

    Unfortunately, when I get the tunnel to establish, all the branch side sophos traffic (as in, traffic generated on the Sophos itself) seems to try and go through the tunnel or just quits working altogether. Traceroute no longer works, cannot ping externally, etc. A review of the routes under Support>Advanced shows that the Sophos is trying to default all traffic via the new tunnel.

    This isn't the intended routing, so first and foremost I need to find a solution to this.

    The branch Sophos has 1 NAT rule that routes Internet-bound traffic from a source of "any" out on a WAN public IP of the branch Sophos.

  • Pictures please!

    Cheers - Bob
