This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

RED over UTM to IPSEC Tunnel

Dear all

I have an SG330 with two RED devices and an IP-SEC Tunnel connected.
All clients behind the RED and behind the Tunnel connect easily to the central network at SG330

I now need a connection from a client behind a RED to a Server behind the IPSEC Network and I fail to understand.

UTM SG 330 with an internal network: 172.16.0.0/16
RED with a network: 192.168.50.0/24
IPSEC with a network: 172.20.0.0/16

What do I need to configure?
Network Protection Firwall
Interface&Routing/Static Routing
Network Protection/NAT

Thank you for your help and kind regards, Matthias

This thread was automatically locked due to age.

0 twister5800 over 10 years ago

Hi Matthias,

I would try to setup a static route on the IPSEC network router (172.16.20.0/16), telling the router there how to get to the 192.168.50.0/24 network (Which is through the SG330 IP), that should be all, the SG330 should know how to get back :-)

-----

Best regards
Martin

Sophos XGS 2100 @ Home | Sophos v20 Technician
Cancel
Vote Up 0 Vote Down

Cancel
0 mjpmotw over 10 years ago in reply to twister5800

Mmh...

As I want RED ---> SG ---> IPSEC

Do I need to add only a route on the IPSEC partner?
(IPSEC goes SG 330 to another ASG 120, means on the ASG 120).

There is no need to do some routing, policy, firewall on the SG330 that terminates both connections?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago
I'm not very good until I can "see" the topology.  Is it?
{192.186.50.0/24}[RED][SG330]{172.16.0.0/16}
                              |
                          (IPsec)
                              |
                       {172.20.0.0/16}

And, you want clients in 192.168.50.0/24 to be able to reach IPs in 172.20.0.0/16?  I don't think you can use routing...
Add {172.20.0.0/16} in 'Split networks' in the RED definition if it is not in "Unified" mode.
Add {192.186.50.0/24} to the IPsec tunnel definition in 'Local networks' in the SSG and in the equivalent of 'Remote networks' in the other IPsec endpoint.
Adjust DNS accordingly.

You may want to limit the VPN to less access for the folks in {192.186.50.0/24}, and you can do that with Firewall rules or with a separate IPsec tunnel between {192.186.50.0/24} and {172.20.0.0/16}.  Any luck with that approach?

Cheers - Bob
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 mjpmotw over 10 years ago in reply to BAlfson

The topology is designed wonderful and perfect.

I already have tunnel from {192.186.50.0/24}[RED] to {172.20.0.0/16}[ASG120] but I want to break it as it causes massiv performance issues that I can hardly isolate. Therefore I aim for that routing approach.

My RED have unified tunnels as I like the Webfilter approach (transparent, no proxy). I could use the standard tunnel in RED and use proxy to permit direct internet access but unified tunnel and transparent filtering seemend easier.

I need to check your ideas. I thought this was a simple "routing" issue [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

It is a routing issue, but the problem in the UTM is that you can't route traffic into an IPsec tunnel. If the tunnel doesn't have 'Strict routing' enabled, then you can SNAT the traffic into the tunnel, but that doesn't let you identify the source of requests at the server beyond the tunnel.

I already have tunnel from {192.186.50.0/24}[RED] to {172.20.0.0/16}[ASG120] but I want to break it as it causes massiv performance issues that I can hardly isolate.

That isn't what I understood from your first post. In any case, you might want to check #1 in Rulz.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 mjpmotw over 10 years ago

It's working:

The RED Network needs to go to the local network of the IPSEC tunnel config of my main network. It has as well to be in the remote network section of the IPSEC tunnel config of the remote IPSEC network. Bingo [:)]

No routing, no strict routing, no masqerading, just IPSEC Tunnel config.

Regards, Matthias
Cancel
Vote Up 0 Vote Down

Cancel
0 heggen over 9 years ago

Had the same problem that I couldn't communicate from a Client behind a RED to a client behind a S2S tunnel. Your explanations helped me to solve the problem. Thanks guys.
Cancel
Vote Up 0 Vote Down

Cancel
0 wattska over 9 years ago in reply to mjpmotw

It's working:

The RED Network needs to go to the local network of the IPSEC tunnel config of my main network. It has as well to be in the remote network section of the IPSEC tunnel config of the remote IPSEC network. Bingo [:)]

No routing, no strict routing, no masqerading, just IPSEC Tunnel config.

Regards, Matthias

yes this works! thanks. wattska.
Cancel
Vote Up 0 Vote Down

Cancel