
XG site-to-site IPsec tunnel with specific source IP routing over the tunnel

Hi,

After a disappointing phone call with Sophos tech support, I'm asking the community to see if anyone can help me.

I have a functional site-to-site tunnel; the remote site is a Fortigate and the local site is an XG.

10.2.1.0/24 local, 10.0.0.0/24 remote (works just fine)

10.2.1.0/24 local, 0.0.0.0/0 - any - remote (works just fine)

The issue here is that with the Fortigate, when I set up the selectors, it allows traffic to route as long as I have a rule for it, but the Sophos will automatically route traffic. That's great for two /24s or whatever, not so great for 0.0.0.0/0.

I'm trying to configure a couple of source hosts to route out through IPsec, not all of them. Sophos tech support said it's impossible; I would have to add them one by one in the IPsec VPN config, but that would mean I have to set up a selector for each IP on the far end.

A quick rule I applied from the advanced shell works:

XG125_XN03_SFOS 18.0.0 GA-Build339..1# ip rule add from 10.2.1.108 to 10.0.0.0/24 lookup routeipsec0 prio 5
XG125_XN03_SFOS 18.0.0 GA-Build339..1# ip rule add from 10.2.1.108 lookup wanlink1 prio 6
XG125_XN03_SFOS 18.0.0 GA-Build339..1# ip route show table routeipsec0
default dev ipsec0 scope link
XG125_XN03_SFOS 18.0.0 GA-Build339..1# ip route show table wanlink1
default via internetgateway.153 dev Port2 proto static src myip.154
prohibit default proto static metric 1
XG125_XN03_SFOS 18.0.0 GA-Build339..1#


So now everything going from 10.2.1.108 to 10.0.0.0/24 routes over IPsec, and everything else going to the Internet goes out the default gateway on the system.

Why is it not possible to do this routing from the firewall section in the Sophos? I'm not sure how long my custom rules above will last.

My goal, once again: allow the capability of routing to the Internet over IPsec, but I'd like to set which source IPs can do this.

Thank you
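
The two `ip rule` lines in the post are the whole mechanism: the kernel walks rules in priority order, so the more specific "to 10.0.0.0/24 lookup routeipsec0" rule at prio 5 has to sit before the catch-all "lookup wanlink1" at prio 6. The script below is an added example, not code from the original post and not a Sophos tool; it re-creates those two rules only when they are missing, so it can be re-run from wherever one chooses to hook it in if the rules turn out not to survive. Everything beyond the post's own addresses, table names and priorities is an assumption: BusyBox/POSIX `sh` with `ip` and `awk` in PATH, `ip rule show` printing table names rather than numbers, the `LAN_IF` variable (the interface 10.2.1.108 sits behind), the `demo`/`plan`/`apply`/`verify` verbs, and the `sample_rules` output, which is constructed for the offline demo.

```shell
#!/bin/sh
# Added example: not code from the original post and not a Sophos tool.
# It re-creates the two `ip rule` entries from the post only when they are
# missing, so it can be re-run safely whenever they turn out to be gone.
# Assumptions not in the post: BusyBox/POSIX sh with `ip` and `awk` in PATH,
# that `ip rule show` prints the table names (routeipsec0, wanlink1) rather
# than numbers, and that LAN_IF is set to the interface 10.2.1.108 sits behind.

SRC_HOST="${SRC_HOST:-10.2.1.108}"        # host allowed to use the tunnel
REMOTE_NET="${REMOTE_NET:-10.0.0.0/24}"   # subnet behind the Fortigate
IPSEC_TABLE="${IPSEC_TABLE:-routeipsec0}" # table holding "default dev ipsec0"
WAN_TABLE="${WAN_TABLE:-wanlink1}"        # table holding the WAN default route
IPSEC_PRIO=5   # must be the lower number: rules are matched in priority order,
WAN_PRIO=6     # so the specific tunnel rule has to come before the WAN catch-all

# desired_rules: the rules we want, one per line, in `ip rule add` argument form.
desired_rules() {
    printf '%s\n' \
        "from $SRC_HOST to $REMOTE_NET lookup $IPSEC_TABLE prio $IPSEC_PRIO" \
        "from $SRC_HOST lookup $WAN_TABLE prio $WAN_PRIO"
}

# rule_present RULES_TEXT PRIO SELECTOR
# Exit 0 if RULES_TEXT (output of `ip rule show`, lines like
# "5:<tab>from 10.2.1.108 to 10.0.0.0/24 lookup routeipsec0") contains
# a line with priority PRIO whose remainder is exactly SELECTOR.
rule_present() {
    printf '%s\n' "$1" | awk -v prio="$2:" -v sel="$3" '
        $1 == prio {
            rest = $2
            for (i = 3; i <= NF; i++) rest = rest " " $i
            if (rest == sel) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# plan RULES_TEXT: print the `ip rule add` commands still needed given
# the current rule list. Prints nothing when everything is already there.
plan() {
    desired_rules | while IFS= read -r rule; do
        prio=${rule##* prio }      # "... prio 5"  -> "5"
        sel=${rule% prio *}        # "... prio 5"  -> "from ... lookup routeipsec0"
        if ! rule_present "$1" "$prio" "$sel"; then
            printf 'ip rule add %s\n' "$rule"
        fi
    done
}

# apply: run the missing commands against the live kernel (needs root).
apply() {
    plan "$(ip rule show)" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd    # unquoted on purpose: split the line back into arguments
    done
}

# verify: ask the kernel which path two flows from SRC_HOST take.
# Expected: the first answer mentions "dev ipsec0", the second the WAN gateway.
verify() {
    lan="${LAN_IF:?set LAN_IF to the LAN interface the host is behind}"
    ip route get 10.0.0.1 from "$SRC_HOST" iif "$lan"   # any remote-subnet address
    ip route get 1.1.1.1 from "$SRC_HOST" iif "$lan"    # any Internet address
}

# sample_rules: constructed `ip rule show` output for an offline demo, in
# which only the IPsec rule is present and the WAN rule still has to be added.
sample_rules() {
    printf '0:\tfrom all lookup local\n'
    printf '5:\tfrom 10.2.1.108 to 10.0.0.0/24 lookup routeipsec0\n'
    printf '32766:\tfrom all lookup main\n'
    printf '32767:\tfrom all lookup default\n'
}

case "${1:-}" in
    demo)   plan "$(sample_rules)" ;;   # offline: prints the one missing command
    plan)   plan "$(ip rule show)" ;;
    apply)  apply ;;
    verify) verify ;;
    *)      ;;                          # no verb: just define the functions
esac
```

`sh reapply-rules.sh demo` runs offline against the constructed sample and prints only `ip rule add from 10.2.1.108 lookup wanlink1 prio 6`; `plan` does the same against the live rule list, `apply` executes what `plan` printed, and `verify` uses `ip route get ... from ... iif ...` to confirm that a remote-subnet destination resolves to `dev ipsec0` while an Internet destination still resolves via the WAN gateway. Matching on the exact priority and selector (rather than just grepping for the table name) is what keeps re-runs from stacking duplicate rules.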
