
Policy route to device on far end of ipsec tunnel

I think this has been answered somewhat indirectly in the forum more than once, but I want to ensure that my understanding is correct by asking in the most direct way possible.

Is there any way to route select traffic (might be by source, might be by application, might be a combo) that is bound for the internet to a device on a network at the far end of an ipsec tunnel?

  • My side of the ipsec tunnel: Sophos XG
  • Remote tunnel termination: non-Sophos
  • Remote "security device" that I want to direct select internet-bound traffic through: non-Sophos, and not the same device as the tunnel termination

My inclination would be to use policy routing for this. But policy routing needs a Gateway object as a destination. I don't think that my remote security device can be defined as one, since it is not on the same network as any of my XG's interfaces (?).

My ipsec tunnel works. My source hosts can reach the remote security device over the tunnel. I just need to know if the XG is able to direct select internet-bound traffic from select source hosts to that remote security device.

Thanks.

bc



  • My tunnel is to an AWS VPG. Now I see that the instructions I followed for setting up my XG state that "Sophos XG Firewall supports only policy based VPN currently and there is a limitation of one Security Association (SA) for policy-based VPN devices on the AWS Virtual Network Gateway."

    It sounds like what they should have said is that an XG can only connect to an AWS VPG using policy-based VPN, but that XG is capable of tunnel-based to other devices/services that support it. Is that right?

  • I upgraded from v17 to v18 so that I could define a tunnel-interface-based ipsec connection. My VPN to AWS is active+connected. I cannot seem to route packets through the new tunnel. I have defined a static route to my AWS VPC through my new ipsec VTI (xfrm1). I have also defined a similar SD-WAN policy route which directs traffic to xfrm1.

    1) I would like to see the basic functionality of the tunnel-interface-based (VTI) ipsec working from Sophos XG to AWS. Does anybody out there have it working?

    2) In my original post I specified that ultimately I would like to be able to define a policy-based route to a remote device which is not the same device as the far-end VPN termination. Even if I get VTI ipsec working from the XG to AWS, I'm not sure this will be possible. I would still need to define that device as a Gateway object on the XG, and I won't be able to do that because I have no interface on the XG on the same network as that remote device. Note that my xfrm1 interface has an IP on a 169.254 network that corresponds with AWS's inner tunnel IP on the far end. Whereas the device I ultimately want to steer traffic to is in a subnet within the target VPC on 172.20.16.0/24. Is something wrong with my approach?

  • As I cannot test it right now, I am pretty sure AWS and Azure prefer to do route-based VPN over policy-based. It's in their interest to do route-based to "save" to keep the SA up/running.

    You could run BGP, if you like: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html

    https://aws.amazon.com/vpn/faqs/?nc1=h_ls

    A: The AWS VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based solution you will need to limit to a single SA, as the service is a route-based solution.

    https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

    AWS is heavily talking about BGP, which you "could" run on a XG, if you want.

    You will actually simply put a new route with 0.0.0.0 to your AWS destination and route everything or in BGP you use default-originate.

  • Thank you for the guidance. I got it working using AWS Transit Gateway between VPN tunnel termination on the AWS side and the AWS egress instance.

    Now I can, for example, have all DNS traffic from my private subnet exit to the internet through the XG, but force all HTTP/HTTPS traffic through the remote egress instance in AWS.
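The design the thread converges on (a static route to the VPC through the xfrm1 VTI, an SD-WAN policy route steering HTTP/HTTPS from the LAN into the tunnel, DNS still leaving through the WAN, and the AWS side carrying the tunnelled traffic on to the egress instance) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from Sophos. It models two things a practitioner would want to check before building this: why the original idea of pointing a policy route straight at a device on 172.20.16.0/24 fails (a gateway must be on-link on some interface, which the far-end VTI address on the 169.254 /30 is and the VPC host is not), and how the final split-egress decision falls out once the VTI exists. Interface names (Port1, Port2, xfrm1), all addresses, and the assumption that policy routes are evaluated before the static table are hypothetical; the far side's routing (transit gateway, egress instance) and the return path are not modelled.

```python
"""Model of the split-egress design from the thread: selected
internet-bound flows are policy-routed into a VTI (xfrm1) whose far end
is an AWS VPN; everything else leaves through the WAN port.
Added example, not Sophos code; names and addresses are hypothetical."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Interface:
    name: str
    network: Net                     # subnet the interface address lives in


@dataclass(frozen=True)
class StaticRoute:
    prefix: Net
    iface: str
    gateway: Optional[IPv4] = None   # None: directly attached / point-to-point


@dataclass(frozen=True)
class PolicyRoute:
    src: Net
    proto: str
    dports: frozenset
    gateway: IPv4                    # must be on-link, like an XG Gateway object


@dataclass
class Router:
    interfaces: list
    static: list = field(default_factory=list)
    policy: list = field(default_factory=list)

    def onlink_iface(self, addr: IPv4) -> Optional[str]:
        """Name of the interface whose subnet contains addr, else None."""
        for itf in self.interfaces:
            if addr in itf.network:
                return itf.name
        return None

    def add_policy_route(self, pr: PolicyRoute) -> None:
        # Reproduces the constraint from the thread: a next hop that is not
        # on any interface's subnet cannot be used as a gateway.
        if self.onlink_iface(pr.gateway) is None:
            raise ValueError(f"gateway {pr.gateway} is not on-link on any interface")
        self.policy.append(pr)

    def lookup_static(self, dst: IPv4) -> Optional[StaticRoute]:
        """Longest-prefix match over the static table."""
        best = None
        for r in self.static:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def next_hop(self, src: IPv4, dst: IPv4, proto: str, dport: int):
        """Return (iface, gateway) for a flow.  Assumption of this model:
        policy routes are consulted before the static table (on the real
        XG the precedence order is something to verify, not assume)."""
        for pr in self.policy:
            if src in pr.src and proto == pr.proto and dport in pr.dports:
                return self.onlink_iface(pr.gateway), pr.gateway
        r = self.lookup_static(dst)
        if r is None:
            raise LookupError(f"no route to {dst}")
        return r.iface, r.gateway


def build_example_router() -> Router:
    """Hypothetical topology: LAN on Port1, WAN on Port2, VTI xfrm1 using an
    AWS-style 169.254.x.x/30 inside-tunnel pair as mentioned in the thread."""
    rtr = Router(interfaces=[
        Interface("Port1", Net("10.0.0.0/24")),
        Interface("Port2", Net("203.0.113.0/24")),
        Interface("xfrm1", Net("169.254.10.0/30")),
    ])
    rtr.static += [
        StaticRoute(Net("0.0.0.0/0"), "Port2", IPv4("203.0.113.1")),
        StaticRoute(Net("172.20.16.0/24"), "xfrm1"),   # VPC subnet via the VTI
    ]
    # Web traffic from the LAN is steered at the far-end VTI address; the AWS
    # side (transit gateway) carries it on to the egress instance.
    rtr.add_policy_route(PolicyRoute(Net("10.0.0.0/24"), "tcp",
                                     frozenset({80, 443}), IPv4("169.254.10.1")))
    return rtr


def classify(rtr: Router, flows) -> list:
    """Map each constructed (src, dst, proto, dport) flow to its egress interface."""
    return [rtr.next_hop(IPv4(s), IPv4(d), p, port)[0] for s, d, p, port in flows]


if __name__ == "__main__":
    rtr = build_example_router()
    sample = [("10.0.0.5", "198.51.100.53", "udp", 53),     # DNS -> WAN
              ("10.0.0.5", "198.51.100.80", "tcp", 443)]    # HTTPS -> tunnel
    print(classify(rtr, sample))
    try:   # the original idea: point a policy route straight at the VPC host
        rtr.add_policy_route(PolicyRoute(Net("10.0.0.0/24"), "tcp",
                                         frozenset({80}), IPv4("172.20.16.10")))
    except ValueError as e:
        print("rejected:", e)
```

The model deliberately stops at the XG: once a packet is inside xfrm1 the XG has done its part, and whether it reaches the egress instance depends entirely on the AWS-side routing (the transit gateway in the final post). When debugging a setup like this, check that side separately from the XG's route precedence.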