
SD-WAN, S-NAT causing IPSEC problems

Hello,

I'm planning the upgrade from SFOS v17 to v18, and I'm testing my current configs. Currently I'm facing a problem with IPsec tunnels, SD-WAN (with load balance) and SNAT rules.

Based on the documentation and videos about these features:

https://community.sophos.com/products/xg-firewall/f/recommended-reads/121919/how-to-configure-firewall-rule-and-nat-rule-on-xg-v18

https://community.sophos.com/products/xg-firewall/f/recommended-reads/118888/sophos-xg-firewall-v18-how-to-choose-the-gateway-for-a-firewall-rule

https://vimeo.com/376241042

https://vimeo.com/390800287


I'm having problems with IPsec traffic. All traffic from the LAN zone to the VPN zone is using the WAN gateway instead of the IPsec tunnel/route.

Could someone tell me the best and correct way to use SD-WAN / SNAT / load balance without impacting IPsec?


I'm attaching my configs, based on the videos and documentation.


Best regards

Carlos


Firewall Rule


NAT RULE

  • Hello Carlos,

    Thank you for contacting the Sophos Community.

What exactly are you trying to achieve?

How is your IPsec tunnel configured, is it policy-based or route-based?

    Why are you using SD-WAN?

    Why do you want to NAT the traffic of your subnet?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
• Hi

Thank you for your reply.

I'm trying to make IPsec traffic work as in v17. Currently the traffic only works if I disable SD-WAN.

The tunnels are configured using policy (it is working: the tunnel is established, but the routing is not working).

I'm using SD-WAN to provide WAN load balancing.

I'm using SNAT to MASQ the traffic from LAN, since this is the new way to do it, different from v17.


    Regards

    Carlos

  • Any tip for this?

Any documentation about this scenario or best practices for it?


    Regards

    Carlos

• Policy-based VPN cannot use SD-WAN routing.

    Policy-based VPN uses its own routing (based on the local/remote subnets).

    If you want to use static or SD-WAN routing, you need to switch to route-based VPN.

• Hi

    Thanks for your reply.

Well, I don't know if I was clear about my problem, but I do not want to use route-based VPN, and I'm using SD-WAN rules to do WAN load balancing.

As I explained in my previous post, I'm migrating my rules from v17 to v18. In v17, with a single rule I can do a LAN-WAN rule (with NAT MASQ and WAN load balancing) and this does not impact my VPN-LAN and LAN-VPN connections. But in v18 I need to create 3 rules:

    1 - LAN-WAN policy

    2 - SNAT Policy

    3 - SD-WAN for WAN Load Balance

(All of this based on the documentation and videos provided by Sophos)

But when I enable the SD-WAN rule it impacts the IPsec traffic: instead of flowing through the ipsec0 interface, the traffic tries to flow through the WAN interface.

    Based on this, I would like the correct way to do it as in v17.


Best regards

    Carlos


• Hello

    Thank you for your tip.

    But I have one more question.

Is this the best way or best practice to "fix" this behavior?

I'm asking because, after checking the route precedence in v17 and v18, both are equal, and in v17, as mentioned, I never needed to make any changes for this to work, and I did not find any document for v18 making this mandatory when using VPN + SD-WAN.


    v17

    console> system route_precedence show
    Default routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes
    console>


    v18

    console> system route_precedence show
    Routing Precedence:
    1. SD-WAN policy routes
    2. VPN routes
    3. Static routes
    console>


    Best regards

    Carlos
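To make the precedence question concrete, here is an added Python model (not Sophos code and not from the thread) that parses the `system route_precedence show` listing posted above and walks it for one packet; the subnets and the LAN -> Any load-balance rule are constructed assumptions.

```python
import ipaddress

# Constructed lab values (not from the thread): a LAN subnet, the remote subnet
# behind the policy-based IPsec tunnel, and a LAN -> Any WAN load-balance rule.
LAN = ipaddress.ip_network("10.1.0.0/24")
REMOTE_VPN = ipaddress.ip_network("10.2.0.0/24")

# The v18 output posted in the thread, and the same list with VPN routes moved first.
V18_DEFAULT = """Routing Precedence:
1. SD-WAN policy routes
2. VPN routes
3. Static routes"""
V18_VPN_FIRST = """Routing Precedence:
1. VPN routes
2. SD-WAN policy routes
3. Static routes"""


def parse_precedence(console_output):
    """Return the route classes in the order 'system route_precedence show' lists them."""
    order = []
    for line in console_output.splitlines():
        line = line.strip()
        if line[:1].isdigit() and "." in line:
            order.append(line.split(".", 1)[1].strip().lower())
    return order


def sdwan_rule_matches(src, dst):
    # A WAN load-balance rule written as LAN -> Any matches on source only,
    # so packets for the remote VPN subnet match it too.
    return src in LAN


def vpn_route_matches(src, dst):
    # Policy-based IPsec: traffic is routed by the tunnel's local/remote subnet pair.
    return src in LAN and dst in REMOTE_VPN


def select_egress(order, src, dst):
    """Walk the precedence list and return the first route class that claims the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for route_class in order:
        if route_class.endswith("policy routes") and sdwan_rule_matches(src, dst):
            return "WAN"      # load-balanced onto a WAN gateway, tunnel bypassed
        if route_class == "vpn routes" and vpn_route_matches(src, dst):
            return "ipsec0"   # enters the IPsec tunnel as expected
    return "static"
```

With the v18 default order a source-only SD-WAN rule claims LAN traffic destined for the remote VPN subnet before the VPN routes are consulted, which is the ipsec0-vs-WAN symptom described in the thread; on SFOS v18 the order is changed from the console with `system route_precedence set vpn sdwan_policyroute static`.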
