This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SD-WAN, S-NAT causing IPSEC problems

Hello,

Im planning the upgrade from SFOS v17 to v18, and Im testing my current configs. Currently Im facing a problem with IPSEC tunnels and SD-WAN (with load balance) and SNAT rules.

Based in documentations and videos about theses features:

- https://community.sophos.com/products/xg-firewall/f/recommended-reads/121919/how-to-configure-firewall-rule-and-nat-rule-on-xg-v18

- https://community.sophos.com/products/xg-firewall/f/recommended-reads/118888/sophos-xg-firewall-v18-how-to-choose-the-gateway-for-a-firewall-rule

- https://vimeo.com/376241042

-https://vimeo.com/390800287

Im having problems with IPSEC traffic. All traffic from LAN ZONE to VPN ZONE is using the WAN Gateway insted usage ipsec tunnel/route.

Could someone tell me what is the best and correct way to usage SD-WAN/ SNAT / Load Balance withou impact in IPSEC ?

Im attaching my configs based in videos and dcoumentations

Best regards

Carlos

Firewall Rule

NAT RULE

This thread was automatically locked due to age.

Parents

0 emmosophos over 5 years ago

Hello Carlos,

Thank you for contacting the Sophos Community.

What is exactly what you are trying to achieve?

How is your IPsec tunnel configured, is it Policy base or Route base?

Why are you using SD-WAN?

Why do you want to NAT the traffic of your subnet?

Regards,
Cancel
Vote Up 0 Vote Down

Cancel
0 Carlos Cesario over 5 years ago in reply to emmosophos

Hi emmosophos

Thank you by your reply.

Im trying make IPSEC traffic works as in v17. Currently the traffci only Woks if I disable SD-WAN

The tunnel are configured using Policy (it is workins, the tunnel is established, but the routing is not working)

Im using SD-WAN to provide WAN Load balance

Im using SNAT to MASQ the traffic from LAN, once the is the new way to do it, different from v17.

Regards

Carlos
Cancel
Vote Up 0 Vote Down

Cancel
0 Carlos Cesario over 5 years ago in reply to Carlos Cesario

Any tip for this?

Any documentation about this scenario or best practices for this ?

Regards

Carlos
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to Carlos Cesario

Policy Based VPN cannot use SD-WAN Routing.

Policy based VPN uses it own Routing (based on the Local / Remote Subnets).

If you want to use static or SD-WAN Routing, you need to switch to Route Based VPN.
Cancel
Vote Up 0 Vote Down

Cancel
0 Carlos Cesario over 5 years ago in reply to LuCar Toni

Hi LuCar Toni

Thanks by your reply.

Well, I dont know if i was clear in my problem, but I do not want usage Route-Based VPN, and Im using SD-WAN rules to make WAN load balance.

As I explained in my previous post, I`m migrating my rules from V17 to V18, and In v17 with a single rule I can do LAN-WAN rule (with NAT MASQ and WAN Load Balancing) and this does not cause impact in my VPN-LAn and LAN-VPN connections. But In v18 I need create 3 Rules.

1 - LAN-WAN Polic

2 - SNAT Policy

3 - SD-WAN for WAN Load Balance

(All this based in documentation and videos provide by Sophos)

But when I enable SD-WAN rule this caus impact on IPSEC traffic, instead the traffic flow by ipsec0 interface the traffic try flow by WAN interface.

based this I would like the correct way to to it as in V17.

best regards

Carlos
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to Carlos Cesario

You need to change your route precedence.

See online help: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html
Cancel
Vote Up 0 Vote Down

Cancel
0 Carlos Cesario over 5 years ago in reply to LuCar Toni
Hello LuCar Toni

Thank you by your tip.

But I have one more question.

Is this the best way or best practice for "fix" this behaivor ?

Im asking because after check the route precedence in V17 and v18, both are equals and in V17 as mentioned I never did not need make no changes in v17 to this work, and I did not found no document for v18 making this as mandatory when using VPN + SD-WAN.

v17

console> system route_precedence show
Default routing Precedence:
1. Policy routes
2. VPN routes
3. Static routes
console>

v18

console> system route_precedence show
Routing Precedence:
1. SD-WAN policy routes
2. VPN routes
3. Static routes
console>

Best regards

Carlos
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Carlos Cesario over 5 years ago in reply to LuCar Toni
Hello LuCar Toni

Thank you by your tip.

But I have one more question.

Is this the best way or best practice for "fix" this behaivor ?

Im asking because after check the route precedence in V17 and v18, both are equals and in V17 as mentioned I never did not need make no changes in v17 to this work, and I did not found no document for v18 making this as mandatory when using VPN + SD-WAN.

v17

console> system route_precedence show
Default routing Precedence:
1. Policy routes
2. VPN routes
3. Static routes
console>

v18

console> system route_precedence show
Routing Precedence:
1. SD-WAN policy routes
2. VPN routes
3. Static routes
console>

Best regards

Carlos
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LuCar Toni over 5 years ago in reply to Carlos Cesario

V17 Default settings are SD-WAN, VPN , Static

V18 Default settings are static, vpn, SD-WAN

But only if you setup a new firewall.

If you upgrade, XG will not reconfigure your settings, to not "destroy" configuration setups.
Cancel
Vote Up 0 Vote Down

Cancel
0 Carlos Cesario over 5 years ago in reply to LuCar Toni

Hi LuCar Toni

You are right, maybe the current values were migrated from V17

But according the documentation the default v18 values are:

static sdwan_policyroute vpn

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html

In this case to fix this behaivor I will need change the route_precedence.

Best regards
Cancel
Vote Up 0 Vote Down

Cancel