Restricting network to network access through IPSec Tunnel on Sophos XG

Good day!

I am having to set up a new network for an IP-based phone system our organization does not control. The system needs to work over the IPSec tunnel between two sites running Sophos XGs. Because we don't have access control over the system, we want to allow the phones to communicate over the tunnel but not with the other networks the tunnel currently has access to. Separate switches are used for the phone equipment and plugged into port 4 on each XG.

Site 1                                                Site 2

LAN Port (1): 192.168.1.x/24 (devices)   talks only to   LAN Port (1): 192.168.2.x/24 (devices)
  (internet access separately at each site)

VOIP Port (4): 192.168.101.x/24 (phones)  talks only to  VOIP Port (4): 192.168.201.x/24 (phones)
  (no internet access)

I think a firewall rule is the right way to go, but I am having trouble working out the details. A little help would be greatly appreciated.

Thank you!



This thread was automatically locked due to age.
  • Hello Justin,

    Thank you for contacting the Sophos Community!

    Yes, you are right, this is done at the Firewall rule level. You most likely have 2 SA associations created in the IPSec tunnel, so what you could try is creating a separate zone for the VoIP networks: create a zone called maybe VoIP, and then create a Firewall rule VoIP to VPN and only add the specific services the phones need to communicate with 192.168.201.x/24.

    Or create two Firewall rules, one with the subnet of Port1 and another with the subnet of Port4, so you would have two LAN to VPN rules, and again try to only use the specific services that the phones will use in the Firewall rule.

    Regards,
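
To sanity-check the rule design in the reply above (the variant with a dedicated VoIP zone), here is an added Python model of Site 1's zones and two rules evaluated against sample flows. It is example code written for this thread, not Sophos configuration or tooling, and SIP over UDP/5060 is an assumed placeholder for "the specific services the phones need".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Site 1 zones as described in the thread. "VPN" holds the remote subnets
# reachable through the IPSec tunnel to Site 2.
ZONES = {
    "LAN":  [ipaddress.ip_network("192.168.1.0/24")],
    "VoIP": [ipaddress.ip_network("192.168.101.0/24")],
    "VPN":  [ipaddress.ip_network("192.168.2.0/24"),
             ipaddress.ip_network("192.168.201.0/24")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    services: frozenset   # set of (proto, port); empty set means any service

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in n for n in nets):
            return zone
    return None

def evaluate(rules, src_ip, dst_ip, proto, port) -> str:
    """First matching rule wins; anything unmatched falls to the default drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (zone_of(src_ip) == r.src_zone and zone_of(dst_ip) == r.dst_zone
                and src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)
                and (not r.services or (proto, port) in r.services)):
            return f"accept:{r.name}"
    return "drop"

# Assumed placeholder: SIP/UDP 5060 stands in for the phone system's real services.
SITE1_RULES = [
    Rule("LAN to VPN",  "LAN",  "VPN", "192.168.1.0/24",   "192.168.2.0/24",   frozenset()),
    Rule("VoIP to VPN", "VoIP", "VPN", "192.168.101.0/24", "192.168.201.0/24",
         frozenset({("udp", 5060)})),
]

if __name__ == "__main__":
    for flow in [("192.168.101.10", "192.168.201.10", "udp", 5060),   # phone to phone
                 ("192.168.101.10", "192.168.2.10",   "udp", 5060),   # phone to remote LAN
                 ("192.168.1.10",   "192.168.201.10", "tcp", 443)]:   # LAN to remote phone
        print(flow, "->", evaluate(SITE1_RULES, *flow))
```

The second and third flows dropping is the segmentation the question asks for: the phone subnet only crosses the tunnel to the remote phone subnet, and the LAN only to the remote LAN.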

  • Thank you for the quick response. I wish I was as fast getting back to work on this.

    I tried creating an inbound and outbound rule on each Sophos device, but when I add the VoIP networks to the existing VPN tunnel, the tunnel will not come up. I ended up creating a second VPN tunnel for just the VoIP interfaces. That worked, but it is not what I consider an ideal solution.

    Again, thanks for the help and advice.
