sdwan routing not working

I have an XG210 and an XG106.

They are connected by a private circuit on port 2 of each device, and traffic has existing static routes on each to use that to reach private subnets at each end, etc.

We are now turning up IPSEC VPN between them, using the standard ike 2. The vpn itself connects fine and the xfrm interfaces can ping each other ok.

For the remote site, I have one public internet connection from a cable provider (which is the only link under WAN manager).

The upstream private circuit also does have the capability of being internet access through the head office XG210 as well.

Because the private circuit is "LAN" type (with nat and additional filtering upstream), it is not in the wan manager as a default gateway, which is ok.

If I have 1 SD-WAN rule for destination any, using cable internet as primary and the private circuit as backup, it fails over and back properly.

If I try to build my additional SD-WAN rule where I want to just reach certain private networks via the private circuit as primary, and the new VPN secondary, it never works as the destination ANY SD-WAN rule overrides it, even though the private network rule has a more specific destination address.

I've also set it to the top rule in the sd-wan page and it still doesn't take effect.

I see this in the documentation and it simply says to make sure static routing is first, sd-wan second, and vpn routes third.

I don't have any static routes as I have removed the static routes (which work) for sd-wan to allow failover between private circuit and the VPN as backup.

How do I get the private subnets to use the sd-wan rule without totally removing my destination any default sd-wan policy which is doing my internet traffic?

Otherwise I will have to redo my private LAN as a WAN and make new firewall rules to limit traffic, as only certain users can use the internet on the private circuit. I don't want it becoming the active link as backup for internet and all users having access upstream to it.

Thoughts?

How do you get more specific sd-wan routes to work without the destination any sd-wan rule overriding everything?
This is easily done on cisco, juniper, etc...

  • Hi,

    Thank you for reaching out to Sophos Community.

    Have you created custom gateways to route the traffic over private circuit/IPsec via SD-WAN policy?

    If custom gateways are already added, then please brief us on what traffic you're willing to route through SD-WAN policies (from which location, XG106/XG210, and via which link, private circuit/IPsec). It would be great if you could brief again with an example and could also post reference snapshots.


    If not, I'd suggest creating a custom gateway for private circuit and xfrm interface under CONFIGURE > Network > Gateways.

    After that, you just need to create SD-WAN policies for required sources/destinations with private circuit/IPsec as a primary/backup gateway.

  • Hi, yes, we have a gateway for the VPN and one for the circuit.

    Here is how the traffic should be:

    1) Private traffic goes over the private circuit as primary. example being 192.168.3.0/24 remote site with xg106 to 192.168.0.0/24 on the LAN of the XG210.

    2) The route is simply gateways on the same LAN zone circuit subnet of 172.16.168.0/24.

    3) If this should be unavailable (the XG106 senses the XG210 is unavailable via the private circuit), it should fall back to the VPN, which has a gateway of 10.0.0.4/30 point to point, with .5 on the XG210 and .6 on the XG106. The XG106 is the initiator, the XG210 in listen mode (tunnel).

    4) The internet on the xg106 has a default WAN of a cable provider, DHCP for a static IP from service provider.

    5) Because the private circuit is not meant to be a WAN for all clients attached to the xg106, only a subset (corporate network, not public wireless/dmz users), it is not configured as a normal WAN where it shows up in the uplink manager.

    6) I have one SD-WAN rule of primary being cable provider, secondary being the private circuit, for only corporate lan users internet traffic. Destination is ANY, protocol is ANY.

    7) I have one SD-WAN rule of primary being the private circuit, secondary being the VPN, for only corporate lan users private traffic. DESTINATION is more specific, being only the 192.168.0.0/24 subnet I want to get to, protocol ANY.

    Users on the dmz/public internet just use the default wan uplink (cable provider) with no redundancy.

    8) Right now, if I turn on the SD-WAN policy for private traffic for corporate users, it actually uses the default internet gateway instead of the more specific SD-WAN rule for the specific corporate subnet over the private circuit or the VPN.

    I would have opened a ticket, however even though we have 3 years of enterprise protect on both units, the portal is still saying my login is no longer valid since January due to maintenance...

    If someone can look at that first, then I can attach more specific screenshots privately to troubleshoot.

    Thank You
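To make the precedence question in this thread concrete, the following is an added, self-contained model of route selection; it is not Sophos code and not how the XG appliances actually evaluate policies. It assumes the order the poster quotes from the documentation (static routes, then SD-WAN policies, then VPN routes), that static and VPN routes use longest-prefix match, and that SD-WAN policies are evaluated top-down with first match winning, using the primary gateway while its health check passes and the backup otherwise. The subnets are the ones from the reply above (192.168.3.0/24 corporate LAN behind the XG106, 192.168.0.0/24 behind the XG210, xfrm peer 10.0.0.5); the circuit and cable next-hop addresses, the DMZ host and the internet destination are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Gateway:
    name: str
    ip: str          # next-hop address (constructed where the thread gives none)
    up: bool = True  # outcome of the gateway health check

@dataclass
class Route:
    prefix: str      # CIDR
    gateway: str     # Gateway.name

@dataclass
class SdwanPolicy:
    name: str
    source: str              # CIDR or "any"
    destination: str         # CIDR or "any"
    primary: str
    backup: Optional[str] = None

def _matches(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _longest_prefix(routes: List[Route], dst: str) -> Optional[Route]:
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ipaddress.ip_address(dst) in net and (
            best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen
        ):
            best = r
    return best

def select_gateway(src, dst, static_routes, policies, vpn_routes, gateways,
                   default="cable") -> Tuple[str, Optional[str]]:
    """Return (stage, gateway_name) for a flow, in the assumed precedence
    static > SD-WAN > VPN > default WAN."""
    r = _longest_prefix(static_routes, dst)
    if r:
        return ("static", r.gateway)            # a static route wins outright
    for p in policies:                          # first matching policy wins
        if _matches(p.source, src) and _matches(p.destination, dst):
            for gw in (p.primary, p.backup):    # primary, then backup, if alive
                if gw and gateways[gw].up:
                    return ("sdwan", gw)
            return ("sdwan", None)              # matched, but no live gateway
    r = _longest_prefix(vpn_routes, dst)
    if r:
        return ("vpn", r.gateway)
    return ("default", default)                 # default WAN uplink

def scenario(circuit_up=True, specific_first=True):
    """Build the XG106 side of the thread's setup with the /24 policy either
    above or below the destination-ANY internet policy."""
    gateways = {
        "cable":   Gateway("cable", "203.0.113.1"),                  # constructed ISP next hop
        "circuit": Gateway("circuit", "172.16.168.1", up=circuit_up),  # constructed, in 172.16.168.0/24
        "vpn":     Gateway("vpn", "10.0.0.5"),                       # xfrm peer on the XG210
    }
    corp = "192.168.3.0/24"
    private = SdwanPolicy("private", corp, "192.168.0.0/24", "circuit", "vpn")
    internet = SdwanPolicy("internet", corp, "any", "cable", "circuit")
    return gateways, ([private, internet] if specific_first else [internet, private])

def route(src, dst, circuit_up=True, specific_first=True):
    gateways, policies = scenario(circuit_up, specific_first)
    return select_gateway(src, dst, [], policies, [], gateways)

if __name__ == "__main__":
    print(route("192.168.3.10", "192.168.0.20"))                      # circuit
    print(route("192.168.3.10", "192.168.0.20", circuit_up=False))    # vpn
    print(route("192.168.3.10", "192.168.0.20", specific_first=False))  # cable: shadowed by ANY
    print(route("10.10.10.5", "198.51.100.7"))                        # DMZ host: default WAN
```

In this model, placing the /24 policy above the destination-ANY policy is enough for corporate traffic to 192.168.0.0/24 to take the circuit and fail over to the VPN, while the reverse order reproduces the shadowing the poster describes; the thread reports the appliance still picks the internet gateway with the specific rule on top, which is why the Sophos reply asks for the interface and gateway configuration rather than the policy order alone.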

  • Thank you for a brief description.

    As per the said configuration of the XG106, traffic to the XG210 subnet (192.168.0.0/24) should get forwarded through the private circuit.

    Could you please send me snapshots of the interface configuration, gateway configuration, and SD-WAN policies via PM?