XFRM Interface not editable

Hello there,

Thank you for contacting the Sophos Community.

When you configured the Tunnel Interface IPsec, you chose IPv4 for the IP version and entered the SAs (Local Subnet) (Remote Subnet), which is why you can't configure the xfrm, since the tunnel already knows the SAs.

"The XFRM interface is configured for specific local and remote subnets. You can't assign an IP address or routes to the interface."

If you want to add an IP to the xfrm you would need to choose DUAL when configuring the IPsec Tunnel Interface.

Regards,

Hello EmmoSophos,

DUAL - what does Dual mean? IPv4 and IPv6? 

In 18.5 MR-3 it was possible to leave the network empty in case of a tunnel interface. In Version 19.0 this led to an error (with IPv4 selected). However it was possible to use "Any" for the networks. Is this working as well? At least it was possible to enter the IP Adress.

Really strange. With each new version this behaves different. Let you development have a look on other vendors like fortigate where this behaves exactly like an interface.

Regards,
Bernd

Hello BeEf,

Yea that's right, either you can have restrict use IPv4 OR IPv6 or both depending upon your requirement. 
And If you select specific subnets rather than "Any", you don't need to add routes or assign an IP address to the tunnel interface.

Thanks. Okay this is getting difficult.

What happens if I want to use a group of networks there? Main purpose was to get this less static and operable without interruption of the policy based tunnels and to be able to use groups of network for configuration of the tunnels/SD-WAN routes and the firewall policies.

What about the routing precedence then? Will I still be able to use SD-WAN on this interface when I configure Subnets on it? The current Routing precedence is Static route, SD-WAN route, VPN route on the remote firewall and Static route, VPN route, SD-WAN route on the central firewall. 

Thanks. Okay this is getting difficult.

What happens if I want to use a group of networks there? Main purpose was to get this less static and operable without interruption of the policy based tunnels and to be able to use groups of network for configuration of the tunnels/SD-WAN routes and the firewall policies.

What about the routing precedence then? Will I still be able to use SD-WAN on this interface when I configure Subnets on it? The current Routing precedence is Static route, SD-WAN route, VPN route on the remote firewall and Static route, VPN route, SD-WAN route on the central firewall. 

Well if you select IPv4 then you still be able to select various network groups as the local network.

And, you can still use the routing precedence and change it to your requirement.
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSetRoutePrecedence/index.html
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/index.html

 

use ANY in IPsec Config for Tunnel Interfaces. That is the standard for all vendors.

You can do a Tunnel Interface WITH subnets but it is something to build for special installations. That is not the default.

Simply use ANY and use the routing stack (SD-WAN, Static etc.). 

LuCar Toni
Thanks. So any in V19 and nothing/empty in V18.5?

Yes. Essentially "Empty" in V18.5 means "Any". It is just another way to reflect it. Because if you look at V18.5 and the Tunnel, you see the tunnel is using ANY (0.0.0.0) for the Tunnel itself. So it means ANY. V19.0 simply reflect ANY. 

So by using DUAL and not configuring anything, it stay "Empty" in V19.0 but it uses ANY. 

{4118}: INSTALLED, TUNNEL, reqid 63, ESP in UDP SPIs: 
{4118}: 0.0.0.0/0 === 0.0.0.0/0