Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 18 replies
  • Subscribers 28 subscribers
  • Views 1233 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec Routing (tunnel interface) - XG to SG/UTM connection

Aaron Becker

I'm trying to migrate UTMs to XG. Currently HQ site has UTM.

BO has a new XG (in test currently) and I can get the IPSec to establish and it has the correct SA if I define the same subnets on each side (typical for the old UTM>UTM style IPsec tunnels).

When I define the Subnets on the XG, a grey note appears (see image) that defining routes or a xfrm interface IP is not required (nor can I do either of these anyways).

On the UTM, the route gets added without an issue. However, on the XG, I'm not getting a route for the remote site subnet and traceroute shows the packets going out the WAN interface (not the tunnel interface) and getting timeouts (of course).

I've watched several of the videos and read a few documents but it seems they all differ slightly in recommendations depending on the version the doc was created for. 



This thread was automatically locked due to age.
Parents Reply
  • 0 in reply to Aaron Becker

    UTM builds a ipsec0 interface. VTI would mean, there is a XFRM interface per tunnel, which is not the case in UTM. It uses a workaround to bind it to a physical interface, but it is not VTI/XFRM. 

    __________________________________________________________________________________________________________________

Children
Unfiltered HTML