Routing and Firewall Policy for MPLS and IPSec

Hello Ajay Sharma1,

Thank you for reaching out to the community, I have one question, the MPLS link configured on the HO and BO is configured in which zone ? Have you configured it as a WAN zone or a LAN zone or any custom DMZ or MPLS zone ? 

Hello Vivek,

Thanks for prompt response. The MPLS at BO is terminated on ISPs router and the Router at BO is in LAN Zone.

At HO it is in DMZ but we have a L3 Distribution switch where we manage all the routing so the Firewall at HO does not come into scene, whenever the traffic is routed through MPLS from HO. Please refer the diagram below:

Hi Ajay Sharma1 Based on the above diagram setup falls under "asymmetric routing design" and may be stateful bypass rule will fix the routing or you should try to avoid asymmetric routing design by terminating the MPLS connection on the Firewall ports in place of the switch.

 https://support.sophos.com/support/s/article/KB-000038267?language=en_US

How to Bypass Stateful inspection commands given in the below KBA which you may use and tweak as per requirements:

https://support.sophos.com/support/s/article/KB-000044309?language=en_US

Note: Please take a backup of the current configuration before any changes for safety measures and plan changes with a proper downtime window.

Hello Vishal,

Thanks for the reply. To terminate the MPLS link on XG is one consideration, we are in contact with ISP.

Till then can we have it connectd using XFRM Route based VPN?

as per the below statement i KB https://support.sophos.com/support/s/article/KB-000044309?language=en_US :

"In Route-based IPsec site-to-site connection, the XFRM interface is bonded with the interface and the traffic is simply routed through. Using the Stateful inspection bypass for the network between two sites will not cause any issue and will not be inspected by the firewall."

Also, my current setup is as mentioned in the 3rd solution in KB https://support.sophos.com/support/s/article/KB-000038267?language=en_US

Create a new connection from the switch on the left to the firewall on the left, set the client default gateway to the firewall's IP, and create a route to MPLS as a backup for the VPN tunnel

I'm trying to achieve the result using this configuration at BO. But I feel the Firewall Policy is not letting the traffic through. I've achieved this with Fortigate earlier and it worked well, I had to create Policy for LAN to LAN traffic.

Hello Vishal,

Thanks for the reply. To terminate the MPLS link on XG is one consideration, we are in contact with ISP.

Till then can we have it connectd using XFRM Route based VPN?

as per the below statement i KB https://support.sophos.com/support/s/article/KB-000044309?language=en_US :

"In Route-based IPsec site-to-site connection, the XFRM interface is bonded with the interface and the traffic is simply routed through. Using the Stateful inspection bypass for the network between two sites will not cause any issue and will not be inspected by the firewall."

Also, my current setup is as mentioned in the 3rd solution in KB https://support.sophos.com/support/s/article/KB-000038267?language=en_US

Create a new connection from the switch on the left to the firewall on the left, set the client default gateway to the firewall's IP, and create a route to MPLS as a backup for the VPN tunnel

I'm trying to achieve the result using this configuration at BO. But I feel the Firewall Policy is not letting the traffic through. I've achieved this with Fortigate earlier and it worked well, I had to create Policy for LAN to LAN traffic.