IPSec connection not used

Hi all,

I have an IPsec connection, but packets don't use it:

XGS2100_RL01_SFOS 19.0.1 MR-1-Build365# ip route show table 220
192.168.192.1 dev ipsec0 scope link src 192.168.179.254

XGS2100_RL01_SFOS 19.0.1 MR-1-Build365# ip route show table all
default via 192.168.178.1 dev Port2 table wanlink1 proto static src 192.168.178.2
prohibit default table wanlink1 proto static metric 1
default via 192.168.178.1 dev Port2 table gw1 proto static
prohibit default table gw1 proto static metric 1
default dev ipsec0 table routeipsec0 scope link
default via 192.168.178.1 dev Port2 table multilink proto static
192.168.192.1 dev ipsec0 table 220 scope link src 192.168.179.254
10.0.0.0/8 via 192.168.92.114 dev Port1 proto zebra
10.0.1.0/24 dev PortMGMT proto kernel scope link src 10.0.1.1 linkdown
172.16.0.0/12 via 192.168.92.114 dev Port1 proto zebra
192.168.0.0/16 via 192.168.92.114 dev Port1 proto zebra
192.168.92.112/28 dev Port1 proto kernel scope link src 192.168.92.113
192.168.178.0/24 dev Port2 proto kernel scope link src 192.168.178.2

but packets use the other LAN port (Port1), not the IPsec connection:

console> system route_precedence show
Routing Precedence:
1. VPN routes
2. SD-WAN policy routes
3. Static routes
console>
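To see how the Linux policy-routing lookup behind SFOS resolves a destination against the tables dumped above, here is a small model written for this page (added example, not code from the original post or from Sophos). It parses the posted `ip route show table all` output, walks the tables in rule order and does a longest-prefix match in each, falling through to the next table when a table has no matching route. The rule order (table 220 before main) is an assumption taken from stock strongSwan behaviour, since the post does not include `ip rule show`; the SD-WAN tables (wanlink1, gw1, multilink, routeipsec0) are only consulted if you pass them explicitly, because the rules that select them are not on the page. What the model makes visible is that table 220 contains a single host route (192.168.192.1/32): that address resolves to ipsec0, while any other 192.168.192.x address falls through to the main table and its 192.168.0.0/16 route via Port1.

```python
"""Model of a Linux policy-routing lookup over the route dump posted above.

Added example for this page, not part of the original post or of SFOS.
ASSUMPTION: rule order [table 220, main], as stock strongSwan installs it
(`ip rule` priority 220 -> table 220, main at 32766).  The post does not
show `ip rule show`, so the real SFOS order may differ.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Route lines copied verbatim from the post's `ip route show table all` output.
ROUTE_DUMP = """\
default via 192.168.178.1 dev Port2 table wanlink1 proto static src 192.168.178.2
prohibit default table wanlink1 proto static metric 1
default via 192.168.178.1 dev Port2 table gw1 proto static
prohibit default table gw1 proto static metric 1
default dev ipsec0 table routeipsec0 scope link
default via 192.168.178.1 dev Port2 table multilink proto static
192.168.192.1 dev ipsec0 table 220 scope link src 192.168.179.254
10.0.0.0/8 via 192.168.92.114 dev Port1 proto zebra
10.0.1.0/24 dev PortMGMT proto kernel scope link src 10.0.1.1 linkdown
172.16.0.0/12 via 192.168.92.114 dev Port1 proto zebra
192.168.0.0/16 via 192.168.92.114 dev Port1 proto zebra
192.168.92.112/28 dev Port1 proto kernel scope link src 192.168.92.113
192.168.178.0/24 dev Port2 proto kernel scope link src 192.168.178.2
"""

# Assumed rule order (see module docstring).  SD-WAN tables are selected by
# SFOS rules that the post does not show, so they are not in the default order.
RULE_ORDER = ["220", "main"]

Route = Dict[str, object]
VALUE_KEYS = {"via", "dev", "table", "proto", "scope", "src", "metric"}


def parse_routes(dump: str) -> Dict[str, List[Route]]:
    """Parse `ip route show table all` text into {table_name: [route, ...]}."""
    tables: Dict[str, List[Route]] = {}
    for line in dump.splitlines():
        toks = line.split()
        if not toks:
            continue
        rtype = "unicast"
        if toks[0] in ("prohibit", "blackhole", "unreachable"):
            rtype = toks.pop(0)
        dst = toks.pop(0)
        # A bare address such as 192.168.192.1 is a /32 host route.
        prefix = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        route: Route = {"prefix": prefix, "type": rtype, "table": "main",
                        "metric": 0, "via": None, "dev": None, "linkdown": False}
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok in VALUE_KEYS and i + 1 < len(toks):
                route[tok] = int(toks[i + 1]) if tok == "metric" else toks[i + 1]
                i += 2
            else:
                # Flag tokens: linkdown only affects selection when
                # net.ipv4.conf.*.ignore_routes_with_linkdown=1, so it is
                # recorded but not used for the choice below.
                if tok == "linkdown":
                    route["linkdown"] = True
                i += 1
        tables.setdefault(str(route["table"]), []).append(route)
    return tables


TABLES = parse_routes(ROUTE_DUMP)


def lookup(dst: str, order: List[str] = RULE_ORDER,
           tables: Optional[Dict[str, List[Route]]] = None
           ) -> Optional[Tuple[str, str, Optional[str], Optional[str]]]:
    """Resolve dst the way the kernel would: tables in rule order, longest
    prefix (then lowest metric) within a table, fall through on no match.

    Returns (table, route_type, dev, via) or None when nothing matches.
    """
    tables = TABLES if tables is None else tables
    addr = ipaddress.ip_address(dst)
    for table in order:
        matches = [r for r in tables.get(table, []) if addr in r["prefix"]]
        if not matches:
            continue  # no route in this table: next table in rule order
        best = max(matches, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))
        return (table, str(best["type"]), best["dev"], best["via"])
    return None


if __name__ == "__main__":
    for target in ("192.168.192.1", "192.168.192.50", "192.168.92.120", "8.8.8.8"):
        print(f"{target:16} -> {lookup(target)}")
    # Only when an SD-WAN rule points at wanlink1 does the default route apply:
    print(f"{'8.8.8.8':16} -> {lookup('8.8.8.8', ['wanlink1'])}")
```

Run it stand-alone to print the resolution for a handful of destinations; pass a different `order` list to experiment with how an `ip rule` entry for one of the SD-WAN tables would change the result. Compare against the real box with `ip route get <dst>` and `ip rule show`, which report the table the kernel actually picked.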


 



  • Found the following:

    https://support.sophos.com/support/s/article/KB-000038775?language=en_US

    ".... If for example, a particular subnet is accessible over an IPSEC VPN and is also covered by a static route directed to a router in the LAN zone, then the route_precedence command cannot be used to control which route is used."

    Really great ... 

    A known issue:


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Time for route-based VPN, I guess?


  • OK, but that would be a workaround again, just because something "normal/standardized" doesn't work properly.
    Yesterday I came across something new... I need the IPsec route too if I do SNAT before the packets pass through the tunnel.


    Dirk


  • Route-based is not a workaround. It is a better technology.

    And yes, this is not needed in route-based either.

    Policy-based is an old, flaky technology, which has plenty of downsides.
