Route internet traffic across IPSEC

I have the following setup with an IPSEC tunnel between the two Sophos XG firewalls.

Internet traffic from 192.168.1.1 goes out through Internet 1

I want to say that for traffic with a destination of 8.8.8.8, go across the IPSEC tunnel and out through Internet 2; all other traffic remains on Internet 1.

I've tried:

system ipsec_route add host 8.8.8.8 tunnelname <tunnel>

set advanced-firewall sys-traffic-nat add destination 8.8.8.8 snatip 192.168.1.1

Packet capture shows traffic is being sent to the IPSEC tunnel correctly on Sophos (192.168.1.254) but the traffic never arrives at the other end.

What am I missing?

  • tcpdump does not show the incoming IPsec packets, but the packet capture in Webadmin does show this traffic. Please take a look at the Packet capture feature under Diagnostics.

  • Yes, that's where I've been checking. Nothing is showing up for destination 8.8.8.8 on the secondary firewall 192.168.2.254.

  • Can you show us the screenshots of both packet captures? 

  • Ok. I simplified the IPs in my diagram. Source server is 172.29.246.1

    set advanced-firewall sys-traffic-nat add destination 7.7.7.7 snatip 172.29.246.1

    system ipsec_route add host 7.7.7.7 tunnelname remotebranch

    172.29.246.0/24 is on the local side of the IPSEC tunnel and the remote side of the IPSEC tunnel. All traffic is flowing fine between the subnets for normal communication, so the IPSEC tunnel is working fine and able to see the subnet.

    Source side packet capture:

    Destination side packet capture:
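One thing worth checking at this point, as an added example that is not part of the thread: with policy-based IPsec, a packet only gets encrypted on one end and accepted on the other if its (post-NAT) source/destination pair matches the tunnel's traffic selectors on both firewalls. The `snatip` command above takes care of the source; the destination (7.7.7.7) still has to fall inside a selector (a remote network of the specific host, or 0.0.0.0/0 on the branch side). The script below is hypothetical diagnostic code: it compares two constructed tcpdump-style captures, lists the flows that left the source firewall but never showed up remotely, and says which selector (assumed values, not taken from the OP's VPN policy) each missing flow falls outside of.

```python
import re
import ipaddress

# Constructed sample capture lines in tcpdump's "IP src.port > dst.port:" layout.
# They are NOT the screenshots from the thread; they only model the symptom:
# the SNAT'd flow to 7.7.7.7 leaves the source firewall but is never seen remotely.
SOURCE_CAPTURE = [
    "12:00:01.000 IP 172.29.246.1.40001 > 7.7.7.7.443: Flags [S], length 0",
    "12:00:01.002 IP 172.29.246.1.40002 > 172.29.246.50.445: Flags [S], length 0",
]
DEST_CAPTURE = [
    "12:00:01.010 IP 172.29.246.1.40002 > 172.29.246.50.445: Flags [S], length 0",
]

# Assumed tunnel traffic selectors (hypothetical; read the real ones from the VPN policy).
LOCAL_SELECTORS = ["172.29.246.0/24"]
REMOTE_SELECTORS = ["172.29.246.0/24"]

FLOW_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def parse_flow(line):
    """Return (src_ip, dst_ip) for a tcpdump-style line, or None if it does not match."""
    m = FLOW_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def flows_missing_at_remote(source_lines, dest_lines):
    """Flows captured on the source firewall that never appear in the remote capture."""
    seen_remote = {f for f in map(parse_flow, dest_lines) if f}
    return {f for f in map(parse_flow, source_lines) if f and f not in seen_remote}


def _in_any(ip, networks):
    """True if ip belongs to at least one of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def flow_fits_selectors(src, dst, local_nets, remote_nets):
    """True when the (post-NAT) src/dst pair matches the tunnel's local/remote selectors."""
    return _in_any(src, local_nets) and _in_any(dst, remote_nets)


def explain_flow(src, dst, local_nets, remote_nets):
    """Human-readable reason a flow would not be selected for the tunnel on this side."""
    if not _in_any(src, local_nets):
        return f"source {src} is outside the local selector(s) {local_nets}"
    if not _in_any(dst, remote_nets):
        return f"destination {dst} is outside the remote selector(s) {remote_nets}"
    return "flow matches the tunnel selectors on this side"


if __name__ == "__main__":
    for src, dst in sorted(flows_missing_at_remote(SOURCE_CAPTURE, DEST_CAPTURE)):
        print(f"{src} -> {dst}: {explain_flow(src, dst, LOCAL_SELECTORS, REMOTE_SELECTORS)}")
```

Run it against real captures by pasting the tcpdump lines from each firewall into the two lists; a flow reported as outside the remote selector is a sign to widen the tunnel's network definitions on both ends (and to confirm the branch firewall actually routes and NATs that destination out of Internet 2) before looking elsewhere.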
