How to route Internet traffic through the Site-to-Site IPSec VPN?

Hi, I've got a site to site VPN working and I can ping from either side but I don't see any option to route internet traffic as well as network traffic. I also couldn't find any documentation on the subject. If someone could please enlighten me on how to configure the routing for the VPN it would be much appreciated!

Thanks

  • Joseph,

    I am not sure you can achieve that without issues. XG has its own routing table with its own precedences. Try going to the advanced shell and printing the routing table using:

    route -n

    From there, check whether you see the route you added using the console command. You can then try to remove the default route 0.0.0.0/0.0.0.0 using Linux commands and see if the IPsec route works.

    Pay attention, because you can lose connection to your XG. Do a backup before doing this.

    Regards

  • These are the only routes; there is no default route for 0.0.0.0.

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 LANBridge
    192.168.137.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
  • So even the IPSec Site to Site route is missing?

    Is the IPsec working? What did you put inside the Remote LAN network inside the IPSec tunnel?

  • Sorry, I meant to say that XG does not have a default 0.0.0.0 route. I wasn't able to reply because adding the 0.0.0.0 route for the IPSec stops my internet from working. Here are the routes, with the new route added:

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ipsec0
    10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 LANBridge
    192.168.137.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
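    Before touching the default route as suggested above, a practitioner would want to read the route -n output and answer two questions: which interface carries the default route, and does the host they administer the XG from stay on a directly attached network rather than being pulled into the tunnel (the "you can lose connection" warning). The script below is an added example, not from this thread or from Sophos; it embeds the routing table posted above as a constructed sample and assumes the tunnel interface is named ipsec0 and the admin workstation is 192.168.1.10.

```shell
#!/bin/sh
# Constructed sample: the "route -n" output from the post above, after the
# IPsec default route was added.
ROUTE_TABLE='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ipsec0
10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 LANBridge
192.168.137.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2'

# Print the interface carrying the default route (empty if there is none).
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

# Print the interface the kernel would pick for an IPv4 address ($1) given a
# route -n table ($2): longest-prefix match, done with arithmetic because
# POSIX awk has no bitwise operators.
route_for() {
    printf '%s\n' "$2" | awk -v ip="$1" '
    function toint(a,   p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    function masklen(m,   n, bits) { n = toint(m); bits = 0; while (n > 0) { bits += n % 2; n = int(n/2) }; return bits }
    BEGIN { best = -1; iface = "" }
    NR > 2 {
        dst = toint($1); addr = toint(ip); len = masklen($3)
        blk = 2 ^ (32 - len)          # size of the subnet block
        if (int(addr / blk) * blk == dst && len >= best) { best = len; iface = $8 }
    }
    END { print iface }'
}

# Succeed (exit 0) only when the admin host ($1) is reached over something
# other than the tunnel interface ($3), so the change cannot cut you off.
admin_path_safe() {
    iface=$(route_for "$1" "$2")
    [ -n "$iface" ] && [ "$iface" != "$3" ]
}

# Stand-alone demo of the two checks.
printf 'default route via: %s\n' "$(default_route_iface "$ROUTE_TABLE")"
printf 'path to 192.168.1.10: %s\n' "$(route_for 192.168.1.10 "$ROUTE_TABLE")"
```

    On a live box you would feed `route -n` output into the same functions instead of the embedded sample.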
  • Hi Joseph,

    I would use a RED tunnel. It will simplify the setup since the RED is an interface in the firewall. Creating a gateway is then trivial at that point (just like any other interface).

    Thanks,

    John

  • Must the RED interface on the master site be exposed directly without NAT? Because I'm hosting the master site on Azure, and Azure places VMs behind a firewall-like NAT (which I've configured to allow all connections), but the IP assigned to the WAN interface is something like 10.1.0.5. Additionally, does the RED interface completely take up the interface? Because I need to use other ports like for the SSL VPN for client devices.

    Joseph

  • Hi Joseph,

    With Azure, RED (in my opinion) is easier to deploy. I use RED tunnels with no issues for our on-prem firewalls into Azure.

    The interface is not a physical interface, but the firewall treats it just like any other interface. So when you configure the RED options, you will see a new interface called reds<number> created on the firewall.

    Since it's an interface/network, you will need to create or terminate it into the proper zone, create proper routes, firewall rules, etc.

    Feel free to DM me and I can help walk you through a typical setup.

    Thanks,

    John

  • Thanks, I'll give setup a try and send you a message if I need any help :)

    Thanks, Joseph