Nexon or Bob, was there ever a solution for this... I am trying to do the same thing...
I want to route the traffic for the specific Internet destination over an IPSEC connection to a remote site to process...
Both my Main and Remote Sophos devices can communicate with no problems, but now I am just lost on getting the Main network segment to redirect over to the remote network for the one specific Network that I need to source from my Remote site...
Main Sophos
eth0: 10.0.25.1/24
IPSEC Respond only
Remote Gateway Remote Networks: 10.0.1.0/24, 8.8.8.0/24
IPSEC Connection Local Networks: 10.0.25.0/24
Remote Sophos
eth0: 10.0.1.1/24
IPSEC Initiate only
Remote Gateway Remote Networks: 10.0.25.0/24
IPSEC Connection Local Networks: 10.0.1.0/24, 8.8.8.0/24
Thanks...
This would route 8.8.8.0/24 from Main Sophos through IPSec tunnel to Remote Sophos.
However, to make sure this traffic gets translated to the internet, you will need to create a masquerading rule at Remote Sophos where you masquerade 10.0.251.0/24 to the internet.
Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT-security and feeling well helping others with their IT-security challenges.
Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
When I set it up like this, mind you not with the masquerading rule just yet, I get the following..:
tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms gateway [10.0.25.1]
2 gateway [10.0.25.1] reports: Destination host unreachable.
Trace complete.
So am I really making it over to the remote router? Otherwise, I would expect that router to reply...?
Note that ping and trace route are regulated on the 'ICMP' tab of 'Firewall'. The "Any" Service includes only TCP and UDP.
Cheers - Bob
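The thread above is really three checks on a policy-based IPsec setup: the traffic selectors on both ends have to mirror each other, the masquerading rule at the Remote side has to cover the Main-side source addresses that arrive through the tunnel, and the firewall rule has to permit ICMP separately because "Any" only covers TCP and UDP. The script below is an added example, not code from the thread or from Sophos; it models those three checks with Python's ipaddress module using the networks as posted (10.0.25.0/24, 10.0.1.0/24, 8.8.8.0/24, the masquerade source 10.0.251.0/24 from the reply, and 10.0.25.0/24 for comparison). The class and function names and the host 10.0.25.50 are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass
class IPsecConnection:
    """Policy-based IPsec connection as seen from one gateway: packets whose
    source is in local_networks and destination in remote_networks are
    steered into the tunnel (example model, not Sophos's internal structure)."""
    name: str
    local_networks: list
    remote_networks: list

    def selects(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (any(s in n for n in self.local_networks)
                and any(d in n for n in self.remote_networks))


def selectors_mirror(a: IPsecConnection, b: IPsecConnection) -> bool:
    """Both ends must agree: a's local networks are b's remote networks and
    vice versa, otherwise no child SA is negotiated for that selector pair."""
    return (set(a.local_networks) == set(b.remote_networks)
            and set(a.remote_networks) == set(b.local_networks))


@dataclass
class MasqRule:
    """Masquerading (source NAT) rule: packets whose source lies inside
    `source` leave the WAN interface with the gateway's public address."""
    source: Net


def masquerade_covers(rule: MasqRule, main_local_networks: list) -> bool:
    """Packets exiting the tunnel at Remote still carry their original
    Main-side source address, so the SNAT source network must contain
    every Main-side local network; otherwise they hit the internet with a
    private source and no reply ever comes back."""
    return all(n.subnet_of(rule.source) for n in main_local_networks)


# Firewall service definitions: the built-in "Any" service on Sophos UTM
# matches TCP and UDP only, so ICMP (ping, tracert) needs its own entry.
SERVICES = {"Any": {"tcp", "udp"}, "ICMP": {"icmp"}}


def firewall_allows(rule_services: list, proto: str) -> bool:
    return any(proto in SERVICES[s] for s in rule_services)


def check_thread_setup() -> dict:
    """Run the three checks against the configuration posted in the thread."""
    main = IPsecConnection("Main", [Net("10.0.25.0/24")],
                           [Net("10.0.1.0/24"), Net("8.8.8.0/24")])
    remote = IPsecConnection("Remote", [Net("10.0.1.0/24"), Net("8.8.8.0/24")],
                             [Net("10.0.25.0/24")])
    host = "10.0.25.50"  # constructed Main-side client address
    return {
        "selectors_mirror": selectors_mirror(main, remote),
        "main_tunnels_8888": main.selects(host, "8.8.8.8"),
        "remote_accepts_return": remote.selects("8.8.8.8", host),
        "masq_as_posted": masquerade_covers(MasqRule(Net("10.0.251.0/24")),
                                            main.local_networks),
        "masq_main_lan": masquerade_covers(MasqRule(Net("10.0.25.0/24")),
                                           main.local_networks),
        "any_passes_icmp": firewall_allows(["Any"], "icmp"),
        "any_plus_icmp_passes_icmp": firewall_allows(["Any", "ICMP"], "icmp"),
    }


if __name__ == "__main__":
    for check, ok in check_thread_setup().items():
        print(f"{check:28s} {'OK' if ok else 'FAIL'}")
```

The "masq_as_posted" line is the one to look at when a tracert dies at the first hop even though the tunnel is up: a masquerade rule whose source network does not contain the Main LAN leaves those packets untranslated, and the ICMP check explains why a tracert can still show "Destination host unreachable" from the local gateway until ICMP is allowed on its own.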