This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Route all foreign traffic through ipsec

Hello.

I live in a country where foreign traffic is charged but the isps don't charge for traffic from within the country.
What I'm trying to accomplish is to have a sophos utm redirect all foreign traffic through a ipsec tunnel to a central office and then from the central office it can go out to the internet. (Traffic from within the country can go out to the internet straight from the remote office.)

Could someone describe the best method of achiving this?

Thanks!

This thread was automatically locked due to age.

Parents

0 BAlfson over 9 years ago

If the "up" bandwidth in the Central office is higher than the "down" bandwidth in the Remote office, then there shouldn't be any difference in snappyness except for the slight amount created by en/decryption.

Be sure to use the AES 128 PFS policy for the tunnel.  Select 'IPsec encryption algorithm: AES 128 GCM (96 bit)'  if the processors running the two UTMs are capable of AES-NI.

Once you're doing that, you can start building a list of the foreign IPs used by your business.  That would give you an alternative to "Internet" in the tunnel.  I assume that foreign traffic is otherwise blocked for the Remote office, and that they would later need to request you to add new IPs occasionally.

If it's only web surfing you're worried about, the HTTP Proxy in the Remote office could use your UTM as the parent proxy instead of using a VPN.  You then could use a VPN only for specific, limited foreign traffic of other types.

There is no option at present for definitions by exception.  Even if there were, 815K IPs spread over 43 CIDR ranges probably would exceed the design specs for such an "exception group."  The suggestion on the Feature site has only four votes, so I wouldn't expect to see that soon. [;)]

There might be a way to accomplish the specialized routing you want at the command line, but it would certainly void any warranty or support from Sophos.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 9 years ago

If the "up" bandwidth in the Central office is higher than the "down" bandwidth in the Remote office, then there shouldn't be any difference in snappyness except for the slight amount created by en/decryption.

Be sure to use the AES 128 PFS policy for the tunnel.  Select 'IPsec encryption algorithm: AES 128 GCM (96 bit)'  if the processors running the two UTMs are capable of AES-NI.

Once you're doing that, you can start building a list of the foreign IPs used by your business.  That would give you an alternative to "Internet" in the tunnel.  I assume that foreign traffic is otherwise blocked for the Remote office, and that they would later need to request you to add new IPs occasionally.

If it's only web surfing you're worried about, the HTTP Proxy in the Remote office could use your UTM as the parent proxy instead of using a VPN.  You then could use a VPN only for specific, limited foreign traffic of other types.

There is no option at present for definitions by exception.  Even if there were, 815K IPs spread over 43 CIDR ranges probably would exceed the design specs for such an "exception group."  The suggestion on the Feature site has only four votes, so I wouldn't expect to see that soon. [;)]

There might be a way to accomplish the specialized routing you want at the command line, but it would certainly void any warranty or support from Sophos.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data