VPN: Site to Site and Remote Access Route single host internet traffic via IPSEC remote gateway

UTM Firewall requires membership for participation - click to join

Thread Info

State Not Answered
Locked Locked
Replies 7 replies
Subscribers 2 subscribers
Views 10159 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Route single host internet traffic via IPSEC remote gateway

RobertGareh over 9 years ago

Hello,

I've set up a s2s IPSEC tunnel beween 2 UTM9

Site 1 - 10.0.0.0/24 (UTM=10.0.0.1)

Site2 - 192.168.0.0/24 (UTM=192.168.0.1)

Both sites can see each other perfectly.

What i would like to do is have internet bound traffic from 10.0.0.4 routed over the ipsec tunnel and out via the gateway on the remote side.

I have tried configuring this in Policy routes, but it's not working for me.

Any pointers?

Thanks

This thread was automatically locked due to age.

Parents

0 BAlfson over 9 years ago
You can't use Policy Routes for IPsec VPNs unless you bind the IPsec Connection to an Interface - and then you will have a lot more work to do.

The easiest solution here would be to SNAT the traffic into a new tunnel:

Create a Host definition in both UTMs like "Phantom .0.4" = 10.0.4.4 (for example).

In Site 1, create a new S2S with "Phantom .0.4" in 'Local Networks' and "Internet" in 'Remote Networks'. Don't select 'Strict Routing'. Make a NAT rule 'SNAT : {10.0.0.4} -> Any -> Internet : from Phantom .0.4'.

In Site2, configure the new S2S with "Any" in 'Local Networks' and "Phantom .0.4" in 'Remote Networks'

Did that do what you needed?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 9 years ago
You can't use Policy Routes for IPsec VPNs unless you bind the IPsec Connection to an Interface - and then you will have a lot more work to do.

The easiest solution here would be to SNAT the traffic into a new tunnel:

Create a Host definition in both UTMs like "Phantom .0.4" = 10.0.4.4 (for example).

In Site 1, create a new S2S with "Phantom .0.4" in 'Local Networks' and "Internet" in 'Remote Networks'. Don't select 'Strict Routing'. Make a NAT rule 'SNAT : {10.0.0.4} -> Any -> Internet : from Phantom .0.4'.

In Site2, configure the new S2S with "Any" in 'Local Networks' and "Phantom .0.4" in 'Remote Networks'

Did that do what you needed?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 RobertGareh over 9 years ago in reply to BAlfson

Thanks Bob... that works with a masq rule on the internet side for Phantom > uplink interfaces
.

Internet browsing works for most, but I have found that some sites do not load - speedtest.net is a good example.

What could be stopping that do you think?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago in reply to RobertGareh

Robert, we have an unwritten rule here - one topic per thread - that helps others find answers in the future, helping to avoid new threads that ask the same question.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel