Route single host internet traffic via IPSEC remote gateway

Hello,

I've set up a S2S IPsec tunnel between 2 UTM9

Site 1 - 10.0.0.0/24 (UTM=10.0.0.1)

Site2 - 192.168.0.0/24 (UTM=192.168.0.1)

Both sites can see each other perfectly.

What I would like to do is have internet bound traffic from 10.0.0.4 routed over the IPsec tunnel and out via the gateway on the remote side.

I have tried configuring this in Policy routes, but it's not working for me.

Any pointers?

Thanks

This thread was automatically locked due to age.
  • You can't use Policy Routes for IPsec VPNs unless you bind the IPsec Connection to an Interface - and then you will have a lot more work to do.

    The easiest solution here would be to SNAT the traffic into a new tunnel:

    • Create a Host definition in both UTMs like "Phantom .0.4" = 10.0.4.4 (for example).
    • In Site 1, create a new S2S with "Phantom .0.4" in 'Local Networks' and "Internet" in 'Remote Networks'. Don't select 'Strict Routing'. Make a NAT rule 'SNAT : {10.0.0.4} -> Any -> Internet : from Phantom .0.4'.
    • In Site2, configure the new S2S with "Any" in 'Local Networks' and "Phantom .0.4" in 'Remote Networks'.

    Did that do what you needed?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob... that works with a masq rule on the internet side for Phantom > uplink interfaces.

    Internet browsing works for most, but I have found that some sites do not load - speedtest.net is a good example.

    What could be stopping that do you think?
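    To make the mechanics of Bob's answer and the masq rule above concrete, here is an added Python model (not code from the thread or from Sophos) of each UTM's SNAT rules followed by its IPsec traffic selectors. It assumes, as the trick itself does, that SNAT is applied before the selector lookup, models UTM's uplink-bound "Internet" definition as "not one of the two site LANs", and uses constructed addresses for Site 2's uplink and for a public web server.

    ```python
    from dataclasses import dataclass
    from ipaddress import IPv4Address, ip_address, ip_network

    ANY = ip_network("0.0.0.0/0")                 # UTM's "Any" / "Internet" network definition
    SITE1_LAN = ip_network("10.0.0.0/24")
    SITE2_LAN = ip_network("192.168.0.0/24")
    PHANTOM = ip_network("10.0.4.4/32")           # the "Phantom .0.4" host definition
    SITE2_UPLINK = "203.0.113.10"                 # constructed: Site 2's public uplink address
    WEB = "198.51.100.7"                          # constructed: a public web server

    def is_internet(dst: IPv4Address) -> bool:
        """UTM's 'Internet' definition is bound to the uplink; model it as 'not a site LAN'
        so that LAN-to-LAN traffic never matches the SNAT rules (assumption of this model)."""
        return dst not in SITE1_LAN and dst not in SITE2_LAN

    @dataclass
    class Utm:
        snat: list     # (match_src_net, new_src) rules for Internet-bound traffic, first match wins
        tunnels: list  # (tunnel_name, local_net, remote_net) IPsec selectors, first match wins

        def egress(self, src: str, dst: str) -> tuple:
            """Return (path, source address on the wire) for a packet leaving this UTM."""
            s, d = ip_address(src), ip_address(dst)
            for src_net, new_src in self.snat:            # SNAT is applied first (the thread's premise)...
                if s in src_net and is_internet(d):
                    s = ip_address(new_src)
                    break
            for tname, local, remote in self.tunnels:     # ...so the selectors see the rewritten source
                if s in local and d in remote:
                    return tname, str(s)
            return "default-gw", str(s)                   # no selector matched: this site's own uplink

    site1 = Utm(snat=[(ip_network("10.0.0.4/32"), "10.0.4.4")],        # 'SNAT {10.0.0.4} -> Internet : from Phantom'
                tunnels=[("s2s", SITE1_LAN, SITE2_LAN), ("phantom", PHANTOM, ANY)])
    site2 = Utm(snat=[(PHANTOM, SITE2_UPLINK)],                         # masq rule Phantom -> uplink (follow-up post)
                tunnels=[("s2s", SITE2_LAN, SITE1_LAN), ("phantom", ANY, PHANTOM)])

    def trace(host: str, dst: str) -> tuple:
        """Follow one packet Site 1 -> Site 2 -> Internet, plus the reply as Site 2 steers it."""
        out1 = site1.egress(host, dst)          # which tunnel Site 1 picks, and as which source
        out2 = site2.egress(out1[1], dst)       # Site 2 forwards it out of its own uplink
        back = site2.egress(dst, out1[1])       # reply, after the uplink masquerade is undone
        return out1, out2, back

    if __name__ == "__main__":
        print(trace("10.0.0.4", WEB))           # the SNATed host rides the phantom tunnel
        print(site1.egress("10.0.0.9", WEB))    # any other LAN host still leaves via Site 1's uplink
        print(site1.egress("10.0.0.4", "192.168.0.5"))  # LAN-to-LAN traffic is untouched
    ```

    Run with a source of 10.0.0.4 the packet only matches the "phantom" selector because its source has already become 10.0.4.4; the same host's traffic to 192.168.0.0/24 is not NATed and stays on the original tunnel.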

  • Robert, we have an unwritten rule here - one topic per thread - that helps others find answers in the future, helping to avoid new threads that ask the same question.

    Cheers - Bob
