
Route traffic through an IPsec VPN tunnel

https://support.sophos.com/support/s/article/KBA-000003863?language=en_US

Overview

This article describes the steps to route Sophos Firewall-initiated traffic through an IPsec VPN tunnel.


Product and Environment

Sophos Firewall - All supported versions

In the following example, a Sophos Firewall connects with another Sophos Firewall. The traffic generated by the branch office (BO) firewall is routed to the IP address 172.16.1.15 in the head office (HO) network.

Prerequisite

Create the policy-based IPsec connection between the BO and HO firewalls with a preshared key by following the steps in Sophos Firewall: Create a policy-based IPsec VPN connection using preshared key. The steps below assume that tunnel already exists.


Routing traffic through an IPsec VPN tunnel

  The procedure has two parts: add an IPsec route at the BO so that traffic the BO firewall itself generates for the HO host is sent into the tunnel, and apply a source NAT rule to that firewall-initiated traffic so that its source IP address is an internal address within the tunnel's local subnet rather than the WAN IP. Without the second part the packets do not match the tunnel's selectors.

  1. Access your Sophos Firewall console.
  2. Select Device Console.
  3. Run the following ipsec_route command to add an IPsec route to the destination host.

    Syntax:
    system ipsec_route add host <ipaddress> tunnelname <string>

    Example:
    system ipsec_route add host 172.16.1.15 tunnelname BO_to_HO

  4. Run the following advanced-firewall command to source-NAT the firewall-initiated traffic for that destination to the private LAN IP address. The interface and netmask parameters are optional; the example omits them.

    Syntax:
    set advanced-firewall sys-traffic-nat add|delete destination <destination IP address> [interface <interface>] [netmask <netmask>] snatip <SNAT IP address>

    Example:
    set advanced-firewall sys-traffic-nat add destination 172.16.1.15 snatip 172.16.2.1

  5. Go to the Gateway settings section of the BO IPsec configuration and add the BO WAN IP to the Local subnet field and the HO WAN IP to the Remote subnet field.

    The configuration above should also work when you set up DHCP relay over IPsec. See Sophos Firewall: Configure as a DHCP relay agent.
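The following is an added example, not code from Sophos or from this article. It generates the two console commands above for a given HO host and first checks that the destination lies inside the tunnel's remote subnet and the SNAT address inside its local subnet, which is the condition the source NAT step exists to satisfy. The tunnel selectors (local 172.16.2.0/24, remote 172.16.1.0/24) are assumptions made for illustration; the article only states the host 172.16.1.15, the SNAT IP 172.16.2.1 and the tunnel name BO_to_HO.

```python
"""Generate and sanity-check the Sophos Firewall console commands for
routing firewall-initiated traffic through a policy-based IPsec tunnel.

Added example, not Sophos code.  The selectors of tunnel BO_to_HO
(local 172.16.2.0/24, remote 172.16.1.0/24) are assumed values; the
emitted commands follow the 'system ipsec_route' and
'set advanced-firewall sys-traffic-nat' syntax shown in the article.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecTunnel:
    """Policy-based tunnel as seen from the BO side."""
    name: str
    local_subnet: ipaddress.IPv4Network   # BO-side selector (assumed)
    remote_subnet: ipaddress.IPv4Network  # HO-side selector (assumed)


def make_tunnel(name: str, local_cidr: str, remote_cidr: str) -> IpsecTunnel:
    """Build a tunnel description from CIDR strings."""
    return IpsecTunnel(name,
                       ipaddress.IPv4Network(local_cidr, strict=True),
                       ipaddress.IPv4Network(remote_cidr, strict=True))


def check_selectors(tunnel: IpsecTunnel, destination: str, snat_ip: str) -> list:
    """Return the reasons the route/NAT pair would not match the tunnel.

    An empty list means the destination is covered by the remote selector
    and the SNAT source by the local selector.  Anything else means the
    packets the firewall itself generates will not match the tunnel's
    selectors, which is exactly what the SNAT rule is meant to prevent.
    """
    dst = ipaddress.IPv4Address(destination)   # raises on a CIDR or junk
    src = ipaddress.IPv4Address(snat_ip)
    problems = []
    if dst not in tunnel.remote_subnet:
        problems.append(
            f"destination {dst} is outside the remote subnet "
            f"{tunnel.remote_subnet} of tunnel {tunnel.name}")
    if src not in tunnel.local_subnet:
        problems.append(
            f"snatip {src} is outside the local subnet "
            f"{tunnel.local_subnet} of tunnel {tunnel.name}; the traffic "
            f"would keep a non-internal source and miss the tunnel")
    return problems


def build_commands(tunnel: IpsecTunnel, destination: str, snat_ip: str) -> list:
    """Return the two console commands for one HO host, in the order the
    article applies them, after validating them against the selectors."""
    problems = check_selectors(tunnel, destination, snat_ip)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"system ipsec_route add host {destination} tunnelname {tunnel.name}",
        f"set advanced-firewall sys-traffic-nat add destination {destination} "
        f"snatip {snat_ip}",
    ]


if __name__ == "__main__":
    bo_to_ho = make_tunnel("BO_to_HO", "172.16.2.0/24", "172.16.1.0/24")
    for line in build_commands(bo_to_ho, "172.16.1.15", "172.16.2.1"):
        print(line)
    # A SNAT address taken from the WAN side (198.51.100.2 is a made-up
    # documentation address) is reported instead of being emitted.
    print(check_selectors(bo_to_ho, "172.16.1.15", "198.51.100.2"))
```

Paste the printed lines into the Device Console one at a time; the script only prepares and validates them, it does not talk to the firewall. Extending it to several HO hosts is a matter of calling build_commands once per destination with the same tunnel and SNAT address.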
