Static Routers over IPSEC tunnel
-
I have an IPSEC tunnel configured as follows.
Site A (Sophos XG) 192.168.40.0/22 to Site B (pfsense) 10.1.1.0/22
At site B I have a Zabbix install at 10.3.1.2 on a separate VLAN. I want this Zabbix instance to access the XG at Site A via SNMP.
I have altered the firewall at the Sophos XG end (Site A) but I need to configure the pfsense with, I presume, a static route? Or would it be as simple as a NAT port forward?
I'm a little unsure on the next steps, can anyone offer any guidance?
-
@nabberuk
Is it a routed IPSec or a policy based? Assuming it's the latter, you can only do that with BINAT inside IPSec phase 2, or add an additional phase 2 for the Zabbix.
-
Route based (I think), is there a way to tell from pfsense?
-
@nabberuk
Check the phase 2 mode.
-
@viragomann ah it's Tunnel IPv4
-
@nabberuk
So that's a traditional policy based tunnel as I assumed.
-
@viragomann So for the BINAT option I would add in the subnet of the Zabbix server?
-
@nabberuk
Exactly. Map it to any free IP within the local network.
Or add an additional phase 2. But this also needs to be done on the Sophos.
-
That may or may not work depending on how the Sophos handles duplicate P2 connections. It will appear to overlap the existing P2 at the Sophos end.
If you have control of both ends of the tunnel just add a new P2 to cover 10.3.1.0/24 (?) to 192.168.40.0/22. Or something more specific if you like.
Steve
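
The selector matching discussed in this thread, as an added example that is not part of any post: it checks which phase 2 entry (if any) would carry Zabbix's traffic, and whether each proposed option overlaps the existing P2. The XG address 192.168.40.1 and the BINAT address 10.1.1.250 are assumed values, not from the thread.

```python
import ipaddress

# Networks from the thread. strict=False because 10.1.1.0/22 has host bits
# set; as a selector it normalises to 10.1.0.0/22.
SITE_A = ipaddress.ip_network("192.168.40.0/22")
SITE_B = ipaddress.ip_network("10.1.1.0/22", strict=False)
ZABBIX = ipaddress.ip_address("10.3.1.2")
ZABBIX_NET = ipaddress.ip_network("10.3.1.0/24")    # the "/24 (?)" guess from the thread
XG_ADDR = ipaddress.ip_address("192.168.40.1")      # assumed XG address (not on the page)
BINAT_ADDR = ipaddress.ip_network("10.1.1.250/32")  # assumed free IP in Site B's LAN

EXISTING_P2 = [(SITE_B, SITE_A)]  # (local, remote) as seen from pfSense


def matching_p2(p2_list, src, dst):
    """Return the first (local, remote) pair whose selectors cover src -> dst."""
    for local, remote in p2_list:
        if src in local and dst in remote:
            return (local, remote)
    return None


def overlaps_existing(p2_list, new_local, new_remote):
    """True if a proposed pair overlaps an existing pair on both sides."""
    return any(new_local.overlaps(l) and new_remote.overlaps(r)
               for l, r in p2_list)


if __name__ == "__main__":
    # Zabbix sits outside the existing selectors, so its SNMP polls never enter the tunnel.
    print("existing P2 carries Zabbix:", matching_p2(EXISTING_P2, ZABBIX, XG_ADDR))
    # BINAT option: the translated selector sits inside 10.1.0.0/22 and overlaps the existing P2.
    print("BINAT selector overlaps:", overlaps_existing(EXISTING_P2, BINAT_ADDR, SITE_A))
    # Extra P2 option: a distinct selector, which has to exist on both ends.
    print("extra P2 overlaps:", overlaps_existing(EXISTING_P2, ZABBIX_NET, SITE_A))
    print("extra P2 carries Zabbix:",
          matching_p2(EXISTING_P2 + [(ZABBIX_NET, SITE_A)], ZABBIX, XG_ADDR))
```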