Routing all traffic over an IPsec tunnel (11.x)



Post by jono » 13 May 2008, 13:47

This How-to applies to:
  • Clavister cOS Core 11.x
This how-to assumes that you already have the Security Gateway and the IPsec tunnel up and running.

Topics covered in this how-to
  • Description of the scenario
  • Setting up the routing
  • Setting up the interfaces
Description of the scenario
In this scenario we have a remote office that is connected to the HQ over IPsec and we want all traffic to always go through the IPsec tunnel for everything the inside network wants to access. Utilizing the Virtual Router support in Clavister Security Gateway makes this possible.

NOTE: All traffic originating from the Security Gateway itself will always use <main>; that means that traffic like DNS queries, HTTP Poster, NTP and IPsec traffic will use the default gateway defined in that routing table.

Setting up the routes
First of all we need to set up the two different routing tables, <main> and <VR>.

Main Routing Table
The first thing to do is to remove all routes from the routing table that have nothing to do with the external network and the Internet, i.e. the internal routes in this case.
When this is done, you should have only two routes in the <main> routing table; it should look something like this:
[Image: Main_Routing_Table_Routes.png]
VR Routing Table
Now it's time to create a new Routing Table and give it a name (in this how-to we will use VR), and choose Only as the ordering.
[Image: Routing_Tables.png]
In this new routing table, add a route for the internal network and a route for all-nets over the VPN interface.
[Image: VR_Routing_Table_Routes.png]
Setting up the interfaces
When the routing tables are configured, the interfaces of the Security Gateway need to be configured as members of the different routing tables. As standard all interfaces are members of all routing tables, but in this scenario we want to force traffic from the VPN and inside to go only through the <VR> routing table. This is done by defining Virtual Routing Membership on the different interfaces.

For the ethernet interfaces we want to configure Wan as a member of the <main> routing table and Lan as a member of the routing table <VR>. This setting is found under the Virtual Routing tab of the interface.
[Image: Virtual_Routing_Wan-Lan.png]
In this picture example we are using the Wan interface.

IPSec Tunnels
For the IPSec interfaces we want to configure IPsec as a member of the Routing table <VR>.
[Image: Virtual_Routing_IPsec.png]

Alternative solution

It is also possible to solve this scenario without using additional routing tables, and that is by removing the default route from the <main> routing table and instead routing all-nets over the IPsec interface.
NOTE: The IPsec tunnel itself must have all-nets defined as remote network, or traffic will not be allowed through the tunnel.
You also need to add single host routes for these addresses:
  • The endpoint of the IPsec tunnel. Usually it also needs the gateway defined: RouteIPv4 Wan remotegw_ip gateway=My_ISP_gw_ip
  • Hosts such as the NTP server, Clavister's CSPN servers (which provide antivirus updates) etc., if they should not be accessed via the tunnel.
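To make the two designs in the post above concrete, here is an added example (not Clavister code, and not cOS Core configuration syntax) that models per-interface routing-table membership with a longest-prefix-match lookup. It reproduces both the <main>/<VR> design and the alternative single-table design, and checks the one thing that is easy to get wrong in the alternative: gateway-originated IPsec packets are looked up in <main>, so without the single-host route for the tunnel endpoint the endpoint itself is routed into the tunnel and the tunnel can never establish. All interface names, table names and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Constructed model of per-interface routing tables, as an added example.

This is not Clavister code and does not emit cOS Core configuration. It only
models a longest-prefix-match lookup plus the 'Virtual Routing membership'
idea from the how-to, so the two designs (a dedicated VR table versus
removing the default route from main) can be sanity-checked offline.
All addresses are RFC 5737 documentation ranges chosen for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None  # next hop; None for directly connected or tunnel routes


@dataclass
class RoutingTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, network: str, interface: str, gateway: Optional[str] = None) -> "RoutingTable":
        self.routes.append(Route(ipaddress.ip_network(network), interface, gateway))
        return self

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the most specific matching route wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
                best = r
        return best


@dataclass
class Gateway:
    tables: Dict[str, RoutingTable]
    membership: Dict[str, str]  # interface -> the one table it belongs to (ordering 'Only')

    def route_from(self, ingress: str, dst: str) -> Optional[Route]:
        """Forwarded traffic is looked up only in the table its ingress interface belongs to."""
        return self.tables[self.membership[ingress]].lookup(dst)

    def route_local(self, dst: str) -> Optional[Route]:
        """Traffic from the gateway itself (DNS, NTP, the IPsec packets) always uses main."""
        return self.tables["main"].lookup(dst)


# Constructed values: ISP next hop on Wan and the HQ tunnel endpoint address.
ISP_GW = "203.0.113.1"
HQ_ENDPOINT = "198.51.100.7"


def build_vr_design() -> Gateway:
    """Design 1: main keeps only the Wan routes, VR carries Lan and all-nets over IPsec."""
    main = RoutingTable("main").add("203.0.113.0/24", "Wan").add("0.0.0.0/0", "Wan", ISP_GW)
    vr = RoutingTable("VR").add("192.168.10.0/24", "Lan").add("0.0.0.0/0", "ipsec_hq")
    return Gateway({"main": main, "VR": vr}, {"Wan": "main", "Lan": "VR", "ipsec_hq": "VR"})


def build_single_table_design(with_endpoint_host_route: bool) -> Gateway:
    """Design 2 (alternative solution): one table, default route replaced by all-nets over IPsec."""
    main = (RoutingTable("main").add("203.0.113.0/24", "Wan")
            .add("192.168.10.0/24", "Lan").add("0.0.0.0/0", "ipsec_hq"))
    if with_endpoint_host_route:
        main.add(f"{HQ_ENDPOINT}/32", "Wan", ISP_GW)  # the single-host route the how-to calls for
    members = {i: "main" for i in ("Wan", "Lan", "ipsec_hq")}
    return Gateway({"main": main}, members)


def tunnel_endpoint_reachable(gw: Gateway, endpoint: str = HQ_ENDPOINT) -> bool:
    """The IPsec packets are gateway-originated, so they are routed via main.

    If main sends the endpoint into the tunnel itself, the tunnel can never come up.
    """
    r = gw.route_local(endpoint)
    return r is not None and not r.interface.startswith("ipsec")


if __name__ == "__main__":
    vr = build_vr_design()
    print("Lan -> Internet:", vr.route_from("Lan", "192.0.2.10").interface)  # ipsec_hq
    print("Wan -> Internet:", vr.route_from("Wan", "192.0.2.10").interface)  # Wan
    for flag in (False, True):
        g = build_single_table_design(flag)
        print("host route for endpoint:", flag, "-> tunnel endpoint reachable:", tunnel_endpoint_reachable(g))
```

Running the script shows Lan-sourced traffic resolving to the IPsec interface while Wan-sourced traffic stays on <main>, and the single-table design reporting the endpoint as unreachable until the /32 host route towards the ISP gateway is present, which is the check to repeat against the real route table before relying on the alternative solution.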


Re: Routing all traffic over an IPsec tunnel (11.x)

Post by mape » 20 Dec 2016, 12:18

Updated 2016-12-19