Routing and NAT for IPsec tunnels
Routing and Network Address Translation (NAT) configurations for site‑to‑site IPsec VPNs depend on the tunnel type and the traffic you want to send through the tunnels.
Learn about the automatically created routes and the routing and NAT settings you can configure on the web admin console and the CLI.
Routing
NAT rules don't change the firewall's routing decision. The firewall needs a route to the destination.
One of the following configurations is needed to route traffic:
- VPN routes: The firewall automatically creates these routes at the backend for policy-based IPsec connections.
- Static, SD-WAN, and dynamic routes.
- The ipsec_route command on the CLI for forwarded traffic. System-generated traffic doesn't require this command.
The routing precedence set on the CLI determines the type of route the firewall tries to match first. See Routing.
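To make the route-type precedence concrete, here is a small model of the lookup in Python. It is an added example written for this page, not the firewall's own code: the route tables, the tunnel name BO_Tunnel, the port names and the precedence orders are constructed, and the firewall's matching logic is only approximated (the route types are tried in precedence order, the first type holding any match wins, and the longest prefix decides within a type). The model also shows the first point of this section: a packet with no route is dropped whether or not a NAT rule matches it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One route-table entry: a destination prefix and where to send it."""
    prefix: ipaddress.IPv4Network
    via: str  # gateway address, interface, or IPsec tunnel name


# Constructed sample tables, one per route type. The "vpn" table stands for
# the routes the firewall creates for policy-based connections plus entries
# added with ipsec_route; "static" and "sdwan" are the other two route types
# named on this page. Prefixes and next hops are made up for the example.
TABLES = {
    "static": [
        Route(ipaddress.ip_network("10.20.0.0/16"), "gw 10.1.0.254"),
    ],
    "sdwan": [
        Route(ipaddress.ip_network("10.20.30.0/24"), "Port2"),
    ],
    "vpn": [
        Route(ipaddress.ip_network("10.20.30.0/24"), "tunnel BO_Tunnel"),
        Route(ipaddress.ip_network("192.168.50.10/32"), "tunnel BO_Tunnel"),
    ],
}


def lookup(dst, tables=TABLES, precedence=("static", "sdwan", "vpn")):
    """Return (route_type, Route) for dst, or None when no table matches.

    Model (assumption, simplified): route types are tried in the configured
    precedence order and the first type with any matching route wins, even
    when a lower-precedence type holds a more specific prefix. Within one
    type the longest prefix wins.
    """
    ip = ipaddress.ip_address(dst)
    for kind in precedence:
        matches = [r for r in tables.get(kind, ()) if ip in r.prefix]
        if matches:
            return kind, max(matches, key=lambda r: r.prefix.prefixlen)
    return None


def egress(dst, has_snat_rule=False, **lookup_args):
    """Describe where a packet to dst is sent.

    A matching NAT rule never substitutes for a route: with no route the
    packet is dropped, NAT rule or not.
    """
    hit = lookup(dst, **lookup_args)
    if hit is None:
        return "drop: no route (NAT rule present)" if has_snat_rule else "drop: no route"
    kind, route = hit
    return f"{kind} -> {route.via}"


if __name__ == "__main__":
    # Same destination, different precedence: the chosen route type changes.
    print(egress("10.20.30.5"))                                       # static -> gw 10.1.0.254
    print(egress("10.20.30.5", precedence=("vpn", "static", "sdwan")))  # vpn -> tunnel BO_Tunnel
    print(egress("192.168.50.10"))                                    # vpn -> tunnel BO_Tunnel
    print(egress("172.16.9.9", has_snat_rule=True))                   # drop: no route (NAT rule present)
```

Changing the precedence tuple is the model's stand-in for the precedence you set on the CLI; the host route for 192.168.50.10 shows the case the ipsec_route command covers, a single host reached only through a tunnel.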
NAT
Learn about the routing and NAT requirements for site-to-site IPsec VPNs.
NAT configurations for IPsec VPNs
You can configure NAT using one of the following configurations:
- IPsec connections: These include NAT settings.
- NAT rules.
- The sys-traffic-nat command on the CLI: Use it for system-generated traffic, that is, traffic the firewall itself generates, such as authentication and DHCP.
Use cases
| Use case | Route-based VPN (any to any subnets) | Policy-based VPN |
|---|---|---|
| Traffic to a host through existing IPsec tunnel | | |
| System-generated traffic: Authentication | sys-traffic-nat command. See Route authentication queries. | sys-traffic-nat command. See Route authentication queries. |
| System-generated traffic: DHCP relay | Currently, the firewall doesn't send DHCP relay information through route-based VPNs. | sys-traffic-nat command. See HO firewall as DHCP server and BO firewall as relay agent. See Send DHCP traffic over policy-based IPsec VPN to servers. |
| Same subnets on the local and remote firewalls | | |
Source translation for policy-based IPsec VPNs
Policy-based IPsec VPN traffic usually doesn't require source translation. If you do need to translate it, make sure the matching SNAT rule has Outbound interface set to Any. The firewall then translates the source to the Translated source specified in the SNAT rule.
This behavior applies even when you select Override source translation (SNAT) for specific outbound interfaces: the overrides are tied to named interfaces, so policy-based IPsec VPN traffic always gets the rule's base Translated source.
Note
When you set the Outbound interface to specific WAN ports instead of Any, the firewall doesn't apply the SNAT rule to policy-based IPsec VPN traffic. For example, the default SNAT rule's Outbound interface is automatically set to the firewall's WAN ports, so the rule doesn't apply to policy-based IPsec VPN traffic.
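The following Python model shows how the Outbound interface setting decides whether an SNAT rule is applied to policy-based IPsec VPN traffic, including the override case from the previous section. It is an added example for this page, not the firewall's rule engine: the rule names, subnets, addresses and port names are constructed, a packet leaving through a policy-based tunnel is represented by an egress value starting with "ipsec:", and rules are evaluated top to bottom with the first match winning (an assumption of the model).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SnatRule:
    """A source NAT rule as the page describes it.

    outbound_ports is None for "Any"; otherwise the set of WAN ports the rule
    is bound to. overrides holds per-interface translated sources configured
    with "Override source translation (SNAT)".
    """
    name: str
    source_net: ipaddress.IPv4Network
    outbound_ports: Optional[FrozenSet[str]]
    translated_source: str
    overrides: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    egress: str  # a WAN port such as "Port2", or "ipsec:<tunnel>" for policy-based VPN traffic


def is_policy_based_vpn(pkt: Packet) -> bool:
    return pkt.egress.startswith("ipsec:")


def rule_applies(rule: SnatRule, pkt: Packet) -> bool:
    """True when the rule's source and outbound interface both match the packet."""
    if ipaddress.ip_address(pkt.src) not in rule.source_net:
        return False
    if rule.outbound_ports is None:          # Outbound interface: Any
        return True
    if is_policy_based_vpn(pkt):             # bound to specific WAN ports: never matches VPN traffic
        return False
    return pkt.egress in rule.outbound_ports


def apply_snat(rules, pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (rule name, translated source); (None, original source) if no rule applies."""
    for rule in rules:
        if not rule_applies(rule, pkt):
            continue
        # Per-interface overrides are keyed by WAN port, so they never apply to
        # traffic that leaves through a policy-based tunnel.
        translated = rule.overrides.get(pkt.egress, rule.translated_source)
        return rule.name, translated
    return None, pkt.src


# Constructed rule set: a default-style rule bound to the WAN port, then a
# rule with Outbound interface "Any" that also carries an override for Port3.
RULES = [
    SnatRule("Default_SNAT", ipaddress.ip_network("10.1.0.0/24"),
             frozenset({"Port2"}), "203.0.113.10"),
    SnatRule("VPN_SNAT", ipaddress.ip_network("10.1.0.0/24"),
             None, "10.99.0.1", {"Port3": "198.51.100.7"}),
]


if __name__ == "__main__":
    print(apply_snat(RULES, Packet("10.1.0.25", "10.20.30.5", "ipsec:BO_Tunnel")))  # ('VPN_SNAT', '10.99.0.1')
    print(apply_snat(RULES, Packet("10.1.0.25", "198.51.100.1", "Port2")))          # ('Default_SNAT', '203.0.113.10')
    print(apply_snat(RULES, Packet("10.1.0.25", "198.51.100.1", "Port3")))          # ('VPN_SNAT', '198.51.100.7')
    print(apply_snat(RULES, Packet("172.16.5.5", "10.20.30.5", "ipsec:BO_Tunnel")))  # (None, '172.16.5.5')
```

The first call is the case this section is about: the rule bound to Port2 is skipped for the tunnel-bound packet, the "Any" rule matches, and its base Translated source is used rather than any override. Reordering the list or removing the "Any" rule leaves policy-based VPN traffic untranslated, which is the default-rule behaviour the note above describes.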