Route traffic through an IPsec VPN tunnel
Quote from mpachmann on 25 March 2025, 15:52:
https://support.sophos.com/support/s/article/KBA-000003863?language=en_US
Overview
This article describes the steps to route Sophos Firewall-initiated traffic through an IPsec VPN tunnel.
Product and Environment
Sophos Firewall - All supported versions
In the following example, a Sophos Firewall connects with another Sophos Firewall. The traffic generated by the branch office (BO) firewall is routed to the IP address 172.16.1.15 in the head office (HO) network.
Prerequisite
Configure a preshared key by following the steps in Sophos Firewall: Create a policy-based IPsec VPN connection using preshared key.
Routing traffic through an IPsec VPN tunnel
- Add an IPsec route at the BO.
- Apply a source NAT policy on its Sophos Firewall-initiated traffic so that its source IP address is internal.
- Access your Sophos Firewall console.
- Select Device Console.
- Run the following ipsec_route command to add an IPsec route to the host destination.
  Syntax:
  system ipsec_route add [host] [ipaddress] [tunnelname] [string]
  Example:
  system ipsec_route add host 172.16.1.15 tunnelname BO_to_HO
- Run the following advanced-firewall command to NAT the Sophos Firewall traffic to the desired public IP with the private LAN IP:
  Syntax:
  set advanced-firewall sys-traffic-nat [add|delete] [destination] {destination IP address} [interface] {interface} [netmask] {netmask} [snatip] {snat IP address}
  Example:
  set advanced-firewall sys-traffic-nat add destination 172.16.1.15 snatip 172.16.2.1
- Go to the Gateway settings section of the BO IPsec configuration and add the BO WAN IP to the Local subnet field and the HO WAN IP to the Remote subnet field.
The configuration above should also work when you set up DHCP relay over IPsec. See Sophos Firewall: Configure as a DHCP relay agent.
Related information
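The reason the SNAT step is needed, shown as a small model added here (not Sophos code and not part of the quoted article): a policy-based tunnel only protects packets whose source and destination fall inside its traffic selectors, and firewall-initiated traffic is sourced from the WAN address unless a sys-traffic-nat rule rewrites it. The WAN addresses and the 172.16.1.0/24 and 172.16.2.0/24 selectors are constructed assumptions; 172.16.1.15 and 172.16.2.1 come from the article.

```python
"""Model of policy-based IPsec selector matching for firewall-initiated traffic.
Added illustration only; it does not reproduce the Sophos Firewall data plane."""
import ipaddress

# Constructed values (assumed for this example, not taken from the article).
BO_WAN_IP = "203.0.113.10"
HO_WAN_IP = "198.51.100.20"
SELECTORS = {"local": ["172.16.2.0/24"], "remote": ["172.16.1.0/24"]}

# Values from the article: target host at the HO and the BO LAN address used for SNAT.
HO_HOST = "172.16.1.15"
SNAT_IP = "172.16.2.1"


def in_any(addr, networks):
    """True if addr lies in at least one of the given networks (a bare IP is a /32)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def matches_selector(src, dst, selectors):
    """True when the (src, dst) pair is covered by the tunnel's traffic selectors."""
    return in_any(src, selectors["local"]) and in_any(dst, selectors["remote"])


def egress_source(dst, snat_rules):
    """Source address the firewall stamps on its own traffic.

    snat_rules mirrors 'sys-traffic-nat add destination X snatip Y':
    the first rule whose destination covers dst wins, otherwise the WAN IP is used.
    """
    for rule in snat_rules:
        if in_any(dst, [rule["destination"]]):
            return rule["snatip"]
    return BO_WAN_IP


def tunnelled(dst, snat_rules, selectors=SELECTORS):
    """Return (source address used, whether the packet is eligible for the tunnel)."""
    src = egress_source(dst, snat_rules)
    return src, matches_selector(src, dst, selectors)


if __name__ == "__main__":
    rule = {"destination": HO_HOST, "snatip": SNAT_IP}
    print("without SNAT:", tunnelled(HO_HOST, []))       # ('203.0.113.10', False)
    print("with SNAT:   ", tunnelled(HO_HOST, [rule]))   # ('172.16.2.1', True)
    # Last step of the article: widen the selectors with both WAN addresses so that
    # traffic between the gateway addresses themselves is covered as well.
    wide = {"local": SELECTORS["local"] + [BO_WAN_IP],
            "remote": SELECTORS["remote"] + [HO_WAN_IP]}
    print("WAN to WAN:  ", tunnelled(HO_WAN_IP, [], wide))  # ('203.0.113.10', True)
```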