IPSec VPN as outbound Policy

Hello

I can’t see that this has been answered, unless someone can point me in the right direction of course.

I have a Balance 30 (6.3.1 build 3138) with an Active/Established IPsec VPN and I want to route, for example, all web traffic via the IPsec VPN. However regardless of the “Algorithm” I choose the Established IPsec VPN doesn’t show as an option to choose from. Am I missing something? Is there another way round this?

Any help would be appreciated.

Thanks in advance.

HarleyBoy

You can route traffic by using Outbound Policy if you are using a PepVPN/SpeedFusion tunnel.

Are you referring to routing HTTP/HTTPS to the IPSec tunnel? If so, this is not possible. If you wish to route all traffic to the IPSec tunnel, you may configure as below.


That’s a real problem for us. We’re planning to install 1 of these in each of the customer’s 30+ sites and each will point back to a 3rd party proxy server.

Is there any way of excluding certain traffic if we have to route all subnets through the VPN?

Can this be added in a future release?

Thanks

HarleyBoy

This can be achieved if HQ and remote sites are using PepVPN/SpeedFusion instead of an IPSec tunnel. Please consider using PepVPN/SpeedFusion.


Thanks but that’s not possible. As I have said, the “HQ” as you call it is a 3rd party we use as a proxy for web content filtering.

Unfortunately, you can’t achieve what you need in an IPSec tunnel. Below is the suggestion:

Clients —> New Balance router/PBR router (WAN1) —HTTP, HTTPS—> Existing Balance router —IPSec—> Remote IPSec router
--------------------------------------------------(WAN2) —> Internet

Hope this helps.


Hi @TK_Liew.

Since this topic was created a few years ago I have to ask again…

Is an option available in any of the latest firmware to enforce specific traffic (HTTP and HTTPS) through an IPSec tunnel in the outbound policy section (as we can do for PepVPN profiles)?

Thanks!!

@hcardenas

Just curious, is a third party device able to do the same feature?


Hi @sitloongs

At the moment there is no third party device… just the Balance 305 (85 units) balancing the connections.

The objective is to force HTTP and HTTPS traffic through an IPSec tunnel to Forcepoint. Any other traffic should be routed directly to the Internet (for example Office 365)… In the short-term future, there will be a SpeedFusion tunnel to a central office for the ERP system traffic.

Other third party devices do have this feature.

We attempted the workaround, as mentioned earlier in the thread, that was to have the remote networks as 0.0.0.0 with a mask of 0.0.0.0 but this obviously can’t select traffic based on service or port, it just sends the lot up the VPN. I should add also, certainly on the Balance 20’s and 30’s, routing all that traffic kills the CPU off and we saw the router report online offline on a regular basis throughout the day, such that this ended up not being a solution in the end unfortunately.

Hi @sitloongs

Is there any option of getting this feature in future firmware releases?

BTW, I forgot to answer your question… Even though we are not replacing a third-party device, as far as I know, other brands make use of an IPSec tunnel in “interface mode”, this way policy routes can be applied.

Thanks and best regards.

Feature filed but no ETA for now.


Noted with thanks @sitloongs

Best regards.

My company is also interested in this. We would like to be able to use IPSec VPN as an option in the Outbound Policies.