Avanet

Create an IPsec route on Sophos Firewall

Normally, Sophos Firewall detects which IPsec tunnel should be used to reach a destination network. With a classic policy-based IPsec tunnel, the remote network is already defined in the tunnel configuration. In some situations, however, you may still need to create an IPsec route manually.

Typical cases include incorrect route selection, overlapping routes, or a destination network that does not go through the expected IPsec tunnel but is sent toward the WAN or another route.

Requirements

  • Access to the Device Console, for example through SSH
  • Name of the IPsec tunnel
  • Destination host or destination network that should be reached through the tunnel
  • Active or correctly configured IPsec connection
  • Matching firewall rules for traffic between the local and remote network

If console access is not yet configured, see Connect to Sophos Firewall via SSH for the steps to connect and open the Device Console.

⚠️ An incorrect IPsec route can send traffic into the wrong tunnel or disrupt existing connectivity. Before changing it, verify the tunnel name, destination network and existing routes.

Policy-based or route-based VPN?

IPsec routes are mainly useful in policy-based IPsec scenarios when traffic is not mapped correctly to the tunnel. With route-based VPNs, you usually use static routes, SD-WAN routes or dynamic routing to the tunnel interface.

Sophos explains the IPsec concepts in the official documentation: IPsec connections - Sophos Firewall.

Show existing IPsec routes

Run the following commands in the Device Console, not in the Advanced Shell.

system ipsec_route show

Document the output before making changes. This makes it easier to verify whether a route was added or needs to be removed again.

Create an IPsec route for a host

If only a single host should be reached through a specific tunnel, use the host keyword.

Syntax:

system ipsec_route add host <host-ip> tunnelname <tunnelname>

Example:

system ipsec_route add host 10.33.46.69 tunnelname Azure_CH

Create an IPsec route for a network

If an entire network should be reached through the tunnel, use the net keyword. Note that the netmask is written in dotted form (for example 255.255.255.0), not as a CIDR prefix length.

Syntax:

system ipsec_route add net <network>/<netmask> tunnelname <tunnelname>

Example:

system ipsec_route add net 10.33.46.0/255.255.255.0 tunnelname Azure_CH

Sophos documents the commands here: ipsec_route - Sophos Firewall.
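Because the net form expects a dotted netmask and an overlapping route is one of the typical reasons for needing a manual IPsec route, a small helper that validates the destination, converts CIDR notation into the syntax shown above and flags overlaps with routes you documented from "system ipsec_route show" is useful. This is an added example, not code from Avanet or Sophos; the tunnel names Azure_CH and Site_B and the existing-route list are constructed, and the existing routes are entered by hand as (destination, tunnel) pairs because the exact output format of the show command is not given on this page.

```python
import ipaddress

def ipsec_route_command(action, destination, tunnelname):
    """Build a Sophos Device Console ipsec_route command line.

    action:      'add' or 'del'
    destination: a host IP ("10.33.46.69"), a CIDR network ("10.33.46.0/24")
                 or a network with dotted mask ("10.33.46.0/255.255.255.0")
    Returns the command string in the syntax used on this page. Strict
    parsing is deliberate: "10.33.46.69/24" raises ValueError instead of
    being silently rewritten to 10.33.46.0/24, which would route a different
    network than the one the admin typed.
    """
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    if not tunnelname or any(ch.isspace() for ch in tunnelname):
        raise ValueError("tunnelname must be a single token without spaces")
    net = ipaddress.ip_network(destination)      # strict=True by default
    if net.version != 4:
        raise ValueError("only IPv4 destinations are handled here")
    if net.prefixlen == 32:
        # Single host: use the host form, no netmask
        return f"system ipsec_route {action} host {net.network_address} tunnelname {tunnelname}"
    # Network: Sophos expects <network>/<dotted netmask>, not /<prefixlen>
    return f"system ipsec_route {action} net {net.network_address}/{net.netmask} tunnelname {tunnelname}"

def overlapping_routes(destination, existing):
    """Return the existing (destination, tunnel) entries that overlap the
    proposed destination, so the admin can see before adding a route whether
    a second tunnel would match the same traffic.

    existing: list of (destination, tunnelname) pairs copied by hand from
    the documented output of 'system ipsec_route show' (constructed here).
    """
    new = ipaddress.ip_network(destination)
    hits = []
    for dest, tunnel in existing:
        old = ipaddress.ip_network(dest)
        if old.overlaps(new):
            hits.append((str(old), tunnel))
    return hits

if __name__ == "__main__":
    # Constructed sample: two routes already present on the firewall
    current = [("10.33.0.0/16", "Azure_CH"), ("192.168.10.0/24", "Site_B")]
    print(ipsec_route_command("add", "10.33.46.69", "Azure_CH"))
    print(ipsec_route_command("add", "10.33.46.0/24", "Azure_CH"))
    print("overlaps:", overlapping_routes("10.33.46.0/24", current))
```

Run it before touching the console: if overlapping_routes reports a hit on a different tunnel than the one you intend, resolve that first, since the page's warning about sending traffic into the wrong tunnel applies exactly there.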

Remove an IPsec route

If the route is no longer required or was configured incorrectly, you can delete it again.

Remove a host route:

system ipsec_route del host <host-ip> tunnelname <tunnelname>

Remove a network route:

system ipsec_route del net <network>/<netmask> tunnelname <tunnelname>

Then check the list again:

system ipsec_route show

Test the change

After creating or removing an IPsec route, test the affected traffic deliberately:

  • Check reachability of the destination host or network with ping or traceroute
  • Check the Log Viewer for allowed or dropped traffic
  • Use Packet Capture if needed
  • Verify whether firewall rules and NAT rules match the intended traffic
  • If multiple routes match, check the Sophos Firewall routing priority

NAT note

An IPsec route defines the path into the tunnel. It does not replace firewall or NAT rules. If NAT is used in the IPsec scenario, verify the NAT configuration as well. Sophos explains routing and NAT for IPsec tunnels in the official documentation: Routing and NAT for IPsec tunnels.