
VPN remote network routing issue

Hi,
I have three company sites with one ASG120 and two ASG220, normally connected in a full mesh VPN topology.
I have defined three VPN connections: SiteA-SiteB, SiteA-SiteC, SiteB-SiteC.
Site A:
Local network: 192.168.100.0/24
Remote network: 192.168.99.0/24 (Site B)

Local network: 192.168.100.0/24
Remote network: 192.168.101.0/24 (Site C)

Site B
Local network: 192.168.99.0/24
Remote network: 192.168.100.0/24 (Site A)

Local network: 192.168.99.0/24
Remote network: 192.168.101.0/24 (Site C)


Site C
Local network: 192.168.101.0/24
Remote network: 192.168.100.0/24 (Site A)

Local network: 192.168.101.0/24
Remote network: 192.168.99.0/24 (Site B)

Now I would like to realize a star topology VPN network: SiteA-SiteB, SiteA-SiteC.
The hosts in Site C should be able to ping the hosts in Site B without a direct VPN connection.
I realized this:

Site A:
Local network: 192.168.100.0/24 and 192.168.101.0 (Site C)
Remote network: 192.168.99.0/24 (Site B)

Local network: 192.168.100.0/24
Remote network: 192.168.101.0/24 (Site C)

Site B
Local network: 192.168.99.0/24
Remote network: 192.168.100.0/24 (Site A) and 192.168.101.0/24 (Site C)

All the connections are UP (green), but I can't ping Site C from Site B. I can ping Site B and Site C from Site A.
The packet filter is set up to allow traffic from B to C.

Any help would be appreciated,

Alex


  • Now you want to do BAC?  This is the way to accomplish what you want:

    Site B: 192.168.99.0/24

    1 Remote Gateway

    Remote Gateway: [Public IP Site A]
    Remote Networks: 192.168.100.0/24 and 192.168.101.0/24
    Local Networks: 192.168.99.0/24


    Site A: 192.168.100.0/24

    2 Remote Gateways and 2 IPSec connections

    Remote Gateway: [Public IP Site B]
    Remote Networks: 192.168.99.0/24
    Local Networks: 192.168.100.0/24 and 192.168.101.0/24

    Remote Gateway: [Public IP Site C]
    Remote Networks: 192.168.101.0/24
    Local Networks: 192.168.100.0/24 and 192.168.99.0/24


    Site C: 192.168.101.0/24

    1 Remote Gateway

    Remote Gateway: [Public IP Site A]
    Remote Networks: 192.168.100.0/24 and 192.168.99.0/24
    Local Networks: 192.168.101.0/24

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Another solution could be to use a supernet at Site A:
    192.168.0.0/16
    At Site B and Site C, you point to this net.

    So it should be possible to ping from Site B to C and also to A,
    from every site to every site.
  • Hi akgolx, your solution works fine when the gateway is the only gateway in your LAN, but if your gateway lies in the same LAN, it does not work.

    For example:
    Site A:192.168.0.0/24, Public IP;
    Site B:192.168.1.0/24, in Site A, 192.168.0.80;
    Site C:192.168.2.0/24, also in Site A, 192.168.0.81;

    Once you add a VPN to Site B or C, you can't connect to any 192.168.0.0/24 address.

    Do you have any solutions?

    Arkle
  • Maybe I misunderstood some info, so I made a demo configuration in a lab:
    3x ASG120

    Site A
      192.168.0.0/24
      Official IP: x.x.x.x

    Site B
      192.168.1.0/24
      Official IP: y.y.y.y

    Site C
      192.168.2.0/24
      Official IP: z.z.z.z

    Step by step:

    Download the X.509 certificate from Site B, name it "FromSite-B", import it at Site A.
    Download the X.509 certificate from Site C, name it "FromSite-C", import it at Site A.
    Download the X.509 certificate from Site A, name it "FromSite-A", import it at Site B and Site C.

    Configuration at Site A:

    Site-to-site VPN
      IPsec
        Remote Gateways
          Name: site-B
          Gateway Type: Initiate connection
          Gateway: created with + GW-site-B
            IP: Official IP from site-B
            Interface: External-WAN (official IP from Site A)
          Authentication Type: Local X509 Certificate
          Certificate: FromSite-B
          Remote Network: LAN from Site-B

    Site-to-site VPN
      IPsec
        Connections
          Name: SiteA-to-SiteB
          Remote Gateway: Site-B
          Local Interface: External WAN
          Policy: AES256
          Local Networks: created with + Name: Supernet
            Type: Network
            Address: 192.168.0.0/16
            Interface: Internal
            Netmask: /16 (255.255.0.0)
          Auto packet filter: yes (if you want to check traffic, set no and configure a packet filter)
          Strict routing: no

    I did the same for Site-C.

    Next: configuration at Site B and Site C:

    Site-to-site VPN
      IPsec
        Remote Gateways
          Name: site-A
          Gateway Type: Initiate connection
          Gateway: created with + GW-site-A
            IP: Official IP from site-A
            Interface: External-WAN (official IP from Site B)
          Authentication Type: Local X509 Certificate
          Certificate: FromSite-A
          Remote Network: created with + Name: Supernet
            Type: Network
            Address: 192.168.0.0
            Interface: any
            Netmask: /16 (255.255.0.0)

    Site-to-site VPN
      IPsec
        Connections
          Name: SiteB-to-SiteA
          Remote Gateway: Site-A
          Local Interface: External WAN
          Policy: AES256
          Local Networks: Internal (Network)
          Auto packet filter: yes
          Strict routing: no

    This worked for me: ping from site-C to site-B ---> ok, vice versa ---> ok, site-A to site-C ---> ok.
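Added example, not from the thread or from Sophos: a small model of IPsec selector matching (a packet enters a tunnel only when its source is in one of that tunnel's local networks and its destination in one of its remote networks) applied to the original poster's star, the moderator's corrected star, and the overlap Arkle describes. Host addresses ending in .10 are constructed; the subnets and the 192.168.0.80 gateway address are the thread's own.

```python
from ipaddress import ip_address, ip_network

# Per site: peer name -> (local networks, remote networks) of the tunnel to that peer.
def next_hop(tunnels, src, dst):
    """Return the peer whose tunnel selectors match src->dst, or None if no tunnel matches."""
    s, d = ip_address(src), ip_address(dst)
    for peer, (locals_, remotes) in tunnels.items():
        if any(s in ip_network(n) for n in locals_) and any(d in ip_network(n) for n in remotes):
            return peer
    return None

def reachable(sites, route, src, dst):
    """True only if src->dst AND the reply dst->src match a tunnel at every hop of the route."""
    for hops, a, b in ((route, src, dst), (route[::-1], dst, src)):
        for here, nxt in zip(hops, hops[1:]):
            if next_hop(sites[here], a, b) != nxt:
                return False
    return True

def selector_contains(tunnels, addr):
    """Peers whose remote selector also covers addr (e.g. this gateway's own WAN address)."""
    return [p for p, (_, remotes) in tunnels.items()
            if any(ip_address(addr) in ip_network(n) for n in remotes)]

A, B, C = "192.168.100.0/24", "192.168.99.0/24", "192.168.101.0/24"
# Original poster's star: Site C untouched, and the hub's tunnel to C does not list B's network.
op_star = {
    "A": {"B": ([A, C], [B]), "C": ([A], [C])},
    "B": {"A": ([B], [A, C])},
    "C": {"A": ([C], [A])},
}
# Moderator's layout: each hub tunnel also carries the other spoke; each spoke lists both nets.
fixed_star = {
    "A": {"B": ([A, C], [B]), "C": ([A, B], [C])},
    "B": {"A": ([B], [A, C])},
    "C": {"A": ([C], [A, B])},
}
# Supernet variant as in Arkle's example: Site B's gateway sits inside Site A's 192.168.0.0/24.
supernet_B = {"A": (["192.168.1.0/24"], ["192.168.0.0/16"])}

if __name__ == "__main__":
    print(reachable(op_star, ["B", "A", "C"], "192.168.99.10", "192.168.101.10"))     # False
    print(reachable(fixed_star, ["B", "A", "C"], "192.168.99.10", "192.168.101.10"))  # True
    print(selector_contains(supernet_B, "192.168.0.80"))                                # ['A']
```

The first call fails at the hub because Site A has no tunnel whose local networks include 192.168.99.0/24 with Site C as the peer, which matches the poster's symptom; the last call shows the supernet selector swallowing the spoke gateway's own address.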