
Routing between 2 VLANs & VPN

Hello

Setup as follows:

eth0: Internal LAN, IP 192.168.1.1/24

eth5: Internal LAN, IP 192.168.2.1/24, VLAN 2

IPsec tunnel to the FritzBox, IP 192.168.3.1/24, via eth5

From a PC in VLAN 2, all devices in the FritzBox's network can be pinged.

From a PC without VLAN, i.e. with an IP 192.168.1.x, 192.168.2.1 can be pinged, but not 192.168.3.1.

How does the routing need to be configured in the Sophos??

Thanks in advance for any help.

Best regards
Jan



  • Hallo Jan,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    With a correctly-configured tunnel, all of the routing should be handled automatically by WebAdmin.  If doing #1 in Rulz shows that your pings are being blocked, check the selections on the 'ICMP' tab of 'Firewall'.  If that wasn't the issue, show us pictures of the Edits of the IPsec Connection and Remote Gateway - and the FritzBox VPN configuration.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, thank you for your reply. In ICMP everything is checked. Pictures and config are pasted below.

    How can I add the route to the FritzBox? What can I do better?

     

    vpncfg {
        connections {
            enabled = yes;
            conn_type = conntype_lan;
            name = "Sophos UTM";
            always_renew = yes;
            keepalive_ip = 192.168.2.1;
            reject_not_encrypted = no;
            dont_filter_netbios = yes;
            localip = 0.0.0.0;
            local_virtualip = 0.0.0.0;
            remoteip = 0.0.0.0;
            remote_virtualip = 0.0.0.0;
            remotehostname = "host1";
            localid {
                fqdn = "host2";
            }
            remoteid {
                fqdn = "host1";
            }
            mode = phase1_mode_idp;
            phase1ss = "all/all/all";
            keytype = connkeytype_pre_shared;
            key = "key";
            cert_do_server_auth = no;
            use_nat_t = no;
            use_xauth = no;
            use_cfgmode = no;
            phase2localid {
                ipnet {
                    ipaddr = 192.168.3.0;
                    mask = 255.255.255.0;
                }
            }
            phase2remoteid {
                ipnet {
                    ipaddr = 192.168.2.0;
                    mask = 255.255.255.0;
                }
            }
            phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
            accesslist = "permit ip any 192.168.2.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

  • I'm not familiar with the FritzBox, so maybe someone else can comment on whether you have a policy mismatch.  The FB config mentions 3des, but that's not a part of the UTM Policy.

    I suspect that "VPN Stores (Network)" in 'Local Networks' does not contain 192.168.1.0/24 and that that's your problem.  That also appears to be missing in the phase2remoteid section in the FB.

    In other words, 192.168.1.0/24 needs to be added to the tunnel.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
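The phase 2 selector check behind Bob's diagnosis, as an added example that is not part of the thread and not a Sophos or AVM tool: it models both peers' local/remote networks (the FritzBox side from the posted vpncfg; the UTM side is assumed to mirror it, so 192.168.1.0/24 is absent) and shows why a 192.168.1.x host cannot reach 192.168.3.1 until that network is added on both sides.

```python
from ipaddress import ip_address, ip_network

# FritzBox selectors from the thread: phase2localid = FB LAN, phase2remoteid = net behind the UTM.
FB_LOCAL = [ip_network("192.168.3.0/24")]
FB_REMOTE = [ip_network("192.168.2.0/24")]
# UTM 'Local Networks' / remote networks; assumed to mirror the FB, i.e. no 192.168.1.0/24.
UTM_LOCAL = [ip_network("192.168.2.0/24")]
UTM_REMOTE = [ip_network("192.168.3.0/24")]

OK = "ok: flow matches a phase 2 selector on both peers"
MISMATCH = "selector mismatch: the peers' local/remote networks do not mirror each other"
NO_SELECTOR = "no phase 2 selector covers this flow: add the source network on both peers"


def mirrored(utm_local, utm_remote, fb_local, fb_remote):
    """Each peer's local networks must be exactly the other peer's remote networks,
    otherwise the child SA for the extra network is never negotiated."""
    return set(utm_local) == set(fb_remote) and set(utm_remote) == set(fb_local)


def flow_in_tunnel(src, dst, local_nets, remote_nets):
    """True if a packet src -> dst leaving the UTM matches a (local, remote) selector pair."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in n for n in local_nets) and any(dst in n for n in remote_nets)


def diagnose(src, dst, utm_local, utm_remote, fb_local, fb_remote):
    """Explain why a ping from behind the UTM does or does not reach the FritzBox LAN."""
    if not mirrored(utm_local, utm_remote, fb_local, fb_remote):
        return MISMATCH
    return OK if flow_in_tunnel(src, dst, utm_local, utm_remote) else NO_SELECTOR


def add_network(nets, cidr):
    """Return a copy of a selector list with one more network (the proposed fix)."""
    return nets + [ip_network(cidr)]


if __name__ == "__main__":
    args = (UTM_LOCAL, UTM_REMOTE, FB_LOCAL, FB_REMOTE)
    for src in ("192.168.2.10", "192.168.1.10"):  # VLAN 2 host, then untagged LAN host
        print(f"{src} -> 192.168.3.1: {diagnose(src, '192.168.3.1', *args)}")
    # Fix from the thread: add 192.168.1.0/24 to the UTM Local Networks AND to the
    # FritzBox phase2remoteid (plus its accesslist); fixing only one side is a mismatch.
    fixed = (add_network(UTM_LOCAL, "192.168.1.0/24"), UTM_REMOTE,
             FB_LOCAL, add_network(FB_REMOTE, "192.168.1.0/24"))
    print(f"after fix: {diagnose('192.168.1.10', '192.168.3.1', *fixed)}")
```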