
UTM VPN Client Can't Access Site to Site VPN

We have an SG330 UTM9. I have configured Remote Access>SSL and can successfully connect from the laptop (VPN Client) to the internal network 192.168.1.0/24, however I can't ping a different subnet 10.0.0.0/24 which is on the site-to-site VPN. The IP pool I'm using is 10.30.10.0/24.

I can confirm Ping is enabled in firewall>ICMP

The remote access rule looks like this:

Users and Groups: Active Directory Users

Local Network: Any (for now)

Automatic Firewall Rule: Enabled

Advanced Settings:

Encryption Algorithm: AES-256-CBC

Auth Algorithm: SHA1

Key size: 2048

I can ping devices on 192.168.1.0/24

I can't ping 10.0.0.0/24 - destination net unreachable

Any pointers are appreciated.

  • This question has already been asked a lot and user Balfson has written a nice knowledge base article here.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • In Remote Access>SSL profile the local network has the subnet of Site B.

    I have run tracert on a laptop with the VPN client and it seems to complete, but through the external route. 10.1.0.6 is a server in MS Azure.

    Below are the results.

    C:\>tracert 10.1.0.6
    Tracing route to 10.1.0.6 over a maximum of 30 hops
      1    70 ms    41 ms    42 ms  172.16.1.1
      2  241.184-108-212.static.virginmediabusiness.co.uk [212.108.184.241]  reports: Destination net unreachable.
     
    Trace Completed
  • Did you also configure the VPN-ip pool inside the tunnel between site A and site B?


    I can't follow your ip-subnets. In your first post you say internal is 192.168.1.0/24 and remote is 10.0.0.0/24 and the IP pool is 10.30.10.0/24 (is this a VPN pool and if so which one?)

    Also your tracert shows 172.16.1.1 as a first gateway.

    If my first question up here doesn't solve your problem, then please add a drawing of your network layout including the subnets.


  • Apologies for the confusion, the ip-subnets are examples only.


    I configured the Virtual IP Pool in Remote Access>SSL>Settings, I have also put the VPN-IP Pool in site-to-site VPN>Connections (local networks).

  • The VPN pool should also be in site B's config as a remote subnet....


  • That did the trick, I completely forgot to check the remote side.

    Thank you.
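The fix in this thread is a traffic-selector problem: the SSL VPN pool has to appear in the site-to-site tunnel's local networks on site A and in the remote networks on site B, otherwise one direction of the flow is never carried by the IPsec SA and the client sees "destination net unreachable". The following added example (not Sophos code, not from any poster) models both ends of a tunnel with Python's standard `ipaddress` module and reports which side is missing the pool; it also generalises the check to every selector pair, so any asymmetric local/remote definition between two gateways is flagged. The subnets are the placeholders used in the thread (LAN A 192.168.1.0/24, site B 10.0.0.0/24, pool 10.30.10.0/24); the class and function names are the example's own.

```python
"""Check that an SSL VPN client pool is covered by the IPsec traffic
selectors on BOTH ends of a site-to-site tunnel.

Constructed example (not Sophos code); the subnets are the placeholders
used in the thread: LAN A 192.168.1.0/24, site B 10.0.0.0/24, pool 10.30.10.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class TunnelSide:
    """Traffic selectors as configured on one gateway of a site-to-site tunnel."""
    name: str
    local_networks: List[str]   # networks this gateway announces as "local"
    remote_networks: List[str]  # networks it expects to find behind the peer


def is_covered(network: str, selectors: List[str]) -> bool:
    """True if `network` lies entirely inside at least one selector.
    strict=True makes a selector with host bits set (a typo) raise ValueError."""
    net = ipaddress.ip_network(network, strict=True)
    return any(net.subnet_of(ipaddress.ip_network(s, strict=True)) for s in selectors)


def selector_mismatches(a: TunnelSide, b: TunnelSide) -> List[str]:
    """Report every local selector on one side that the peer does not list as remote.

    An IPsec SA only carries traffic both gateways agree on, so an asymmetric
    pair silently drops one direction of the flow."""
    problems = []
    for side, peer in ((a, b), (b, a)):
        for net in side.local_networks:
            if not is_covered(net, peer.remote_networks):
                problems.append(
                    f"{side.name} treats {net} as local but {peer.name} does not list it as remote"
                )
    return problems


def check_vpn_pool(pool: str, a: TunnelSide, b: TunnelSide) -> List[str]:
    """Findings explaining why a remote-access client in `pool` cannot reach site B.
    An empty list means the pool is routable across the tunnel in both directions."""
    findings = []
    if not is_covered(pool, a.local_networks):
        findings.append(
            f"{a.name}: pool {pool} missing from local networks (client packets never enter the tunnel)"
        )
    if not is_covered(pool, b.remote_networks):
        findings.append(
            f"{b.name}: pool {pool} missing from remote networks (replies to clients have no route back)"
        )
    return findings


LAN_A, LAN_B, POOL = "192.168.1.0/24", "10.0.0.0/24", "10.30.10.0/24"

# State described in the thread: pool added to the tunnel on site A only.
SITE_A_PARTIAL = TunnelSide("site-A", [LAN_A, POOL], [LAN_B])
SITE_B_ORIGINAL = TunnelSide("site-B", [LAN_B], [LAN_A])

# After the fix: site B also lists the pool as a remote network.
SITE_B_FIXED = TunnelSide("site-B", [LAN_B], [LAN_A, POOL])

if __name__ == "__main__":
    for label, b in (("before fix", SITE_B_ORIGINAL), ("after fix", SITE_B_FIXED)):
        print(label, check_vpn_pool(POOL, SITE_A_PARTIAL, b) or ["OK"])
        print(label, selector_mismatches(SITE_A_PARTIAL, b) or ["selectors symmetric"])
```

Run it as-is to see the "before fix" state produce exactly the finding this thread resolved (site B lacks the pool as a remote network) and the "after fix" state produce none. To audit a real pair of gateways, fill the two `TunnelSide` objects from each firewall's site-to-site connection definition; `selector_mismatches` then catches the same class of problem for any subnet, not just the remote-access pool.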