This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC Site-to-Site can't access all remote networks

Christopher Maldonado over 6 years ago

Hey all,

Can't seem to figure this out, I am sure it's something simple.

We have a NYC Office UTM 9 that has an IPSEC Site-to-site connection to a Texas office UTM 9.

----------------------------------------------------

NYC Office IPSEC Settings:

Local Networks:

NYC LAN 1 : 10.50.0.0/24

NYC LAN 2 : 10.80.0.0/24

NYC LAN 3 : 10.50.1.0/24

NYC LAN 4 (SSL VPN pool) : 10.242.2.0/24

Remote Gateway Name: TexasSophos

Remote Gateway settings:

Type: Initiate

Gateway : WAN address of the Texas Site

Preshared Key

VPN ID: IP Address

Remote Networks:

Texas Server LAN: 10.1.0.0/24

Texas Workstation LAN: 10.1.1.0/24

Texas Wifi LAN: 10.1.2.0/24

Texas Voice LAN: 10.1.3.0/24

----------------------------------------------

Texas Office IPSEC Settings

Local Networks:

Texas Server LAN: 10.1.0.0/24

Texas Workstation LAN: 10.1.1.0/24

Texas Wifi LAN: 10.1.2.0/24

Texas Voice LAN: 10.1.3.0/24

Remote Gateway Name: NYCSophos

Remote Gateway settings:

Type: Respond

Preshared Key

Remote Networks:

NYC LAN 1 : 10.50.0.0/24

NYC LAN 2 : 10.80.0.0/24

NYC LAN 3 : 10.50.1.0/24

NYC LAN 4 (SSL VPN pool) : 10.242.2.0/24

-----------------------------------------------------------------------

I am able to establish all SAs. The issue is that from a workstation on the NYC Office LAN 1 (lets say 10.50.0.56) I can only ping/access hosts on the Texas Server Lan : 10.1.0.0/24 and cannot reach any other of the Texas Lans (Workstation, VOIP or Wifi)

All of the Texas Lans are actual physical interfaces.

I know I am missing something! Help guys please :)

This thread was automatically locked due to age.

0 MrMojoRisin76 over 6 years ago

Sounds like you're missing firewall rules for ingress and egress traffic
Cancel
Vote Up 0 Vote Down

Cancel
0 Christopher Maldonado over 6 years ago in reply to MrMojoRisin76

I have 2 rules that allow any service from NYC networks to Texas network and vice versa
Cancel
Vote Up 0 Vote Down

Cancel
0 MrMojoRisin76 over 6 years ago in reply to Christopher Maldonado

Any Layer 3 switches in the mix? Are you using VLAN tagging at all? Is the default gateway of each LAN the UTM?
Cancel
Vote Up 0 Vote Down

Cancel
0 Christopher Maldonado over 6 years ago in reply to MrMojoRisin76

Texas is an inherited network. All unmanaged switches. Each LAN is a physically plugged into Ethernet ports on the UTM. They all show up as green interfaces. Do I set those interfaces default ipv4 gateway to 10.1.0.1 (the UTM address?) They are forced to be in uplink balancing if so.
Cancel
Vote Up 0 Vote Down

Cancel
0 MrMojoRisin76 over 6 years ago in reply to Christopher Maldonado

I don't believe so. Each default gateway should match the LAN interface they're connected to... so the 10.1.2.0/24 network gateway should be 10.1.2.1 (if the last octet is set to 1 for your gateways), so and so. The routing between the networks should all be handled by the UTM.
Cancel
Vote Up 0 Vote Down

Cancel
0 Christopher Maldonado over 6 years ago in reply to MrMojoRisin76

Yeah that's how I have it. Internally at Texas they can ping eachother but from the NYC office, I can only ping 10.1.0.0/24 network and not the other ones, trying to fix that and I'm lost.
Cancel
Vote Up 0 Vote Down

Cancel
0 MrMojoRisin76 over 6 years ago in reply to Christopher Maldonado

I think in this instance the firewall log will be your friend. Monitor your firewall log while you're trying to ping one of the non-responding networks in Texas and vice versa. What does it say? Can you post a screenshot of your firewall rules?
Cancel
Vote Up 0 Vote Down

Cancel
0 MrMojoRisin76 over 6 years ago in reply to MrMojoRisin76

Also, you may want to consider moving those UTM 9s to XG software. I've been using the XG platform for several months now and it's a much nicer interface, to me, than the UTM 9 software.
Cancel
Vote Up 0 Vote Down

Cancel
0 Christopher Maldonado over 6 years ago in reply to MrMojoRisin76

I appreciate this suggestion but I don't feel I need to switch to XG to fix this. I need to establish more ipsec connections to Texas and I need them to reach printers on the 10.1.1.0/24 network, I can't even seem to get it working from the 1 ipsec I have.

I need help :(
Cancel
Vote Up 0 Vote Down

Cancel
0 Christopher Maldonado over 6 years ago in reply to MrMojoRisin76

Something more interesting.

If I do a continuous ping to a machine on the 10.1.1.0/24 network, I get about 30-40 timed out requests and then I start getting replies. Once I see replies and try to ping the 10.1.0.0/24 network then I get timeouts...until 30 or 40 of them and then I get replies. So it seems like I can ping only 1 network at any given time and have to push continuous pings to start getting replies from other networks. Tried this with 10.1.2.0/24 network and the same thing. How can I get immediate replies from each when pinging them?
Cancel
Vote Up 0 Vote Down

Cancel