Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Subscribers 3 subscribers
  • Views 8429 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Three way site2site VPN

isard

Hi all together,

first of all: I am pretty new to Sophos UTMs so I might lack some basics you would otherwise expect me to have.

Currently I am planning a three-way site2site VPN connection.
Later on this will be expanded to connect 16 different locations all connecting to the HQ.
We decided against RED devices because all locations need to be as independent as possible.

Furthermore all locations share the same LAN subnet (172.17.0.0).

This leads directly to site2site VPN configurations between mostly SG115 firewalls.

At the moment I get the error:
cannot route -- route already in use for "X_location a to location b"
Bot sides are behind a router and NATed, but adding the local IP as VLAN-ID solved that as it seems.

From other posts I guess my failure lies within the assigned IP-Adresses on the interfaces.
LAN-Interface: 172.17.2.23/255.255.0.0
WAN-Interface: 172.17.2.22/255.255.0.0

So I will change the IP on the wan interface.
The question is: In wich way?

Will it work when all  locations (3 for now) have the same subnet on the WAN-Interface?
Example:

Location A
LAN-Interface: 172.17.2.23/255.255.0.0
WAN-Interface: 172.18.2.23/255.255.255.0

Location B
LAN-Interface: 172.17.2.24/255.255.0.0
WAN-Interface: 172.18.2.24/255.255.255.0

Location C
LAN-Interface: 172.17.2.25/255.255.0.0
WAN-Interface: 172.18.2.25/255.255.255.0

and so on...


Another idea is to split all connections evenly by using 255.255.255.248 on router and WAN-Interface of the firewall.
Later on it is planned that all offices should be able to contact AD, DNS etc. from the HQ.

I hope you could help me to clarify this problem because otherwise I already see myself driving between all offices for days :)

Thanks in advance!



This thread was automatically locked due to age.
Parents
  • +1

    You are going to have a hard time routing when all sites use the same subnet. You can only do it by NATTING al traffic to all sites into different subnets.

     

    I'm not sure I understand your IP-scheme; you are talking about having same subnet for every location both on LAN and WAN? Usually at least the WAN should have different IP-addresses.

    I'll try to give you a go in how to solve

    1) Best would be to change subnets on every site so every site had unique subnet. This will be by far the easiest solution which is also easy to understand when you need to change something later on.

    2) on HQ (172.17.0.0/16) create a VPN tunnel to site X. Configure a different subnet for site X (ie 172.18.0.0/16). Also create a different subnet for HQ (otherwise Site X cannot route to it, ie 172.1.0.0/16) and use this as local in HQ VPN connection.

    Also in HQ create a SNAT rule for traffic from internal (network) to 172.18.0.0/16 ("new" site x subnet) translate source to 172.1.0.0/16 ("new" HQ subnet). And create a DNAT rule in HQ traffic from 172.18.0.0/16 going to 172.1.0.0/16 change destination to 172.17.0.0/16 (real IP).

    At site X configure the VPN tunnel using the "new" IP-range as local (172.18.0.0/16) and 172.1.0.0/16 as remote.

    At site X create a SNAT rule traffic from Internal (Network) going to 172.1.0.0/16 change source to 172.18.0.0/16 and create a DNAT rule for the return traffic: Traffic from 172.1.0.0/16 going to 172.18.0.0/16 translate destination to 172.17.0.0/16 (Real IP).

    You will have to "make up" different subnets for all your sites and at every site make the required DNAT and SNAT rules. For HQ you can have only one NAT subnet (in my example 172.1.0.0/16) since this will be unique among all other subnets. If you also need to have all sites communicate to each other (and not just to HQ) then you will need to write even more NAT rules from every site to every other site.

    As you will see, it can be done but you will quickly become lost in all the NAT subnets, so best would really be to change subnets so every site has a unique subnet to start with.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Thanks for your help,

    that was pretty much what I feared :)

    Even with only all offices VPN to the HQ that would be a lot of NATs.
    I hoped for some nifty built-in solutions on the firewall itself when using Sophos on both ends.

    Guess thats what the REDs are for but sadly REDs are out of question as stated above.

    I will test a new subnetting form with a test device and report back if there are still issues.


    Thanks for clarification!

  • 0 in reply to isard

    As for the RED's and independancy for each site you could maybe configure it like this:

     

    On RED location have your clients point their default gateway not to the RED (which will fail whenever the RED tunnel is down), but to the perimeter device. Then in this device create static routes for HQ which reroute to the RED.

    This way normal internet will always work and will keep working when RED tunnel is down.

     

    Also you can create RED tunnels between 2 UTM devices! You can have 1 of the UTM's act as a RED server and the other as a RED client.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Thanks for the follow-up information about the RED, I will share that info internally.
    For clarification: With perimeter device you mean for example the router or similar?
    Just asking because of language/translation differences.

    About Sophos UTM with RED-Tunnel: I would love to.
    Sadly no avail since the existing licenses are just Basic Guard which do not allow for RED management.
    I guess both firewalls need to be licensed for RED usage (instead of only the one in the HQ for example)?
    Might as well ask our resellers but they do not seem to be well informed about sophos licensing (already sold us 2 instead of 1 license for a/p cluster for example).

    In the meantime I seperated the networks on a testing device.
    The VPN connection between HQ and test-device is now working, thanks again! :)

  • 0 in reply to isard

    Yes, perimeter device is the router or just any other firewall sitting in front of the RED.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Ok, thanks :)

    I will forward that information.

  • 0 in reply to isard

    Hi and welcome to the UTM Community!

    You might also be interested in

    How to tunnel between two UTMs which use the same LAN network range & More VPN between same subnets.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children
No Data
Unfiltered HTML