This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN over VPN, possibly with SNAT

Hello,

I want to do an IPSEC/IKE Client-Connection to a remote network, but over an existing Site-2-Site tunnel. And I only want to route this Client via Work-Network, not everything at home. For the remote network, it should appear as if the packets are coming from the work-network, although the client is in the home network.

It's like this:

Client@Home / Home-Network (192.168.1.0, Sophos 192.168.1.254) -> S2S -> Work-Network (10.10.10.0, Sophos 10.10.10.254) -> Remote-Network (public IP 193.10.1.1, non-manageable nor managed by me)

Client@Home is doing IPSEC/IKE VPN to the public IP of the Remote-Network.

So, what I'm doing:

I have a standard static route in place, saying: For connections to 193.10.1.1, use Gateway at work (10.10.10.254).

Now I'm thinking, what do I have to put into S2S networks, both local and remote. If anything at this point. All I want to is to establish a VPN-connection, not access any networks inside the tunnel - except the ones that are already set up, like the Home-Network and Work-Network, which are already in there obviously.

I also created the back-route for the Client, I set up a static route for Home-Networks to be the 192.168.1.254, though I don't think that's needed. At this point I am trying to connect the VPN from the Client with the Remote-Network over the Sophos at work. No-go.

I tried packet capture via CLI, monitoring the internal interface of the home Sophos, I see the packets, going from the client to the remote-network public IP, and then just the 2nd packet is already: publicIP sophos@home > client@homeIP: ICMP host "remote-publicIP" unreachable.

If I remove the routing via sophos@work, then VPN connects.

Please, am I missing something obvious?

Thank you.



This thread was automatically locked due to age.
Parents Reply Children