Hi, I have some VLANs in my network and created an Ethernet VLAN interface on the UTM, facing my LAN, for each VLAN,
as the gateway of each VLAN.
And for three weeks I have been setting up an IPsec S2S with two partners: one is using an ASA, the other one a Cisco ISR as VPN gateway. The tunnel is up on both sides, and it is green on the UTM. The remote LAN behind the ASA or the Cisco ISR can ping my LAN, but from my LAN (over the UTM) I cannot ping them (both).
I always get a "destination host unreachable" from the UTM interface linked to the LAN, which is the gateway.
I use a Sophos SG 210 and made an update to firmware 9.605-1.
Has none of you ever faced that issue?
Can anybody help me?
In reply to cheikh ka:
Hi and welcome to the UTM Community!
Please show us pictures of the Edits of the IPsec Connection and Remote Gateway. Also of the 'Site-to-site VPN Tunnel Status' with all details showing. Obfuscate IPs like 98.x.y37, 172.2x.y.17, 192.168.x.27.
Cheers - Bob
In reply to BAlfson:
I cannot show you the tunnel details because I am not at my office today,
but be sure the status of the tunnel is green and mentions SA established.
I don't understand what you mean by "Obfuscate IPs like 98.x.y37, 172.2x.y.17, 192.168.x.27"??
Do you mean by that to avoid using those IPs, to not use IPs like those (those are public IPs = 98.x.y37, 172.2x.y.17, and this is a private IP = 192.168.x.27)?
According to that, I should not use those public IPs on the UTM WAN interface facing the internet,
and I should not use this private one for my LAN or for the UTM interface facing my LAN?
I can now give you the info that my UTM WAN IP starts with 41.x.x.x, my LAN is something like 192.168.x.x/24, and the UTM interface IP linked to this LAN is 192.168.x.x.
And one of the partners with whom I am setting up the S2S is also using an IP like 192.168.y.y/32, and the other one uses IPs like 10.x.x.x.
Be sure everything is OK in how I set up the IPsec S2S tunnel: I set the policy first, after that the remote gateway, and at the end the connection.
I enabled the automatic firewall rule.
Waiting for news.
I first learned the word obfusquer when I lived in France. When I discovered we had obfuscate in English, I started using it here to describe how to hide people's exact IPs. So, instead of showing 220.127.116.11, obfuscate it like 98.x.y.37 - this is clearer than putting something like a.b.c.d or 18.104.22.168. That way, we know it's a public IP. Likewise we know that 192.168.x.27 represents a private IP. Obfuscate in a picture by marking through the octets represented by x and y.
Looking forward to seeing your pictures.
Cheers - Bob
I understand it well; it's just a way to hide the real IPs.
But I have some news which can maybe help members and Sophos engineers about the site-to-site from the UTM.
So, I experimented with some cases and found one which works:
- When I use an IP host (one host IP in my whole network range, which we declare as local or remote and which is linked to the UTM), I cannot ping the remote LAN, but the remote site can ping my hosts that we put in the tunnel settings, e.g. 192.168.X.70/32 or 192.168.X.240/28.
- When I use an IP network (my whole network range, which we declare as local or remote and which is linked to the UTM), we can both ping each other; things work well, e.g. 192.168.X.0/24.
I don't know why, but it's not normal; I repeated the scenario twice. How can you explain that?
Be aware that we both set the same host, range or network when configuring the tunnel.
What I forgot to add is:
when I uncheck the automatic firewall rule and don't set a manual firewall rule, I get responses to pings.
I don't like this scenario because then my whole network can communicate with the remote site, which is only a partner, not a branch office.
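The host-versus-network difference described in the post above is worth looking at in terms of IPsec traffic selectors. The "Local networks" and "Remote networks" of a site-to-site connection become the selectors of the child SA: a packet is only sent into the tunnel when its source address lies inside the local selector and its destination inside the remote selector; anything else is routed normally, and on a gateway with no other route to the partner's address space that ends as a "destination unreachable" from the gateway's LAN interface. The following is an added example, not code from the thread or from Sophos; it models that matching rule with Python's ipaddress module. The addresses are constructed placeholders in the same obfuscated style the thread uses (192.168.1.0/24 as the local LAN, 10.20.30.0/24 as the partner LAN) and are assumptions, not the poster's real configuration. It shows why a reply to a remotely initiated ping can succeed (the declared host answers with its own address as source, which is inside the /32 selector) while a ping started from another LAN host, or from the UTM's own interface address, never matches a host-only selector but does match a whole-network one.

```python
"""Added example (not from the thread): how IPsec traffic selectors decide
whether a packet is encapsulated into a site-to-site tunnel.

Assumptions (constructed, not the poster's real addresses):
  local LAN   192.168.1.0/24, gateway interface 192.168.1.1, declared host .70
  partner LAN 10.20.30.0/24, declared partner host 10.20.30.40
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

Selector = Tuple[str, str]  # (local network, remote network) of one child SA


def matching_selector(src: str, dst: str,
                      selectors: Iterable[Selector]) -> Optional[Selector]:
    """Return the first (local, remote) pair that covers src -> dst, or None.

    This is the core IPsec rule: both ends of the flow must fall inside the
    negotiated selector pair; a match on only one side is not a match.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in ip_network(local, strict=False) and d in ip_network(remote, strict=False):
            return (local, remote)
    return None


def classify(src: str, dst: str, selectors: Iterable[Selector]) -> str:
    """'tunnel' if src -> dst matches a selector, otherwise 'unreachable'.

    'unreachable' models a gateway that has no ordinary route to the partner
    LAN, so unmatched packets are answered with ICMP destination unreachable.
    """
    return "tunnel" if matching_selector(src, dst, selectors) else "unreachable"


# Scenario 1 (constructed): one host declared on each side, as in the post.
HOST_ONLY = [("192.168.1.70/32", "10.20.30.40/32")]
# Scenario 2 (constructed): the whole LAN declared on each side.
WHOLE_LAN = [("192.168.1.0/24", "10.20.30.0/24")]


def demo() -> dict:
    """Classify a few typical pings under both selector sets."""
    cases = [
        # reply of the declared host to a remotely initiated ping
        ("192.168.1.70", "10.20.30.40"),
        # ping from a different LAN host that is outside the /32 selector
        ("192.168.1.50", "10.20.30.40"),
        # ping sourced from the gateway's own LAN interface address
        ("192.168.1.1", "10.20.30.40"),
    ]
    return {
        (src, dst): (classify(src, dst, HOST_ONLY), classify(src, dst, WHOLE_LAN))
        for src, dst in cases
    }


if __name__ == "__main__":
    for (src, dst), (host_only, whole_lan) in demo().items():
        print(f"{src} -> {dst}: host-only selector = {host_only}, "
              f"whole-LAN selector = {whole_lan}")
```

When checking a real setup, compare the source address of the failing ping (a second LAN host, or the UTM interface if the test is run from the UTM itself) against the local network declared in the connection; only packets whose source is inside that object are candidates for the tunnel, regardless of whether the automatic firewall rule is enabled.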
Please show us pictures of the Edits of the IPsec Connection and Remote Gateway. Also of the 'Site-to-site VPN Tunnel Status' with all details showing.