IPsec VPN issue on UTM 9


Hi, I have some VLANs in my network and created an Ethernet VLAN on the UTM interface facing my LAN for each VLAN,

as a gateway for each VLAN.

Three weeks ago I set up an IPsec S2S with two partners; one is using an ASA, the other one is using a Cisco ISR as VPN gateway. The tunnel is up on both sides, and it is green on the UTM. The remote LAN over the ASA or Cisco ISR can ping my LAN, but from my LAN (over the UTM) I cannot ping them (both).

I always get a destination host unreachable from the UTM interface linked to the LAN, which is the gateway.

I use a Sophos SG 210 and made an update to firmware 9.605-1.

  • Hi,

    Has none of you ever faced this issue?

    Can't anybody help me?

  • In reply to cheikh ka:

    Hi and welcome to the UTM Community!

    Please show us pictures of the Edits of the IPsec Connection and Remote Gateway.  Also of the 'Site-to-site VPN Tunnel Status' with all details showing.  Obfuscate IPs like 98.x.y37, 172.2x.y.17, 192.168.x.27.

    Cheers - Bob

  • In reply to BAlfson:

    Hi,

    I cannot show you the tunnel details because I am not at my office today,

    but be sure that the status of the tunnel is green and says SA is established.

    I don't understand what you mean by "Obfuscate IPs like 98.x.y37, 172.2x.y.17, 192.168.x.27"??

    Do you mean by that to avoid using those IPs, not to use IPs like those (those are public IPs = 98.x.y37, 172.2x.y.17, and this is a private IP = 192.168.x.27)?

    According to that I should not use those public IPs on the UTM WAN interface facing the internet,

    and I should not use this private one for my LAN or for the UTM interface facing my LAN?

    I can now give you the info that my UTM WAN IP starts with 41.x.x.x and my LAN is something like 192.168.x.x/24, and the UTM interface IP linked to this LAN is 192.168.x.x.

    One of the partners with whom I am setting up the S2S is also using IPs like 192.168.y.y/32 and the other uses IPs like 10.x.x.x.

    Be sure everything is OK in how I set up the IPsec S2S tunnel: I set the policy first, after that the remote gateway, and at the end the connection.

    I enabled the auto firewall.

    Waiting for news.

  • In reply to cheikh ka:

    I first learned the word obfusquer when I lived in France.  When I discovered we had obfuscate in English, I started using it here to describe how to hide people's exact IPs.  So, instead of showing 98.111.222.37, obfuscate it like 98.x.y.37 - this is clearer than putting something like a.b.c.d or 1.2.3.4.  That way, we know it's a public IP.  Likewise we know that 192.168.x.27 represents a private IP.  Obfuscate in a picture by marking through the octets represented by x and y.

    Looking forward to seeing your pictures.

    Cheers - Bob

  • In reply to BAlfson:

    Hi,

    I understand it well; it's just a way to hide the real IPs.

    But I have some news which can maybe help members and Sophos engineers about the site-to-site from the UTM.

    So, I experimented with some cases and found one which works:

    - When I use an IP host (one host IP in my whole network range, which we declare as local or remote, which is linked to the UTM), I cannot ping the remote LAN, but the remote site can ping the hosts we put in the tunnel settings, e.g. 192.168.X.70/32 or 192.168.X.240/28

    - When I use an IP network (my whole network range, which we declare as local or remote, which is linked to the UTM), we can both ping each other and things work well, e.g. 192.168.X.0/24

    I don't know why, but it's not normal; I repeated the scenario twice. How can you explain that?

    Be aware that we both set the same host or range or network when configuring the tunnel.

  • In reply to cheikh ka:

    What I forgot to add is:

    When I uncheck the automatic firewall rule and don't set a manual firewall rule, I get responses to pings.

    I don't like this scenario because my whole network can communicate with the remote site, which is only a partner, not a branch office.

  • In reply to cheikh ka:

    Please show us pictures of the Edits of the IPsec Connection and Remote Gateway.  Also of the 'Site-to-site VPN Tunnel Status' with all details showing.

    Cheers - Bob