
VPN traffic question, two different WAN connections

Hello,

I will try to explain this as simple as possible:

I have two sites, Site1 (home) and Site2 (company). Both have Sophos UTM and they connect via a Site-2-Site tunnel.

Site1 has only one WAN connection, Site2 has two WAN connections, let's call them WAN1 and WAN2.

Site-2-Site tunnel is built between Site1 WAN and Site2 WAN2.

So, now it gets tricky:

At Site2, since we have two WAN connections, we run some services via WAN1 and some over WAN2.

From home, I connect to a specific address that's usually running off WAN2 at Site2 (work) - better said, the multipath is set to WAN2 by default, if there are no other multipath rules. But if I create a multipath rule telling it to connect via WAN1, then at work it's still possible to connect to that address, but not at home (via the Site-2-Site tunnel). If I turn off the multipath rule, I can connect to that address from home.

And to make things even more complicated, there is a NAT rule and additional address on the Site2 (work) Sophos, which translates the IP of the device attempting to connect to the address from my home address to the address of the company network.

Can you follow this? It seems like I'm missing some kind of path? Any ideas?



  • Hello Kosta,

    Does Auto-Failover IPsec VPN Connections answer your question?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    I don't think so.

    For one, I don't want to fail over to the secondary WAN on Site2. The tunnel should only be over a single link.

    Let me try to explain with IPs:

    Site1 (site-to-site tunnel): 192.168.1.0/24, GW .254, Wan1: 1.1.1.1

    Site2 (site-to-site tunnel): 172.16.1.0/24, GW .254, Wan1 (DSL): 2.2.2.2, Wan2 (LTE): 3.3.3.3

    Site3 (remote network on the internet): 8.8.8.8 (IPsec endpoint at Site3, connecting to even further networks)

    Site-to-site tunnel is built over 1.1.1.1 and 3.3.3.3.

    2.2.2.2 should not be used for any kind of tunnel. However, Wan1@Site2 (2.2.2.2) is being used to connect to 8.8.8.8 from Site2.

    Site1 should also be able to connect to 8.8.8.8, although over the Site2 network - the remote server, 8.8.8.8, should see an IP from Site2, even if I connect to 8.8.8.8 from Site1. But I don't want to do a full tunnel, only split.

    Maybe important to note, it's only some specific devices that do that, not the whole network.

    So, at home I have one of these devices (IP 192.168.1.95) trying to connect to site.google.com (another IPsec tunnel).

    What I did was add site.google.com on both sides of the site-to-site tunnel.

    I also created an additional address (172.16.1.26) at Site2, and two NAT rules, DNAT and SNAT to respectively translate traffic accordingly.

    On Site1, I created two policy routes telling it, if it wants to connect to 8.8.8.8, it should go over 172.16.1.254.

    So, if I understand it correctly, the path should be the following:

    192.168.1.95 tries to connect to 8.8.8.8, policy route says go over 172.16.1.254. Site2 receives the packet, translates it from 192.168.1.95 to 172.16.1.26, and sends it according to the multipath rule over 2.2.2.2. The packet returns, source being an additional address, DNAT translates the packet back to 192.168.1.95, and returns it to Site1.

    That's the theory at least. Very convoluted. And it's working, as long as I don't turn on Multipath Rule at Site2 to re-route traffic to 8.8.8.8 from the default 3.3.3.3 to go over 2.2.2.2.

    Multipath rules (Site2) are actually simple:

    Position1: Any - Any - 8.8.8.8 - WAN1 (this is the one I turn on or off)

    Position2 (lower): Any - Any - Any - WAN2

    The first thing I am trying to achieve is: ping 8.8.8.8 at Site1 should receive a reply. Currently it does not.
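The packet path described in the post above, as an added example that is not part of the original thread and not Sophos code: a toy model of the Site2 box in netfilter-style order (reverse NAT of replies before routing, tunnel and LAN routes before the ordered multipath rules, SNAT after routing with a connection-tracking entry for the return trip). The IPs, interface roles and the two multipath rules are taken from the post; the pipeline order, the interface names `lan`, `ipsec-site1`, `WAN1`, `WAN2`, and the assumption that tunnel routes win over the catch-all multipath rule are assumptions about a Linux-based firewall, not a description of Sophos UTM internals.

```python
# Added example (not from the thread, not Sophos code): a toy model of the
# Site2 forwarding path the post describes, in netfilter-style order:
#   1. PREROUTING  - reverse-NAT replies using a connection-tracking table
#   2. routing     - tunnel/LAN routes first, then ordered multipath rules
#   3. POSTROUTING - SNAT new flows and record them for the reply
# The IPs, interface roles and rule order come from the post; the pipeline
# order and the "tunnel routes beat multipath" precedence are assumptions
# about a Linux-based firewall, not a description of Sophos UTM internals.
from dataclasses import dataclass, replace
import ipaddress


def _matches(net: str, addr: str) -> bool:
    """True if addr is inside net, or net is the wildcard 'any'."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class MultipathRule:
    src: str        # source network or "any"
    dst: str        # destination network or "any"
    out_if: str     # interface the flow is pinned to
    enabled: bool = True


class Site2Firewall:
    def __init__(self, multipath, snat_src, snat_to, snat_dst):
        self.multipath = multipath        # evaluated top-down, first match wins
        self.snat_src, self.snat_to, self.snat_dst = snat_src, snat_to, snat_dst
        self.conntrack = {}               # (nat_src, dst) -> original src
        # Directly reachable networks: the LAN and the site-to-site tunnel
        # (assumed interface names, not from the post).
        self.routes = {"172.16.1.0/24": "lan", "192.168.1.0/24": "ipsec-site1"}

    def _route(self, pkt: Packet) -> str:
        # Longest-prefix match over connected/tunnel routes first.
        best = None
        for net, iface in self.routes.items():
            n = ipaddress.ip_network(net)
            if ipaddress.ip_address(pkt.dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, iface)
        if best:
            return best[1]
        # Otherwise the ordered multipath rules decide the egress WAN.
        for rule in self.multipath:
            if rule.enabled and _matches(rule.src, pkt.src) and _matches(rule.dst, pkt.dst):
                return rule.out_if
        return "no-route"

    def forward(self, pkt: Packet):
        """Return (packet as it leaves the box, egress interface)."""
        original_src = self.conntrack.get((pkt.dst, pkt.src))   # PREROUTING: is this a reply?
        if original_src is not None:
            pkt = replace(pkt, dst=original_src)                # undo the SNAT for the reply
        out_if = self._route(pkt)
        if _matches(self.snat_src, pkt.src) and _matches(self.snat_dst, pkt.dst):   # POSTROUTING
            self.conntrack[(self.snat_to, pkt.dst)] = pkt.src   # remember who to hand the reply to
            pkt = replace(pkt, src=self.snat_to)
        return pkt, out_if


def round_trip(rule1_enabled: bool) -> dict:
    """Push one request 192.168.1.95 -> 8.8.8.8 and its reply through the model."""
    fw = Site2Firewall(
        multipath=[
            MultipathRule("any", "8.8.8.8/32", "WAN1", enabled=rule1_enabled),  # Position1
            MultipathRule("any", "any", "WAN2"),                                 # Position2
        ],
        snat_src="192.168.1.95/32", snat_to="172.16.1.26", snat_dst="8.8.8.8/32",
    )
    req, req_if = fw.forward(Packet("192.168.1.95", "8.8.8.8"))
    rep, rep_if = fw.forward(Packet("8.8.8.8", req.src))   # reply addressed to the NAT address
    return {"request_src": req.src, "request_if": req_if, "reply_dst": rep.dst, "reply_if": rep_if}


if __name__ == "__main__":
    for enabled in (True, False):
        print("Position1 enabled" if enabled else "Position1 disabled", round_trip(enabled))
```

In the model the round trip succeeds with Position1 on or off: the request leaves as 172.16.1.26 via WAN1 or WAN2, and the reply is mapped back to 192.168.1.95 and routed into the tunnel. What the model deliberately leaves out is exactly where to look when the real box differs: whether 172.16.1.26 is masqueraded behind the egress WAN's public address, which WAN interface the reply actually arrives on, and whether the tunnel's selectors on both sides cover 8.8.8.8.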

  • I don't "see" this.  A picture of a hand-drawn diagram with IPs would help.

    Cheers - Bob
