
IPSec Tunnel Multi site to site

Hi

We are trying to set up VPN tunnels from 9 Branches to the Head Office XG Firewall.

The first tunnel set up with no problem; the second tunnel does not allow us to use the same local subnet on the XG Firewall.

Basically, all 9 Branches are set up with individual /24 networks and we want them to access the HO local range, which is also a /24 network.

 

Thanks

Shane



This thread was automatically locked due to age.
  • Hi,

    I'll ask the obvious question - do all the branch offices and H/O have the same local network range - e.g. 10.10.10.0/24?

    Shaun

  • Hi, Shane, and welcome to the UTM Community!

    In fact, you will want to post your question in the XG section as this has only a few people that also work on XG.

    That said, if you have the same subnet at each site, the first project should be changing subnetting so that there are no overlaps.  With the size of your organization, I would recommend using /24 subnets in 172.16.0.0/12.  Avoid using 192.168.0.0/16 subnets, reserving them for homes and public hotspots.  There's no point in using 10.0.0.0/8 subnets as those are more appropriate for large corporations and ISPs.

    IPv6 will solve these problems, but not tomorrow.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Every site will need a different subnet. If you stand back and think about it, if a host was on 10.10.10.50 at one site, how would the UTM know how to route it if it's confronted with multiple 10.10.10.0/24s? There would be all sorts of conflicts going on.

    You've got a golden opportunity to keep it really tidy here with a subnetting numbering convention, and do make sure you allow for expansion, i.e. further sites coming online as well as possible VLANs on the remote sites, etc.
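
The overlap check and numbering convention discussed in the replies above, as an added example that is not part of the original thread or any Sophos tooling. It assumes one /20 block per site carved from 172.16.0.0/12 (the /20 size is an assumption made here to leave room for VLANs); the site names and current addresses are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: two sites reuse the range mentioned in the thread.
CURRENT = {
    "HO": "10.10.10.0/24",
    "Branch1": "10.10.10.0/24",
    "Branch2": "10.10.20.0/24",
}


def find_overlaps(sites):
    """Return pairs of site names whose subnets overlap (and so cannot
    both be selected by IPsec policies on the same firewall)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def plan_sites(names, pool="172.16.0.0/12", block_prefix=20, lan_prefix=24):
    """Give every site its own block from the pool. The first /24 of the
    block is the site LAN; the rest stays free for VLANs and growth."""
    blocks = ipaddress.ip_network(pool).subnets(new_prefix=block_prefix)
    plan = {}
    for name in names:
        block = next(blocks, None)
        if block is None:
            raise ValueError("address pool exhausted; use smaller blocks")
        lan = next(block.subnets(new_prefix=lan_prefix))
        plan[name] = {"block": str(block), "lan": str(lan)}
    return plan


if __name__ == "__main__":
    print("Overlapping today:", find_overlaps(CURRENT))
    names = ["HO"] + [f"Branch{i}" for i in range(1, 10)]
    for site, alloc in plan_sites(names).items():
        print(f"{site:8} LAN {alloc['lan']:18} reserved {alloc['block']}")
```

A /12 pool holds 256 such /20 blocks, so the ten sites here use only a small part of it and later sites can follow the same convention.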