I am having an issue connecting (even pinging) remote hosts on the other side of a site-to-site IPsec VPN tunnel. I can't seem to troubleshoot it, even though everything was working fine a month ago.
Here's the setup: <192.168.1.0/24> - <UTM A> ===tunnel===<UTM B>-<192.168.30.0/24>
Both Sophos UTMs are completely up to date. Using pre-shared key. UTM A is initiating. The tunnel looks fine (establishes fine, says it's up under/green site-to-site), and I can access the webadmin for both UTM A and B from 192.168.1.0 (so some stuff is going through the tunnel just fine).
I can ping 192.168.30.1 (the UTM) from 192.168.1.0/24, but any other host is "destination unreachable". Tracert to 192.168.30.1 is fine, but tracert to 192.168.30.14 fails (and I know the host is up).
I thought the IPsec settings took care of all the routing, so I don't have any static routes or masquerading or NAT set up...it should just work, no? It did previously!
Anyone know how to troubleshoot? How would I check the routing tables in UTM B? Why are packets getting lost on their way from, say, 192.168.1.10 to 192.168.30.14?
Additional info that I think may be helpful:
1) I checked the Rulz - think I am good. Tried turning off IPS just in case, didn't seem to do anything.
2) I had "create automatic firewall rules" checked on both sides, and confirmed in webadmin that "any" rules should allow traffic for anything through the tunnel.
3) Any other ideas?
In reply to garpace:
Problem solved! Just so happens all the hosts I "knew" were up were on a dead switch at the remote site.