Site to site ipsec gives INVALID_ID_Information

I have two Sophos UTMs in two different networks. Both UTMs sit between an external and an internal subnet. I want both UTMs to be able to initiate the connection.

In the gateway settings, the gateway type for both is set to initiate the connection, and the gateway is the public IP of the other UTM. Remote networks contains the local IP of a host in the other network; right now I want to tunnel to one host only.

In the IPsec connection, the interface is set to external and the local network is a local host that will be allowed to be part of this tunnel. But the connection is not initializing.

 

I have similar local ip configuration at both places.

172.16.0.0/24  public subnet

172.16.1.0/24 private subnet

172.16.2.0/24 Application subnet

 

Right now I have only one instance running in each application subnet, both having IP 172.16.3.5

So in the gateway setting I have set up remote host 172.16.3.5

Also in the IPsec connection setting, the local network is set to 172.16.3.5

 

What is going wrong in setting up the connection?

 

When I go to Site-to-site it shows me:

 

SA: 172.16.3.5/32=172.16.1.5    54.206.44.20=172.16.3.5/32
VPN ID: 172.16.0.5
Error: No connection
 
SA: 172.16.3.5/32=172.16.1.5    52.220.147.113=172.16.3.5/32
VPN ID: 172.16.0.5
Error: No connection


  • Hi Raj and welcome to the UTM Community!

    I see two problems immediately:

    1. The VPN cannot be defined with the same subnet on both ends.
    2. The unit with "External (Address)" of 172.16.1.5 is behind a NAT and that disrupts the connection.

    If you need help fixing these things, insert pictures of the 'Advanced' tab and of the Edit dialogs for the IPsec Connection and the Remote Gateway from both sides.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
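    As an added illustration of the two problems named above (this is not code from the thread or from Sophos): a small Python check over the SA status lines quoted in the question, flagging a tunnel whose local and remote networks overlap and a gateway whose "external" address is private, i.e. sits behind NAT. The line layout parsed by the regex is assumed from the status output shown in the question.

```python
"""Sanity-check Sophos UTM site-to-site SA status lines for two common
misconfigurations: identical/overlapping subnets on both ends, and an end
whose external (gateway) address is private, meaning it is behind NAT.
Added example; the SA line format is assumed from the thread."""
import ipaddress
import re

# Constructed from the status lines quoted in the question.
STATUS_LINES = [
    "SA: 172.16.3.5/32=172.16.1.5    54.206.44.20=172.16.3.5/32",
    "SA: 172.16.3.5/32=172.16.1.5    52.220.147.113=172.16.3.5/32",
]

# "SA: <local_net>=<local_gw>    <remote_gw>=<remote_net>"
SA_RE = re.compile(
    r"SA:\s*(?P<local_net>[^\s=]+)=(?P<local_gw>[^\s=]+)"
    r"\s+(?P<remote_gw>[^\s=]+)=(?P<remote_net>[^\s=]+)"
)


def parse_sa(line):
    """Split one SA status line into addresses and networks."""
    m = SA_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised SA line: {line!r}")
    return {
        "local_net": ipaddress.ip_network(m["local_net"], strict=False),
        "local_gw": ipaddress.ip_address(m["local_gw"]),
        "remote_gw": ipaddress.ip_address(m["remote_gw"]),
        "remote_net": ipaddress.ip_network(m["remote_net"], strict=False),
    }


def check_sa(sa):
    """Return a list of human-readable problems found in a parsed SA."""
    problems = []
    if sa["local_net"].overlaps(sa["remote_net"]):
        problems.append("local and remote networks overlap: "
                        f"{sa['local_net']} vs {sa['remote_net']}")
    for role in ("local_gw", "remote_gw"):
        if sa[role].is_private:
            problems.append(f"{role} {sa[role]} is a private address, "
                            "so that end is behind NAT")
    return problems


def diagnose(lines):
    """Map each SA line to its list of problems (empty list = looks sane)."""
    return {line: check_sa(parse_sa(line)) for line in lines}


if __name__ == "__main__":
    for line, probs in diagnose(STATUS_LINES).items():
        print(line)
        for p in probs:
            print("   -", p)
```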
  • Hi,

     

    Thanks for the response. That issue is solved. But now I am stuck with load balancing. Our application servers will be connected via IPsec. I was wondering whether there is any internal support for that in Sophos. Basically I want all traffic coming from the other side to go to the load balancer, while traffic going out from our network should work normally. I tried putting the load balancer in the VPN. But the problem I am facing is that the AWS internal load balancer's private IP keeps changing. So the other side has to use a domain name to hit my application, which will not get resolved.

    Another option that I am thinking of is putting all application servers into the VPN, but defining a DNAT rule to change the destination to the load balancer's name. If everything works fine then my outbound traffic will work fine but incoming traffic will go through the load balancer. Is this possible? I am wondering what will happen to replies coming from the external network for the requests made by internal applications. Will they also go through the DNAT rule? Or does the DNAT rule not apply to response packets? Also, at what point are these rules applied, between the capturing of a packet by the interface and routing it again?

    These things may be obvious but I don't have much knowledge of networking.

     

    Thanks

  • I suspect you will need the help of a local networking consultant.  One of the unwritten rules here is "one topic per thread" - that's to make it easier for future members to find an answer to their question without starting a new thread that's already been answered.  Please ask your second question in a new thread in the VPN forum.  A simple diagram in your new thread would help others understand what you need to accomplish.

    Cheers - Bob
    PS Moving this thread to the VPN forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA