

Multiple site to site vpn tunnels and routing

I have multiple site-to-site tunnels going to UTM firewalls. I wonder how I can create routing to multiple IPs over VPN tunnels. My local branch office has 192.168.10.0/24 for LAN and 192.168.20.0/24 for secured Wi-Fi. In the main office I have multiple networks, 172.16.0.0/24, 172.21.0.0/24, 172.31.0.0/24 and 172.45.0.0/24, on one end of the tunnel. In my branch office I am running a UTM firewall. There is another site-to-site VPN tunnel with IPs 10.10.30.0/24, 10.10.10.0/24 and 10.10.50.0/24 in the main office. We also have multiple VPNs to other branches. I am in the process of replacing the old UTM firewall with a pair of HA XG 18v. How do I get routes? I don't see any in the routing table.



This thread was automatically locked due to age.
  • Hi Jack,

    are we talking about IPsec tunnels?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, I am using IPsec site-to-site VPN tunnels. I see there is an option to use interface VPN tunnels, but where do I put the local and remote IPs? What IP would I assign to the interface?

  • Hello Jack,

    that is one of the ugly things about IPsec: you have to have a so-called "SA" for every single network you want to "see" through an IPsec tunnel. This is not done with normal IP routing.

    So, if you have four networks A, B, C and D locally and three networks X, Y and Z remotely, you have to define 4 x 3 Security Associations (SAs):

    SA1:  A to X
    SA2:  A to Y
    SA3:  A to Z

    SA4:  B to X
    SA5:  B to Y
    SA6:  B to Z

    SA7:  C to X
    SA8:  C to Y
    SA9:  C to Z

    SA10: D to X
    SA11: D to Y
    SA12: D to Z

    You get me?
    This normally leads to concepts like "supernetting" or intermediate gateways to aggregate networks before you route them to the IPsec gateway, to reduce the number of SAs.

    But then you would need someone who really knows about IP and routing :-)

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
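The answer above says the selector count multiplies (local subnets x remote subnets) and suggests supernetting to cut it down. The script below, an added example that is not code from the original thread or from Sophos, works that out for the subnet lists the original poster gave and generalizes to any pair of subnet lists: it enumerates the per-pair SAs a policy-based tunnel would need, merges only what can be merged losslessly, and computes the single covering supernet for each side together with how many addresses outside the real LANs that supernet would pull into the tunnel. The function names and the subnet lists as Python constants are this example's own; the excess-address figure is the least-privilege caveat a practitioner should weigh before aggregating, because every address a selector admits is reachable end to end through the tunnel.

```python
"""Count IPsec traffic-selector pairs for a policy-based site-to-site
tunnel and show what aggregating into a supernet buys and costs.

Added example; not code from the original thread or from Sophos.
"""
from ipaddress import ip_network, collapse_addresses
from itertools import product

# Subnets as listed in the original post (constructed here as plain lists).
BRANCH_LANS = ["192.168.10.0/24", "192.168.20.0/24"]
MAIN_LANS = ["172.16.0.0/24", "172.21.0.0/24", "172.31.0.0/24", "172.45.0.0/24"]
MAIN_SECOND_TUNNEL = ["10.10.30.0/24", "10.10.10.0/24", "10.10.50.0/24"]


def sa_pairs(local, remote):
    """One Phase-2 SA (traffic-selector pair) per local x remote combination.

    Policy-based tunnels negotiate selectors per pair, not per prefix,
    so the count is the product of the two list lengths.
    """
    return [(ip_network(l), ip_network(r)) for l, r in product(local, remote)]


def lossless_aggregate(nets):
    """Merge only adjacent or nested prefixes, admitting no new address.

    Disjoint /24s such as 172.16/24 and 172.21/24 stay separate.
    """
    return list(collapse_addresses(ip_network(n) for n in nets))


def covering_supernet(nets):
    """Smallest single prefix that contains every network in nets."""
    nets = [ip_network(n) for n in nets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    return cover


def excess_addresses(cover, nets):
    """Addresses the supernet admits that belong to none of the real subnets.

    Assumes nets are disjoint. Each of these addresses becomes reachable
    through the tunnel, which is the least-privilege price of aggregation.
    """
    return cover.num_addresses - sum(ip_network(n).num_addresses for n in nets)


def aggregation_report(local, remote):
    """Compare exact, lossless-aggregated and single-supernet selector sets."""
    lcover, rcover = covering_supernet(local), covering_supernet(remote)
    return {
        "sa_pairs_exact": len(sa_pairs(local, remote)),
        "sa_pairs_lossless": len(lossless_aggregate(local)) * len(lossless_aggregate(remote)),
        "sa_pairs_supernet": 1,
        "local_supernet": str(lcover),
        "remote_supernet": str(rcover),
        "local_excess": excess_addresses(lcover, local),
        "remote_excess": excess_addresses(rcover, remote),
    }


if __name__ == "__main__":
    for name, remote in (("main office", MAIN_LANS), ("second tunnel", MAIN_SECOND_TUNNEL)):
        print(f"{name}:")
        for key, value in aggregation_report(BRANCH_LANS, remote).items():
            print(f"  {key}: {value}")
```

For the poster's main-office tunnel the exact approach needs 8 selector pairs, lossless merging changes nothing because none of the /24s are adjacent, and a single covering supernet on the main-office side is 172.0.0.0/10, which admits over four million addresses that are not on any of the four LANs. That is the trade-off behind the answer's suggestion: fewer SAs, or tight selectors.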

