This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG v19.5.2 IPsec VPN routing problems

I am having difficulty routing across our VPNs. I need Host1 and Host2 to be able to reach Alert11, Alert12, and Alert13, but currently that isn't happening. I can reach Gateway11, Gateway12 and Gateway13. The network looks like this:

          NetworkA 10.0.13.0/24
          Host1 10.0.13.57
          Host2 10.0.13.159
          |
          | vpn1
          |
MyCore    Network11 192.168.10.0/24
          Gateway11 192.168.10.1
          Alert11 192.168.10.3
          /              \
         / vpn2           \ vpn3
        /                  \
Network12                  Network13
192.168.21.0/24            192.168.23.0/24
Gateway12 192.168.21.1     Gateway13 192.168.23.1
Alert12 192.168.21.3       Alert13 192.168.23.3

On Gateway11 router:

   In the vpn1 configuration the local subnet includes Network11, Network12 and Network13. The remote subnet is NetworkA.

   In the vpn2 configuration the local subnet includes Network11 and NetworkA. The remote subnet is Network12.

   In the vpn3 configuration the local subnet includes Network11 and NetworkA. The remote subnet is Network13.

On Gateway12 router:

   In the vpn2 configuration the local subnet includes Network12. The remote subnet is Network11 and NetworkA.

On Gateway13 router:

   In the vpn3 configuration the local subnet includes Network13. The remote subnet is Network11 and NetworkA.

I don't have any static routes configured. I'm not really sure how to configure them, as Sophos doesn't go for examples anywhere in their documentation, but my experience has typically been that VPNs install their own routes into the routing table.

Another odd problem that occurred while working on this was that the host Alert11 could not be found or pinged from the Gateway11 router even though it is on the core network. I could ping the device from other devices on Network11, but not from Gateway11, and that just made no sense. I never quite found how to list the ARP table for an interface in the Sophos before it finally started working about 10 minutes later. Is the ARP table not available through the GUI, like the route table isn't?

The next odd problem is my route table contains routes for networks that I can't find the configuration for. What is tun0 and where is it configured?

  • Hello there,

    Thank you for contacting the Sophos Community.

    The ARP table can be seen if you go to Configure > Network > Neighbors (ARP-NDP) > Show = IPv4 neighbor cache.

    tun0 is the interface for the "routes" configured from the SSL VPN.

    Where is your Sophos Firewall located in your Network? Are all the devices involved Sophos devices?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Networks 11, 12 and 13 are XG and XGS routers. NetworkA is with a partner agency and I believe it is a SonicWall.

    I was able to get the network traffic flowing. I had to compare and correct the rules in addition to the VPN configuration. It took a while to realize that changing the VPN configuration doesn't update the rules that configuration created.

    I am working on closing out an installation that was dependent on the networking. Next week I will look at the routing table again and see if there are things I still need to clean up.
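The thread describes two distinct ways a hub-and-spoke IPsec setup like this one can fail: the traffic selectors (local/remote subnets) on one end of a tunnel not mirroring the other end, and the firewall rules on the hub not being updated after the VPN configuration changed. The following Python model is an added example, not code from the thread or from Sophos. It takes the subnets and tunnel selectors exactly as the original post lists them, treats each gateway's firewall as a first-match allow list with an implicit deny (a simplification of any real firewall), and traces a source/destination pair hop by hop, reporting whether it is stopped by a rule, by a selector mismatch, or delivered. The partner-side gateway ("GatewayA"), both Gateway11 rule sets, and the spoke rule sets are constructed for illustration and are labelled as such in the code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def covered(addr, subnets) -> bool:
    return any(addr in n for n in subnets)


@dataclass
class Tunnel:
    name: str
    local: List     # local traffic selectors (subnets behind this gateway)
    remote: List    # remote traffic selectors (subnets behind the peer)


@dataclass
class Rule:
    src: List
    dst: List
    action: str = "allow"


@dataclass
class Gateway:
    name: str
    lan: List                   # directly connected subnets
    tunnels: Dict[str, Tunnel]
    rules: List[Rule]           # ordered, first match wins, implicit deny

    def rule_allows(self, src, dst) -> bool:
        for r in self.rules:
            if covered(src, r.src) and covered(dst, r.dst):
                return r.action == "allow"
        return False

    def select_tunnel(self, src, dst) -> Optional[Tunnel]:
        # Policy-based IPsec matches the (src, dst) pair: traffic is only sent
        # into a tunnel if src is in a local selector AND dst in a remote one.
        for t in self.tunnels.values():
            if covered(src, t.local) and covered(dst, t.remote):
                return t
        return None


def trace(gws: Dict[str, Gateway], src_ip: str, dst_ip: str,
          max_hops: int = 8) -> Tuple[bool, List[str], str]:
    """Follow src->dst gateway by gateway; returns (reachable, path, reason)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    here = next((g for g in gws.values() if covered(src, g.lan)), None)
    if here is None:
        return False, [], f"{src} is not on any known LAN"
    path: List[str] = []
    for _ in range(max_hops):
        path.append(here.name)
        if not here.rule_allows(src, dst):
            return False, path, f"firewall rule on {here.name} blocks {src}->{dst}"
        if covered(dst, here.lan):
            return True, path, "delivered"
        t = here.select_tunnel(src, dst)
        if t is None:
            return False, path, f"no IPsec selector on {here.name} covers {src}->{dst}"
        peer = next((g for g in gws.values() if g is not here and t.name in g.tunnels), None)
        if peer is None:
            return False, path, f"{t.name} on {here.name} has no configured peer"
        pt = peer.tunnels[t.name]
        # The peer only accepts the flow if its selectors mirror ours.
        if not (covered(dst, pt.local) and covered(src, pt.remote)):
            return False, path + [peer.name], f"selector mismatch: {t.name} on {peer.name} does not cover {src}->{dst}"
        path.append(f"-{t.name}->")
        here = peer
    return False, path, "hop limit exceeded"


# Subnets exactly as listed in the original post.
NET_A, NET_11 = ip_network("10.0.13.0/24"), ip_network("192.168.10.0/24")
NET_12, NET_13 = ip_network("192.168.21.0/24"), ip_network("192.168.23.0/24")
ANY = [ip_network("0.0.0.0/0")]


def pair(a, b) -> List[Rule]:
    """Two allow rules so a flow works in both directions."""
    return [Rule([a], [b]), Rule([b], [a])]


# CONSTRUCTED: hub rules as they might have been left from the original
# spoke<->hub only setup (no NetworkA<->spoke rules).
STALE_RULES_GW11 = pair(NET_11, NET_A) + pair(NET_11, NET_12) + pair(NET_11, NET_13)
# CONSTRUCTED: the VPN-to-VPN rules that have to be added by hand on the hub.
FIXED_RULES_GW11 = STALE_RULES_GW11 + pair(NET_A, NET_12) + pair(NET_A, NET_13)


def build(rules_gw11: List[Rule], gw12_remote=(NET_11, NET_A)) -> Dict[str, Gateway]:
    """Topology from the post. GatewayA (partner side) is ASSUMED to mirror vpn1."""
    gws = [
        Gateway("GatewayA", [NET_A],
                {"vpn1": Tunnel("vpn1", [NET_A], [NET_11, NET_12, NET_13])}, [Rule(ANY, ANY)]),
        Gateway("Gateway11", [NET_11], {
            "vpn1": Tunnel("vpn1", [NET_11, NET_12, NET_13], [NET_A]),
            "vpn2": Tunnel("vpn2", [NET_11, NET_A], [NET_12]),
            "vpn3": Tunnel("vpn3", [NET_11, NET_A], [NET_13]),
        }, rules_gw11),
        Gateway("Gateway12", [NET_12], {"vpn2": Tunnel("vpn2", [NET_12], list(gw12_remote))},
                pair(NET_12, NET_11) + pair(NET_12, NET_A)),
        Gateway("Gateway13", [NET_13], {"vpn3": Tunnel("vpn3", [NET_13], [NET_11, NET_A])},
                pair(NET_13, NET_11) + pair(NET_13, NET_A)),
    ]
    return {g.name: g for g in gws}


if __name__ == "__main__":
    for label, gws in [("stale hub rules", build(STALE_RULES_GW11)),
                       ("fixed hub rules", build(FIXED_RULES_GW11)),
                       ("fixed rules, Gateway12 remote lacks NetworkA", build(FIXED_RULES_GW11, (NET_11,)))]:
        ok, path, why = trace(gws, "10.0.13.57", "192.168.21.3")   # Host1 -> Alert12
        print(f"{label:45} {'OK  ' if ok else 'FAIL'} {' '.join(path)}  [{why}]")
```

With the stale rule set, Host1 still reaches Alert11 (the hub rule NetworkA -> Network11 exists) but Host1 -> Alert12 is dropped on Gateway11 by the firewall even though every selector on the path is correct, which matches the thread's finding that the rules had to be corrected separately from the VPN configuration. Removing NetworkA from Gateway12's remote selector produces the other failure class, a selector mismatch, and the trace reports which gateway and tunnel to fix. When checking a real deployment, run the reverse direction as well; a one-way allow rule or a one-sided selector produces a tunnel that comes up but never carries return traffic.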