
Relay traffic from branch office site-to-site to remote site through head office

Good Day,

We have four site-to-site VPNs setup and working.

  • Site A (Head Office)
  • Site B (Branch Office 1)
  • Site C (Branch office 2)
  • Site D (External party (Fortinet) site)

Site A (Head Office) connects to Site D (external party) to allow us to communicate with Site D (the external party) and connect to their server. Note: we have NATed the Site A to Site D site-to-site VPN.

My issue is that users from Site B and C cannot communicate with the external party via the site-to-site VPN through Site A to the external party's Site D. The only way users from Site B and C are able to connect to Site D is via the (Windows Server) VPN to Site A.


How can I allow Site B and C to also communicate with Site D using Site A site-to-site VPN?



  • Hi Werner,

    Thank you for reaching out to Sophos Community.

    Have you tried to use any how-to videos, documentation, Sophos Assistant, or KBA to try to check the issue?

    Kindly check the following.

    • Are Site B & Site C allowed in the VPN tunnel going to Site D from Site A, and vice versa?
    • Are there any overlapping networks from Site B & C going to Site D?
    • Are Site B & C also being translated, since you have a NAT configured?
    • To verify the following, you may do a packet capture to check what is happening with the packet.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi,

    I've tried a few how-to videos and documentation. 

    Please see below to your questions you've asked:

    • Are Site B & Site C allowed in the VPN tunnel going to Site D from Site A, and vice versa?
    Site B & Site C are allowed to connect to Site A and vice versa. Should I then create an extra VPN tunnel for only Site B & C at Site A to allow traffic to flow to Site D, or edit the current VPN tunnel to allow traffic from Site B & C to go through Site A to Site D?

    The reason for asking this (I hope it makes sense) is that we cannot create additional VPN tunnels to Site D.
    • Are there any overlapping networks from Site B & C going to Site D?
    No overlapping networks all on different subnet networks

    • Are Site B & C also being translated, since you have a NAT configured?

    Only Site A is translated

    • To verify the following, you may do a packet capture to check what is happening with the packet

    I will try that from both Site B and C when trying to connect to Site D through A

  • Hi Werner,

    Thank you for the information.

    You don't need to create an additional tunnel for this. 

    Kindly update the Site A and Site D Configuration to allow Site B & C.

    You may also refer to the following for reference.

    Erick Jan

  • Hi,

    Please see below config of Site A, B and C:

    Site A: 10.0.0.0/16

    Site B: 172.16.0.0/16

    Site C: 172.17.0.0/16

    Site D: 10.83.x.x/32 NATed to site A.

    Would it work to update the site-to-site tunnels on Site A to allow Site D traffic to flow to Site B and C by adding the remote subnet to Site B and C, and vice versa? I only want to update Sites A to C and not change Site D.

  • Hi Werner,

    Have you tried the following KBs?

    Kindly try to configure your VPN tunnel from branches B & C to be translated to the Site A network. 

    To further assist you with all of your requirements, I would recommend reaching out to your Sales Partner or Sophos Professional Services.

    Erick Jan
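The two options discussed in this thread (extending the A-to-D tunnel's selectors, which needs Site D to change, versus source-NATing branch traffic into Site A's range so the existing selectors match) can be modelled as a small policy check. The following is an added example, not Sophos code or the poster's configuration; it uses the subnets given above, a constructed stand-in address for the elided 10.83.x.x host, and hypothetical NAT addresses inside Site A's range.

```python
from ipaddress import ip_address, ip_network

# Networks stated in the thread. Site D's host is elided as 10.83.x.x, so a
# constructed stand-in address is used for it here.
SITE_A = ip_network("10.0.0.0/16")
SITE_B = ip_network("172.16.0.0/16")
SITE_C = ip_network("172.17.0.0/16")
SITE_D = ip_network("10.83.1.1/32")        # constructed placeholder

# Option 1 (needs Site D's cooperation): selectors on the A<->D tunnel
# list every source network the external party must accept.
SELECTORS_EXTENDED = [(SITE_A, SITE_D), (SITE_B, SITE_D), (SITE_C, SITE_D)]

# Option 2 (Site A only): selectors stay as originally agreed with Site D ...
SELECTORS_ORIGINAL = [(SITE_A, SITE_D)]
# ... and a hypothetical hub-side NAT maps each branch into Site A's range
# before the packet is evaluated against the tunnel policy.
BRANCH_NAT = {SITE_B: ip_address("10.0.255.2"),   # constructed addresses
              SITE_C: ip_address("10.0.255.3")}


def apply_branch_nat(src):
    """Source-NAT a branch address into Site A's range; others pass unchanged."""
    for net, masq in BRANCH_NAT.items():
        if src in net:
            return masq
    return src


def forward_from_hub(src, dst, selectors, nat_branches=False):
    """Decide what Site A does with a packet heading for the A<->D tunnel.

    Returns ("forwarded", source address as seen by Site D) or
    ("dropped", reason). Mirrors policy-based IPsec: a packet is only
    encrypted into the tunnel if (src, dst) falls inside a traffic selector.
    """
    src, dst = ip_address(src), ip_address(dst)
    if nat_branches:
        src = apply_branch_nat(src)
    if any(src in local and dst in remote for local, remote in selectors):
        return ("forwarded", str(src))
    return ("dropped", f"{src}->{dst} matches no traffic selector on A<->D")


if __name__ == "__main__":
    for host in ("10.0.1.10", "172.16.1.10", "172.17.1.10"):
        print(host, forward_from_hub(host, "10.83.1.1", SELECTORS_ORIGINAL))
        print(host, forward_from_hub(host, "10.83.1.1", SELECTORS_ORIGINAL, nat_branches=True))
```

Running it shows branch hosts dropped under the original selectors, forwarded under either the extended selectors or the branch NAT; a packet capture on Site A's tunnel interface, as suggested earlier in the thread, is the real-world way to confirm which of the two cases you are in.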