I am trying to establish a Route based site-to-site IPSec VPN connection between two Sophos XG Firewalls (all fully up to date) - I followed this recipe.
I have two subnets on the 'HeadOffice' Firewall - 192.168.22.0/24 and 192.168.23.0/24 and I have set the firewall's port address to be .1 on each subnet.
192.168.22.0 has a single workstation with a static ip. 192.168.23.0 has many devices. I amended the 'recipe' to include the additional subnet.
I have a dhcp server on the .23 subnet, and I have tried both with and without a dhcp server for the .22 subnet.
The vpn comes up, and both ends indicate that there connectivity between both the .22 and .23 subnets and the 'BranchOffice'.
My problem is this:
From a workstation on the 'BranchOffice' setwork, I can reach all of the devices on the 'HeadOffice' the .23 subnet, and I can access all of the portal functions on the Firewall, but I cannot reach the workstation on the .22 subnet.
The 'BranchOffice' firewall's diagnostics correctly report that it is on xrfrm1, and is behind router 3.3.3.3.
The 'HeadOffice' firewall can ping the workstation, and a traceroute to it from a 'BranchOffice’ workstation gets as far as 3.3.3.3 but cannot get beyond that.
Do I need a seperate VPN for each subnet ? That does not seem to be indicated from the documentation, and at the moment, I just don't understand what is blocking my traffic to one subnet, but not the other. Is there some obvious thing I am missing ?
Edited TAGs
[edited by: Erick Jan at 11:59 PM (GMT -7) on 2 Jun 2024]
