
IPSec VPN allows traffic to one subnet, but not another.

I am trying to establish a Route based site-to-site IPSec VPN connection between two Sophos XG Firewalls (all fully up to date) - I followed this recipe.

I have two subnets on the 'HeadOffice' Firewall - 192.168.22.0/24 and 192.168.23.0/24 and I have set the firewall's port address to be .1 on each subnet.

192.168.22.0 has a single workstation with a static IP. 192.168.23.0 has many devices. I amended the 'recipe' to include the additional subnet.

I have a DHCP server on the .23 subnet, and I have tried both with and without a DHCP server for the .22 subnet.

The VPN comes up, and both ends indicate that there is connectivity between both the .22 and .23 subnets and the 'BranchOffice'.

My problem is this: 

From a workstation on the 'BranchOffice' network, I can reach all of the devices on the 'HeadOffice' .23 subnet, and I can access all of the portal functions on the Firewall, but I cannot reach the workstation on the .22 subnet.

The 'BranchOffice' firewall's diagnostics correctly report that it is on xrfrm1, and is behind router 3.3.3.3.

The 'HeadOffice' firewall can ping the workstation, and a traceroute to it from a 'BranchOffice' workstation gets as far as 3.3.3.3 but cannot get beyond that.

Do I need a separate VPN for each subnet? That does not seem to be indicated from the documentation, and at the moment, I just don't understand what is blocking my traffic to one subnet, but not the other. Is there some obvious thing I am missing?

  • Hi ml17

    Please check and verify the traffic flow under MONITOR & ANALYZE || Diagnostics || Packet Capture, passing from the same firewall rules, and the dropped packets.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • I tried the following from a Windows pc on the 'Branch' network: 

    tracert 192.168.23.2

    followed by 

    tracert 192.168.22.2

    The first resulted in traffic both ways, the second resulted in the same kind of traffic coming in to the 'HeadOffice' but nothing going back out.

    Almost as if 192.168.22.2 was down, however pinging it from the console on the 'HeadOffice' firewall works fine, so clearly it is up.

  • Hello,

    Please disable the Local Firewall of the device you are trying to ping.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • I am pretty sure it is disabled as it was working fine on the same NIC with a different VPN setup a week ago, admittedly that was on a different subnet, but it is a fairly newly built machine and I don't recall ever setting a rule to allow the old subnet.

    Also, I am not sure why it would respond to pings from the firewall itself but not from another device?

    Unfortunately, I can't check now, as it is 100 Miles away from where I am for the time being! 

    Having said all of that, it does kind of look like it might be the local firewall. I will check it when I am next at the site.

  • There was indeed a firewall running, and once I disabled it I regained connectivity.
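The symptom in this thread (the HeadOffice firewall at .1 can ping the workstation, a BranchOffice host arriving over the tunnel cannot) matches the default Windows Defender Firewall behaviour on the Private/Public profiles, where the built-in ICMPv4 echo rule is scoped to LocalSubnet. The PowerShell below is an added example, not from the thread or from Sophos: it lists the inbound ICMPv4 rules with their remote-address scope, then adds a single rule accepting echo requests only from the BranchOffice LAN instead of disabling the local firewall. The BranchOffice subnet (192.168.50.0/24) and the rule name are assumptions, since the thread never states them.

```powershell
# Added example (not from the thread). Assumption: the BranchOffice LAN behind the
# route-based IPsec tunnel is 192.168.50.0/24; replace with the real subnet.
$BranchSubnet = '192.168.50.0/24'

# 1. Show every enabled inbound ICMPv4 rule and the remote addresses it accepts.
#    A built-in "File and Printer Sharing (Echo Request - ICMPv4-In)" rule on the
#    Private profile shows RemoteAddress = LocalSubnet: the on-link firewall
#    (192.168.22.1) is allowed, a 192.168.50.x source over the tunnel is not.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Action        = $_.Action
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 2. Narrow fix: allow ICMPv4 echo requests (type 8) only from the BranchOffice
#    subnet, on the Domain and Private profiles, leaving the firewall enabled.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from BranchOffice VPN' `
    -Description 'Scoped allow for ping from the remote site over the IPsec tunnel' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $BranchSubnet -Profile Domain,Private -Action Allow

# 3. Confirm the new rule carries the intended scope.
Get-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from BranchOffice VPN' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run from an elevated PowerShell session on the .22 workstation; the same pattern (Protocol/port plus a RemoteAddress scope) applies to any other service the BranchOffice needs to reach.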
