Site-to-Site VPNs and VLANS

Hi,

We've run a flat lan for years at our main location.

We've recently updated our network and added a few new VLANS to the mix.

Now I have a problem. We have several Site-to-Site VPNs up and running that work great with our original VLAN1.

However, when I try to add our new VLAN subnets into the VPN configuration, the tunnels go down and will not come back up.

I've added the new VLAN Subnets to the Rules and policies already.

Can't figure out what I'm missing.

Edited TAGs
[edited by: emmosophos at 7:57 AM (GMT -7) on 8 Aug 2024]

Top Replies

LuCar Toni 1 month ago in reply to Randy Cleveland +1

You only adding networks to the local subnet (on both sites)? Can you share a screenshot of your changes? Because if you have a mismatch between only subnets, your tunnel should be yellow.

Parents

0 LuCar Toni 1 month ago

Are you using route based VPN or policy based VPN? What do you mean by "down"?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Randy Cleveland 1 month ago in reply to LuCar Toni

They are IPSEC site-to-site VPNs. The connection goes down and says it can't connect. I've made sure that it's re-activated on both ends, but the remote office won't connect.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 1 month ago in reply to Randy Cleveland

You only adding networks to the local subnet (on both sites)?

Can you share a screenshot of your changes?

Because if you have a mismatch between only subnets, your tunnel should be yellow.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Randy Cleveland 1 month ago in reply to LuCar Toni

I changed the remote office the same way, except the other direction. At that point the Site to Site for that location goes down and won't come back up.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Bharat J 1 month ago in reply to Randy Cleveland

Please confirm weather you have ipsec vpn between sophos to sophos firewall or other party firewall ?

Make sure you have access to both the firewalls

Make sure you add local and remote id at both the end this can be verified with logs.

Check logs as per the below link might help

https://support.sophos.com/support/s/article/KB-000038566?language=en_US

Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Randy Cleveland 1 month ago in reply to Bharat J

No 3rd Party firewalls are involved. Only Sophos firewalls.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Randy Cleveland 1 month ago in reply to Bharat J

I'm editing both firewalls, so why would I not have access to them?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Bharat J 1 month ago in reply to Randy Cleveland

If you have both the access you have to add local id remote id and vlan subnet on ipsec tunnel as well as you have to add on firewall rules to have communication

In your case first you add local and remote id and new vlan on local and remote subnet on both the firewall to make it work

exmaple

At HO

local subnet Remote subnet

Headoffice LAN Branch office LAN

new VLAN subnet

At BO

local subnet Remote subnet

Branch office LAN Head office LAN

New VLAN subnet

Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel

Reply

+1 Bharat J 1 month ago in reply to Randy Cleveland

If you have both the access you have to add local id remote id and vlan subnet on ipsec tunnel as well as you have to add on firewall rules to have communication

In your case first you add local and remote id and new vlan on local and remote subnet on both the firewall to make it work

exmaple

At HO

local subnet Remote subnet

Headoffice LAN Branch office LAN

new VLAN subnet

At BO

local subnet Remote subnet

Branch office LAN Head office LAN

New VLAN subnet

Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel

Children

0 Randy Cleveland 1 month ago in reply to Bharat J

That's exactly what I'm doing, and the tunnel goes down and will not re-connect.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 apijnappels 1 month ago in reply to Randy Cleveland

Check the vpn-log on both firewalls. It's likely that some useful information is logged in one or even both firewalls logs.

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Randy Cleveland 1 month ago in reply to Bharat J

I tried it again, and now the VPN comes up fine with the new subnet added.

Not sure why it would not work before.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Bharat J 1 month ago in reply to Randy Cleveland

As per the first screenshot new vlan was not added maybe without re establishing ipsec vpn tunnel back.

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Randy Cleveland 1 month ago in reply to Bharat J

Nope, I did it exactly as before (just like your example) and it worked this time.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel