
IPSEC VPN Routing traffic between multiples sites

Hi,

We need to establish a multiple site-to-site IPSEC VPN with an XG86w as the HQ.

Both remote sites have a TELTONIKA RUT240 router.

I am able to ping from HQ both remote sites, and from each remote site the HQ, but can’t ping a remote site from another remote site.

 

In the XG86w I have in the local subnet of each tunnel the local HQ network and the local network of the other remote site.

 

On the TELTONIKA RUT240 side, running ipsec status we can see that both are installed.

I'm clearly missing something.

Any help would be appreciated.

 

Alexandre



Added TAGs
[edited by: Raphael Alganes at 3:26 PM (GMT -7) on 7 Oct 2024]
  • Hi,

    Remote site A network 192.168.37.0/29

    192.168.37.1 (TELTONIKA in remote site A)

    192.168.37.2 (host in remote site A)

    Remote site B network 192.168.37.8/29

    192.168.37.9 (TELTONIKA in remote site B)

    192.168.37.10 (host behind TELTONIKA in remote site B)

    A ping from 192.168.37.2 to 192.168.37.9 or 37.10 results in these captures on the XG86.

    tcpdump 'proto 50' gives me nothing, but tcpdump 'host 192.168.37.2' gives me this.

    The interface is ipsec0, so I assume it is coming in through the IPsec VPN and arriving at the XG86, but there's only IN, not OUT, so returning to your previous comment, is the problem on TELTONIKA's side?

    But a ping from remote site A or B to a host in the XG86 LAN is successful and seen below.

    Thanks.

  • Please get in touch with me; I need to have a call to understand your topology and requirement. If not, you may have to raise a support case.

    Pinging between hosts of two spoke remote sites without having an IPsec tunnel between them, via the hub site (SFOS), does not work straight away, as IPsec is point to point; there could be workarounds to achieve this by having NAT configs on SFOS and by using some CLIs.

    The other option is to use route-based IPsec and BGP to achieve this, if the other vendor supports it.

  • You may try the below and let me know if this works for you:

    Example:

    On BO1 (TELTONIKA), IPsec tunnel should have

    - local subnet = A (its own local subnet)

    - remote subnet = B (local subnet of XG) and C (local subnet of BO2)

    On BO2

    - local subnet = C

    - remote subnet = A, B

    On HO, tunnel towards BO1

    - local subnet = B,C

    - remote subnet = A

    On HO, tunnel towards BO2

    - local subnet = A,B

    - remote subnet = C

    Then you should be able to ping a host of subnet C (BO2) from a host of subnet A (BO1).
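The reply above describes a policy-based (IKEv1) hub-and-spoke layout in terms of traffic selectors: a packet only enters a tunnel if its source and destination fall inside one of that tunnel's local/remote subnet pairs, so spoke-to-spoke traffic has to be covered on four hops (sending spoke out, hub in, hub out, receiving spoke in). The script below is an added example, not code from the thread, from Sophos or from Teltonika. It models that layout with the reply's A/B/C naming, using the two /29s given earlier in the thread for A and C; the HO LAN (B) is not stated anywhere in the thread, so 10.0.0.0/24 is a constructed placeholder, and the BAD configuration is a constructed misconfiguration for comparison.

```python
from ipaddress import ip_address, ip_network

# Subnet names follow the reply above: A = BO1 LAN, B = HO LAN, C = BO2 LAN.
# A and C are the /29s given earlier in the thread; B is not stated there,
# so 10.0.0.0/24 is a constructed placeholder.
SUBNETS = {
    "A": ip_network("192.168.37.0/29"),
    "B": ip_network("10.0.0.0/24"),
    "C": ip_network("192.168.37.8/29"),
}


def nets(names):
    """Expand a string of subnet letters ('BC') into network objects."""
    return [SUBNETS[n] for n in names]


# Policy-based (IKEv1) tunnels as in the reply: the selector set of a tunnel
# is the cross product of its local and remote subnets.
GOOD = {
    "BO1": {"HO": {"local": nets("A"), "remote": nets("BC")}},
    "BO2": {"HO": {"local": nets("C"), "remote": nets("AB")}},
    "HO": {
        "BO1": {"local": nets("BC"), "remote": nets("A")},
        "BO2": {"local": nets("AB"), "remote": nets("C")},
    },
}

# Constructed misconfiguration for comparison: the hub is right, but each
# spoke only lists the HO LAN as its remote subnet.
BAD = {
    "BO1": {"HO": {"local": nets("A"), "remote": nets("B")}},
    "BO2": {"HO": {"local": nets("C"), "remote": nets("B")}},
    "HO": GOOD["HO"],
}


def in_any(addr, subnets):
    return any(addr in n for n in subnets)


def matches(tunnel, src, dst, direction):
    """True if src/dst fall inside one of the tunnel's traffic selectors."""
    if direction == "out":
        return in_any(src, tunnel["local"]) and in_any(dst, tunnel["remote"])
    return in_any(src, tunnel["remote"]) and in_any(dst, tunnel["local"])


def spoke_for(addr, config):
    """Name of the spoke whose local subnets contain addr, or None."""
    for dev, tunnels in config.items():
        if dev == "HO":
            continue
        for t in tunnels.values():
            if in_any(addr, t["local"]):
                return dev
    return None


def trace(src_ip, dst_ip, config):
    """Walk spoke -> hub -> spoke and return [(hop description, matched)]."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    a, b = spoke_for(src, config), spoke_for(dst, config)
    if a is None or b is None or a == b:
        raise ValueError("trace() models spoke-to-spoke traffic only")
    return [
        (f"{a} out to HO", matches(config[a]["HO"], src, dst, "out")),
        (f"HO in from {a}", matches(config["HO"][a], src, dst, "in")),
        (f"HO out to {b}", matches(config["HO"][b], src, dst, "out")),
        (f"{b} in from HO", matches(config[b]["HO"], src, dst, "in")),
    ]


def first_failure(src_ip, dst_ip, config):
    """First hop whose selectors do not cover the packet, or None if all do."""
    for hop, ok in trace(src_ip, dst_ip, config):
        if not ok:
            return hop
    return None


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        for src, dst in (("192.168.37.2", "192.168.37.10"),
                         ("192.168.37.10", "192.168.37.2")):
            print(name, src, "->", dst, ":",
                  first_failure(src, dst, cfg) or "all hops match")
```

With the GOOD layout both directions match on every hop; with BAD the very first hop fails, because the spoke never selects the other spoke's subnet for the tunnel, which is what a single SA between spoke and hub looks like from the packet's point of view. The check only covers selectors: the decrypted traffic still has to be permitted by a VPN-to-VPN firewall rule on the hub, and a LAN-side forwarding problem on a spoke (the eventual finding later in this thread) is invisible to it.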

  • Hi,

    I've tried that also.

    On the TELTONIKA side (BO1 or BO2), if I do this the router cannot establish 2 SAs; only the BO1 to HO SA is established, the BO1 to BO2 SA can't be created, and in the HO/XG the connection stays in a yellow state.

    So, after reading up on the TELTONIKA side, on BO1 and BO2 I've created 2 tunnels, one from BO1 to HO and another from BO1 to BO2. This is the only way to establish 2 SAs, and on the HO side I can see both connections, all green.

    Same as for BO2.

    So I believe that the current configuration matches the one you have illustrated.

    Thanks,

    Alexandre

  • I've sent you a PM message to try to schedule a call, but have not received a response.

    Thanks,

    Alexandre

  • I have responded; you need to accept or turn on permissions so that my message will reach you.

  • Hello  ,

    Upon checking your account's settings, you will see that it is only accepting DMs from "Friends only." Kindly change the setting to "Everyone" so that Sreenivasulu or others who are not on your Friends list can send you a DM. Otherwise, you may need to add them to your friends list, and they must accept the request or vice versa before an exchange of messages can be successful. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello,

    Sorry for that. I've changed setting to allow receiving messages from everyone.

    Thanks,

    Alexandre

  • Hello,

    Sorry. I've changed settings to allow receiving messages.

    Thanks,

    Alexandre

  • Had quite a lengthy call with  , it turns out to be the bridge on the LAN side of the Teltonika router (on both BO1 and BO2) causing some inconsistent behaviour/issue. In all the debugging, with BO1's connected client pinging BO2's connected client, the ESPinUDP packets were seen egressing on SFOS towards BO2. BO2 (BO1) has a bridge on its LAN side; it sees the ICMP echo packet but does not forward it towards the client of BO1. Similarly when BO2's client pings BO1's client.

    Both BO1 and BO2 use /29 subnets on their LAN; later tried changing the subnet on BO1 to /24 and saw that the client of BO1 could ping BO2's client successfully, but the client of BO2 could not ping BO1's client, again something suspicious in the bridge of BO1.

    Tried rebooting both BO1 and BO2; then a ping from the client of BO1 to the client of BO2 is not placed into the tunnel by BO1.

    Suggested the below tcpdumps to look at on BO1 and BO2 (Teltonika routers; both are very primitive routers with a basic implementation of IKEv1 IPsec) to figure out what the issue could be while pinging from the BO1 client to the BO2 client or vice versa; also suggested using a /24 subnet on the bridge (LAN side) of BO1 and BO2:

    tcpdump -ni wwan0 udp port 4500 or icmp | grep <client ip of BO1 or BO2>

    tcpdump -ni br-lan | grep <client ip of BO1 or BO2>

    Although SFOS has no issue in receiving ESPinUDP packets from BO1 (decrypted packets are seen on ipsec0) and sends out ESPinUDP packets to BO2, the below commands on SFOS give the packet details:

    SFOS side tcpdump:

    tcpdump -n port 4500 or host <client ip of BO1 or BO2>

    tcpdump -ni ipsec0 host <client ip of BO1 or BO2> and icmp
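The two spoke-side captures above answer one question between them: did the echo request that arrived on br-lan actually leave wwan0 as ESP-in-UDP (port 4500) towards the hub? The script below is an added example, not code from the thread, from Sophos or from Teltonika; it parses `tcpdump -n` style lines from both interfaces and returns one of the verdicts a troubleshooter would want (no request on the LAN, request seen but not placed into the tunnel, encapsulated but no reply, ok). The sample capture lines are constructed to approximate tcpdump's output format; the client addresses come from the thread, while the BO1 WAN address 203.0.113.5 and hub address 198.51.100.7 are documentation-range placeholders.

```python
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts kind src dst")

# One tcpdump -n line: timestamp, "IP", src[.port] > dst[.port]: rest
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse(line):
    """Classify a capture line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ICMP echo request"):
        kind = "echo_req"
    elif rest.startswith("ICMP echo reply"):
        kind = "echo_rep"
    elif m["dport"] == "4500" and "ESP" in rest:
        kind = "esp_udp"          # ESP-in-UDP (NAT-T) payload
    else:
        kind = "other"            # e.g. NAT-T keepalives, IKE, unrelated traffic
    return Pkt(m["ts"], kind, m["src"], m["dst"])


def diagnose(lan_lines, wan_lines, client, peer_client, wan_ip, peer_gw):
    """Correlate br-lan and wwan0 captures for one ping from client to peer_client."""
    lan = [p for p in map(parse, lan_lines) if p]
    wan = [p for p in map(parse, wan_lines) if p]
    reqs = [p for p in lan
            if p.kind == "echo_req" and p.src == client and p.dst == peer_client]
    if not reqs:
        return "no echo request from client on br-lan"
    t0 = reqs[0].ts   # same-day timestamps compare correctly as strings
    egress = [p for p in wan
              if p.kind == "esp_udp" and p.src == wan_ip and p.dst == peer_gw
              and p.ts >= t0]
    if not egress:
        return "echo request seen on br-lan but not placed into the tunnel"
    replies = [p for p in lan
               if p.kind == "echo_rep" and p.src == peer_client and p.dst == client]
    if not replies:
        return "encapsulated towards peer but no echo reply back on br-lan"
    return "ok"


# Constructed sample captures (not real output from the thread's routers).
# BO1 client 192.168.37.2 and BO2 client 192.168.37.10 are from the thread;
# 203.0.113.5 (BO1 WAN) and 198.51.100.7 (hub) are placeholders.
LAN_HEALTHY = [
    "10:00:00.100000 IP 192.168.37.2 > 192.168.37.10: ICMP echo request, id 7, seq 1, length 64",
    "10:00:00.180000 IP 192.168.37.10 > 192.168.37.2: ICMP echo reply, id 7, seq 1, length 64",
]
WAN_HEALTHY = [
    "10:00:00.100500 IP 203.0.113.5.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x0c0ffee1,seq=0x1), length 132",
    "10:00:00.179000 IP 198.51.100.7.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x0badcafe,seq=0x1), length 132",
]
# The post-reboot symptom from the thread: request reaches the bridge, but the
# only port-4500 traffic on the WAN afterwards is a NAT-T keepalive, no ESP.
LAN_STUCK = [LAN_HEALTHY[0]]
WAN_STUCK = [
    "10:00:00.250000 IP 203.0.113.5.4500 > 198.51.100.7.4500: isakmp-nat-keep-alive",
]

ARGS = ("192.168.37.2", "192.168.37.10", "203.0.113.5", "198.51.100.7")

if __name__ == "__main__":
    print("healthy:", diagnose(LAN_HEALTHY, WAN_HEALTHY, *ARGS))
    print("stuck:  ", diagnose(LAN_STUCK, WAN_STUCK, *ARGS))
```

The ESP payload is opaque, so the WAN side is matched on peer address, port 4500 and timing relative to the echo request rather than on the client address; that is also why the `grep <client ip>` on wwan0 in the post above will only ever show the unencrypted ICMP, not the encapsulated copy. Keepalives on port 4500 are deliberately classified as `other` so an idle tunnel does not look like forwarded traffic.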