IPSEC VPN Routing traffic between multiples sites

Hi PP User ,

Thank you for reaching out to the community, please refer the - How to create a hub and spoke IPsec VPN.

Hi,

That was exactly the last document I followed, and still can't ping a remote site from another remote site.

Thanks.

Have you created a plain VPN to VPN rule PP User  ?

Hi,

Yes I did.

Thanks.

PP User ,  add LAN,VPN in both Source and Destination zones of firewall rule, then you will be able to reach LAN host of TELTONIKA from LAN host of XG86 either ways.

Hi,

Added LAN and VPN on both source and destinations zones, and it doesn't work.

Also have reviewed the configuration (Hub and Spoke) and everything seems to be ok.

My firewall rules related to VPN are first on the list.

Rules #6 and #8 where automatically generated and both have source and destination zones ANY, and source and destination networks Local Net (hub) and both remote units. So they are doing the same...

The rule #13, VPN to VPN as been showed before.

I'm at a loss at the moment. Any ideas ?

Thanks,

Alexandre

You need to debug on the packet path and where the packet is dropped or so; please follow this link for some guidance on SFOS. Sophos Firewall: How to Identify the communication issue with up and running IPSec tunnel 

While pinging from the LAN client of XG86 to LAN client of TELTONIKA, do a tcpdump on XG86 for ESP packet or ESPinUDP packet (if your tunnel is NAT'ed); if you see ESP (or ESPinUDP) packet egressing, it means ping packet is going via the tunnel; if you don't see the ESP packet in the reverse path (ping response), then you need to troubleshoot on TELTONIKA. You are using IKEv1 type of IPsec, try this - tcpdump -ni ipsec0 if you don't see packets captured, it means return path is not working.

With this, if you are not able to figure out, you can reach out to me on sreenivasulu.naidu@sophos.com for a live session or provide the access-id (you need to enable it on XG86) to me on the email. 

Hi,

Remote site A network 192.168.37.0/29

192.168.37.1 (TELETONIKA in remote site A)

192.168.37.2 (host in remote site A)

Remote site B network 192.168.37.8/29

192.168.37.9 (TELETONIKA in remote site B)

192.168.37.10 (host behind TELTONIKA in remote site B)

A ping from 192.168.37.2 to 192.168.37.9 or 37.10 results in this captures in XG86.

tcpdump 'proto 50 gives me nothing, but using tcpdump 'host 192.168.37.2 gives me this.

The interface is ipsec0 so I assume in coming in thru VPN IPSEC and arriving at XG86, but there's only IN not OUT, so returning to your previous comment the problem is in TELTONIKA's side ?

But a ping from remote site A or B to a host in the XG86 LAN is successful and seen below.

Thanks.

Hi,

Remote site A network 192.168.37.0/29

192.168.37.1 (TELETONIKA in remote site A)

192.168.37.2 (host in remote site A)

Remote site B network 192.168.37.8/29

192.168.37.9 (TELETONIKA in remote site B)

192.168.37.10 (host behind TELTONIKA in remote site B)

A ping from 192.168.37.2 to 192.168.37.9 or 37.10 results in this captures in XG86.

tcpdump 'proto 50 gives me nothing, but using tcpdump 'host 192.168.37.2 gives me this.

The interface is ipsec0 so I assume in coming in thru VPN IPSEC and arriving at XG86, but there's only IN not OUT, so returning to your previous comment the problem is in TELTONIKA's side ?

But a ping from remote site A or B to a host in the XG86 LAN is successful and seen below.

Thanks.