IPSEC VPN Routing traffic between multiples sites

Question

Hi, 
 
 We need to establish a multiple site to site IPSEC VPN with a XG86w as the HQ. 
 Both remote sites have a TELTONIKA RUT240 router. 
 I am able to ping from HQ both remote sites, and from each remote site the HQ, but can&rsquo;t ping a remote site from another remote site. 
 
 In the XG86w I have in the local subnet of each tunnel the local HQ network and the local network of the other remote site.

On the TELTONIKA RUT240 side, running ipsec status we can see that both are installed. 
 
 I'm clearly missing something. 
 Any help would be appreciated. 
 
 Alexandre

Sreenivasulu Naidu · Accepted Answer

Had quite a lengthy call with PP User , it turns out to be the bridge on LAN side of Tektonika router (on both BO1 and BO2) causing some inconsistent behaviour/issue. In all the debugging, BO1's connected client pinging BO2's connected client, the ESPinUDP packets seen egressing on SFOS towards BO2. BO2 (BO1) has a bridge on its LAN side, seeing icmp echo packet but not forwarded towards the client of BO1. Similarly when BO2's client pinging BO1's client. Both BO1 and BO2 uses /29 subnets on its LAN; Later tried changing the subnet on BO1 to /24 and seen client of BO1 could ping BO2's client successfully, but client of BO2 could not ping BO1's client, again something skeptical in the bridged of BO1. Tried rebooting both BO1 and BO2, then ping from client of BO1 to client of BO2 is not placed into the tunnel by BO1. Suggested below tcpdumps to look at on BO1 and BO2 (Tektonika routers - both are very primitive routers withe basic implementation if IKE1 IPsec) to figure out what the issue could be while pinging from BO1 client to BO2 client or vice-versa; also suggested to use /24 subnet on bridge (LAN side) of BO1 and BO2 tcpdump -ni wwan0 udp port 4500 or icmp | grep tcpdump -ni br-lan | grep Although SFOS has no issue in receiving ESPinUDP packets from BO1, decrypted packets seen on ipsec0 and sends out ESPinUDP packets to BO2.. below commands on SOFS gives out packet details: SFOS side tcpdump: tcpdump -n port 4500 or host tcpdump -ni ipsec0 host and icmp

Sreenivasulu Naidu · Answer

You may try below and let me know if this works for you:

example: 
 On BO1 ( TELTONIKA ), IPsec tunnel should have 
 - local subnet = A (its own local subnet) 
 - remote subnet = B (local subnet of XG) and C (local subnet of BO2) 
 
 On BO2 
 - local subnet = C 
 - remote subnet = A, B 
 
 On HO, tunnel towards BO1 
 - local subnet = B,C 
 - remote subnet = A 
 
 On HO, tunnel towards BO2 
 - local subnet = A,B 
 - remote subnet = C

Then you should be able to ping host of subnet C (BO2) from host of subnet A (BO1)

Sreenivasulu Naidu · Answer

PP User , add LAN,VPN in both Source and Destination zones of firewall rule, then you will be able to reach LAN host of TELTONIKA from LAN host of XG86 either ways.

Sreenivasulu Naidu · Answer

You need to debug on the packet path and where the packet is dropped or so; please follow this link for some guidance on SFOS. Sophos Firewall: How to Identify the communication issue with up and running IPSec tunnel 
 
 While pinging from the LAN client of XG86 to LAN client of TELTONIKA, do a tcpdump on XG86 for ESP packet or ESPinUDP packet (if your tunnel is NAT'ed); if you see ESP (or ESPinUDP) packet egressing, it means ping packet is going via the tunnel; if you don't see the ESP packet in the reverse path (ping response), then you need to troubleshoot on TELTONIKA. You are using IKEv1 type of IPsec, try this - tcpdump -ni ipsec0 if you don't see packets captured, it means return path is not working. 
 
 With this, if you are not able to figure out, you can reach out to me on sreenivasulu.naidu@sophos.com for a live session or provide the access-id (you need to enable it on XG86) to me on the email.

Vivek Jagad · Answer

Hi PP User , Thank you for reaching out to the community, please refer the - How to create a hub and spoke IPsec VPN .

IPSEC VPN Routing traffic between multiples sites

Top Replies