IPsec site-to-site VPN, initiator behind router

We want to connect our remote office, which is in a managed/shared office space building, to our head office.
We have no control over the shared office network.

We have an XGS in the managed office space.

The internet connection is supplied by the office space network, so the WAN interface on the shared office XGS has a local IP provided by the shared office router.
Users are able to browse the internet without issue.

I need to get them access to our head office resources.

The head office has an XGS which is directly connected to the internet.

I am not able to get the site-to-site VPN to connect.

So our network looks like this:

Settings at the remote site

Settings at Head Office

Seeking your advice on how to get this to connect.



Added TAGs
[edited by: Erick Jan at 4:19 AM (GMT -7) on 17 Oct 2024]
  • Hi,

    * Are you able to ping the head office WAN IP (118.xyz) from the branch office XGS?

    * Please check this: since the intervening device is a router, it should have one subnet towards the branch office (initiator) and another subnet towards head office.

    * With this, the branch office XGS should have the remote gateway (in the IPsec config) set to the IP address of the router interface pointing to the branch office.

    * I am assuming IP address 150.xxx is on the router interface towards the Internet (towards the head office XGS), as I see the remote gateway on head office is set to this IP.

    * Try this first option:

    On head office: Remote ID type: IP address, Remote ID: 150.xxx

    No need to use a local ID, and do not use local/remote IDs on the branch office.

    Second option:

    On branch office: under Local gateway, select Local ID type: DNS, Local ID: test

    On head office: under Remote gateway, select Remote ID type: DNS, Remote ID: test

    Try these things and see if the connection comes up; also check /log/charon.log on both the branch office and head office while bringing up the tunnel.

    If this does not solve the issue, please share the access IDs of the branch and head office with me at sreenivasulu.naidu@shophos.com and I will take a look at the setup.

  • Had a personal chat and looked at the setup: we were able to ping from the branch office SFOS to the head office SFOS on the WAN port (via the shared router, which does SNAT), but from HO we were unable to ping the branch office. Most likely this is why the branch's IPsec initiation packet reaches head office but the response packet does not reach the branch office, and hence the connection did not come up. I suggested working on the shared router to adjust the reverse-path packet forwarding; once HO is able to ping BO on its WAN IP, the IPsec connection should come up.

  • Thanks, Sreenivasulu, for your input and assistance.

    As I expected, I am having issues getting the shared office IT to set up port forwards, and thus at this stage I do not have the site-to-site working.

    I am not really sure why port forwards are required.

    We have this exact scenario set up using Draytek routers at another site.

    Not sure why our Sophos units (which we promote as superior) can't do it.
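
Sreenivasulu's advice to watch /log/charon.log while bringing the tunnel up, and his later diagnosis that the branch's IKE initiation reaches head office but the reply never makes it back through the shared router, can both be checked mechanically from the initiator's log. The script below is an added example written for this page, not code from the thread or from Sophos. It assumes that SFOS's charon.log uses the same message texts as upstream strongSwan; the tunnel name "HO", the 192.168.50.2 and 203.0.113.10 addresses and every log line are constructed for the example. It separates the "request sent, nothing ever received" case (no return path for the responder's UDP 500/4500 replies through the intervening router) from an IKE identity mismatch (what the local/remote ID options in the first reply are meant to address) and from a healthy establishment.

```python
"""Triage an initiator-side charon.log for a site-to-site IPsec tunnel whose
initiator sits behind a NAT router.  Added example; log lines are constructed in
strongSwan's message style (assumption: SFOS /log/charon.log uses the same texts)."""
import re
from collections import Counter

SEND_RE = re.compile(r"sending packet: from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")
RECV_RE = re.compile(r"received packet: from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
GIVE_UP_RE = re.compile(r"giving up after (\d+) retransmits")
ID_MISMATCH_RE = re.compile(r"(ID[ir]{1,2}) '([^']*)' does not match to '([^']*)'")
ESTABLISHED_RE = re.compile(r"IKE_SA \S+ established between")
NAT_RE = re.compile(r"(local|remote) host is behind NAT")


def triage(log_text):
    """Classify one IKE initiation attempt from the initiator's log.

    Returns the verdict plus the evidence behind it, so a result can be asserted
    on rather than eyeballed."""
    sent = received = retransmits = 0
    gave_up = established = False
    nat_sides, id_mismatch = set(), None
    paths = Counter()  # "src:port->dst:port" for every packet this side sent

    for line in log_text.splitlines():
        if m := SEND_RE.search(line):
            sent += 1
            paths[f"{m[1]}:{m[2]}->{m[3]}:{m[4]}"] += 1
        elif RECV_RE.search(line):
            received += 1
        elif m := RETRANSMIT_RE.search(line):
            retransmits = max(retransmits, int(m[1]))
        elif GIVE_UP_RE.search(line):
            gave_up = True
        elif m := NAT_RE.search(line):
            nat_sides.add(m[1])
        elif m := ID_MISMATCH_RE.search(line):
            id_mismatch = (m[1], m[2], m[3])
        elif ESTABLISHED_RE.search(line):
            established = True

    if established:
        verdict = "established"
    elif sent and not received and (retransmits or gave_up):
        # IKE_SA_INIT left this box and nothing ever came back: the request may
        # reach the responder, but its reply has no path back through the router
        # in between (the reverse-path problem the thread ends on).
        verdict = "no_response"
    elif id_mismatch:
        # The peer answered, but authentication failed on identity: the local/
        # remote ID settings on the two gateways do not agree.
        verdict = "id_mismatch"
    else:
        verdict = "unknown"

    return {"verdict": verdict, "sent": sent, "received": received,
            "retransmits": retransmits, "gave_up": gave_up,
            "nat": sorted(nat_sides), "id_mismatch": id_mismatch,
            "paths": dict(paths)}


# Constructed sample logs (not real captures). 192.168.50.2 stands in for the
# branch XGS WAN address behind the shared router's SNAT; 203.0.113.10 for the
# head-office public IP.
BRANCH_NO_RESPONSE = """\
13[IKE] <HO|1> initiating IKE_SA HO[1] to 203.0.113.10
13[NET] <HO|1> sending packet: from 192.168.50.2[500] to 203.0.113.10[500] (464 bytes)
14[IKE] <HO|1> retransmit 1 of request with message ID 0
14[NET] <HO|1> sending packet: from 192.168.50.2[500] to 203.0.113.10[500] (464 bytes)
15[IKE] <HO|1> retransmit 2 of request with message ID 0
15[NET] <HO|1> sending packet: from 192.168.50.2[500] to 203.0.113.10[500] (464 bytes)
16[IKE] <HO|1> giving up after 2 retransmits
"""

BRANCH_ID_MISMATCH = """\
13[IKE] <HO|1> initiating IKE_SA HO[1] to 203.0.113.10
13[NET] <HO|1> sending packet: from 192.168.50.2[500] to 203.0.113.10[500] (464 bytes)
13[NET] <HO|1> received packet: from 203.0.113.10[500] to 192.168.50.2[500] (440 bytes)
13[IKE] <HO|1> local host is behind NAT, sending keep alives
13[NET] <HO|1> sending packet: from 192.168.50.2[4500] to 203.0.113.10[4500] (332 bytes)
13[NET] <HO|1> received packet: from 203.0.113.10[4500] to 192.168.50.2[4500] (80 bytes)
13[IKE] <HO|1> IDir '203.0.113.10' does not match to 'test'
"""

BRANCH_ESTABLISHED = """\
13[IKE] <HO|1> initiating IKE_SA HO[1] to 203.0.113.10
13[NET] <HO|1> sending packet: from 192.168.50.2[500] to 203.0.113.10[500] (464 bytes)
13[NET] <HO|1> received packet: from 203.0.113.10[500] to 192.168.50.2[500] (440 bytes)
13[IKE] <HO|1> local host is behind NAT, sending keep alives
13[NET] <HO|1> sending packet: from 192.168.50.2[4500] to 203.0.113.10[4500] (332 bytes)
13[NET] <HO|1> received packet: from 203.0.113.10[4500] to 192.168.50.2[4500] (224 bytes)
13[IKE] <HO|1> IKE_SA HO[1] established between 192.168.50.2[test]...203.0.113.10[203.0.113.10]
"""

if __name__ == "__main__":
    for name, log in [("no_response", BRANCH_NO_RESPONSE),
                      ("id_mismatch", BRANCH_ID_MISMATCH),
                      ("established", BRANCH_ESTABLISHED)]:
        print(name, triage(log)["verdict"])
```

A `no_response` verdict whose `paths` show only private-address sources is the situation this thread describes: the branch's IKE_SA_INIT leaves through the shared router's SNAT, but the responder's reply on UDP 500 (and 4500 once NAT-T kicks in) only gets back if that router either keeps the SNAT state for the return packet or has a static forward for those ports to the branch XGS. Seeing "local host is behind NAT" together with a received packet, as in the second sample, tells you the path is fine and the problem has moved on to identities or proposals.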
