IPsec VPN with multiple subnets

Hi All

Just reaching out as I've got a strange one that support has as low priority, so I'm seeing if anyone's dealt with it before.

I have a bunch of IPsec VPN tunnels to Teltonika modems that work great; however, from the Sophos I wish to add a second subnet to talk to the remote device.

When I add it and match the configs on both devices, only one tunnel connects.

The VPN builds for the first subnet matched but not for the second in the list.

The logs show the following (just observed these in our logs):

2025-02-14 01:48:20Z 24[CFG] <Teltonika_Test-1|1046260>  config: 192.168.5.0/24, received: 192.168.5.0/24 => match: 192.168.5.0/24
2025-02-14 01:48:20Z 24[CFG] <Teltonika_Test-1|1046260>  config: 192.168.5.0/24, received: 192.168.7.30/32 => no match

which suggests the Sophos is just ignoring the second subnet?

I've also tried doing the second subnet as a /24 to no avail.



Added TAGs
[edited by: Erick Jan at 3:42 AM (GMT -8) on 19 Feb 2025]
  • Hi LA17,

    Thank you for reaching out to Sophos Community.

    Can you try to check the following KB

    and recheck the configuration, as the logs indicate a "no match".

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

    • Hi, thanks for the reply

      Not sure that hub and spoke is what I'm after, as it's just a site-to-site with 2 subnets (remote end / Sophos local end).

      192.168.5.0 and 192.168.7.0 are VLANs on the Sophos side.

    • Hi,

      I don't think SFOS has any issue building multiple child SAs under one IKE SA. Please check whether Teltonika supports multiple subnets in its IPsec config; if it is not supported, even though the config is allowed, it may not be able to build a child SA for the 2nd subnet, and you will have to create two tunnels, each tunnel having a single subnet. I recall we have seen such an issue in the past with Teltonika.

      • Thanks, I have confirmed the RUTX09 supports multiple child SAs. The logs look to show that the Teltonika is sending the second SA subnet through and the Sophos is just ignoring the match and only looking at the first listed subnet in its local list.

        • Below are the logs in a working setup (SFOS<responder>-----<initiator>SFOS), used the same subnets.

          SF01V_SO01_SFOS 21.0.1 MR-1-Build242# grep "config:" /log/charon.log

          2025-02-20 09:13:08Z 14[CFG] <12> found matching ike config: 40.1.1.1...40.1.1.2 with prio 3100
          2025-02-20 09:13:08Z 12[CFG] <T1-1|12> config: 192.168.5.0/24, received: 192.168.5.0/24 => match: 192.168.5.0/24
          2025-02-20 09:13:08Z 12[CFG] <T1-1|12> config: 10.125.1.0/24, received: 10.125.1.0/24 => match: 10.125.1.0/24
          2025-02-20 09:13:08Z 23[CFG] <T1-1|12> config: 192.168.7.30/32, received: 192.168.7.30/32 => match: 192.168.7.30/32
          2025-02-20 09:13:08Z 23[CFG] <T1-1|12> config: 10.125.1.0/24, received: 10.125.1.0/24 => match: 10.125.1.0/24

          1st line refers to local subnet 1 - 192.168.5.0/24

          2nd line refers to the remote subnet - 10.125.1.0/24

          3rd line refers to local subnet 2 - 192.168.7.30/32

          4th line refers to the remote subnet - 10.125.1.0/24

          The logs that you have posted: 

          2025-02-14 01:48:20Z 24[CFG] <Teltonika_Test-1|1046260>  config: 192.168.5.0/24, received: 192.168.5.0/24 => match: 192.168.5.0/24
          2025-02-14 01:48:20Z 24[CFG] <Teltonika_Test-1|1046260>  config: 192.168.5.0/24, received: 192.168.7.30/32 => no match

          In the 2nd line, why is SFOS receiving 192.168.7.30/32 unless Teltonika is sending this?

          Please double-check the configs on the Teltonika and its multiple-subnet support; if the issue is not resolved, please work with Teltonika support.
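The exchange above turns on reading strongSwan's "config: X, received: Y => match / no match" lines correctly: each line is one comparison between a selector this side has configured and one the peer proposed, and a proposed selector that never overlaps any configured selector is dropped from the child SA. The following is an added example, not code from the thread or from Sophos or Teltonika, that parses charon.log lines of that shape and reports, per IKE SA, which received selectors were narrowed to a match and which the responder never compared against a matching local selector. The sample lines are constructed from the excerpts quoted in this thread (same connection names, SA ids and subnets); the line format assumed is the one visible in those excerpts, and the hint text in diagnose() is this example's wording of the advice given earlier in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input modelled on the charon.log excerpts quoted in this thread:
# the failing Teltonika run and the working SFOS-to-SFOS run with the same subnets.
FAILING_LOG = """\
2025-02-20 21:58:34Z 20[CFG] <Teltonika_Test-1|1069326> config: 192.168.5.0/24, received: 192.168.5.0/24 => match: 192.168.5.0/24
2025-02-20 21:58:34Z 20[CFG] <Teltonika_Test-1|1069326> config: 192.168.5.0/24, received: 192.168.7.30/32 => no match
2025-02-20 21:58:34Z 20[CFG] <Teltonika_Test-1|1069326> config: 10.125.1.0/24, received: 10.125.1.0/24 => match: 10.125.1.0/24
"""

WORKING_LOG = """\
2025-02-20 09:13:08Z 14[CFG] <12> found matching ike config: 40.1.1.1...40.1.1.2 with prio 3100
2025-02-20 09:13:08Z 12[CFG] <T1-1|12> config: 192.168.5.0/24, received: 192.168.5.0/24 => match: 192.168.5.0/24
2025-02-20 09:13:08Z 12[CFG] <T1-1|12> config: 10.125.1.0/24, received: 10.125.1.0/24 => match: 10.125.1.0/24
2025-02-20 09:13:08Z 23[CFG] <T1-1|12> config: 192.168.7.30/32, received: 192.168.7.30/32 => match: 192.168.7.30/32
2025-02-20 09:13:08Z 23[CFG] <T1-1|12> config: 10.125.1.0/24, received: 10.125.1.0/24 => match: 10.125.1.0/24
"""

# One CFG line per (configured selector, received selector) comparison; the
# "<conn|id>" prefix identifies the IKE SA the child SA is being negotiated under.
LINE_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+config:\s+(?P<config>[\d./]+),"
    r"\s+received:\s+(?P<received>[\d./]+)\s+=>\s+(?P<result>match: [\d./]+|no match)"
)


def parse_ts_lines(log):
    """Extract the traffic-selector comparison lines; unrelated lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        entries.append({
            "conn": m["conn"],
            "sa": int(m["sa"]),
            "config": ipaddress.ip_network(m["config"], strict=False),
            "received": ipaddress.ip_network(m["received"], strict=False),
            "matched": m["result"] != "no match",
        })
    return entries


def analyse(log):
    """Per IKE SA: the selectors the peer proposed, the ones this side compared them
    against, the narrowed matches, and proposals that overlapped nothing configured."""
    sas = defaultdict(lambda: {"configured": set(), "received": set()})
    for e in parse_ts_lines(log):
        key = (e["conn"], e["sa"])
        sas[key]["configured"].add(e["config"])
        sas[key]["received"].add(e["received"])

    report = {}
    for key, s in sas.items():
        # A proposed selector survives only if it overlaps a selector this side holds.
        unmatched = [r for r in s["received"]
                     if not any(r.overlaps(c) for c in s["configured"])]
        # For overlapping CIDR pairs the narrowed selector is the more specific one.
        narrowed = set()
        for r in s["received"]:
            for c in s["configured"]:
                if r.subnet_of(c):
                    narrowed.add(r)
                elif c.subnet_of(r):
                    narrowed.add(c)
        report[key] = {
            "received": [str(n) for n in sorted(s["received"])],
            "configured": [str(n) for n in sorted(s["configured"])],
            "narrowed": [str(n) for n in sorted(narrowed)],
            "unmatched": [str(n) for n in sorted(unmatched)],
        }
    return report


def diagnose(report):
    """Human-readable findings; empty when every proposed selector was narrowed to a match."""
    findings = []
    for (conn, sa), r in report.items():
        if r["unmatched"]:
            findings.append(
                f"{conn}|{sa}: peer proposed {', '.join(r['unmatched'])} but this side only "
                f"compared it against {', '.join(r['configured'])}. Check the local subnet "
                f"list on this side, or split the tunnel so each subnet pair is its own child SA."
            )
    return findings


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, diagnose(analyse(log)) or ["all proposed selectors matched"])
```

Run against the failing excerpt it flags 192.168.7.30/32 as proposed by the peer but compared only against 192.168.5.0/24 and 10.125.1.0/24; against the working excerpt it reports nothing, because 192.168.7.30/32 appears on the "config:" side as well.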

          • Hi,
            I'm not sure I understand. Yes, the Teltonika IS sending the second subnet, as per below.

            These are the logs from the sophos

            1st line refers to the local subnet1 - 192.168.5.0/24

            2nd line refers to the local subnet 2 - 192.168.7.30/32

            3rd line refers to the remote subnet - 10.125.1.0/24

            2025-02-20 21:58:34Z 20[CFG] <Teltonika_Test-1|1069326> config: 192.168.5.0/24, received: 192.168.5.0/24 => match: 192.168.5.0/24
            2025-02-20 21:58:34Z 20[CFG] <Teltonika_Test-1|1069326> config: 192.168.5.0/24, received: 192.168.7.30/32 => no match
            2025-02-20 21:58:34Z 20[CFG] <Teltonika_Test-1|1069326> config: 10.125.1.0/24, received: 10.125.1.0/24 => match: 10.125.1.0/24

            Unless I'm reading the logs wrong the Sophos end is only presenting the local subnet 1 both times?

            Thanks

            • Hello,

              If 192.168.7.30/32 is not part of the remote subnet (Teltonika), then it shouldn't be sending this to Sophos.

              I believe you are using IKEv2; if that is the case, make sure "Compatibility mode" is enabled.

              If I am not mistaken, in IKEv1, Teltonika only allows one single subnet under one IKEv1 tunnel. 

              Regards,


              Emmanuel (EmmoSophos)
              Technical Team Lead, Global Community Support
              • Thanks Emmanuel

                The links are now up! 

                In the Teltonika, under the IPsec advanced connection settings, enabling "Compatibility Mode" sorted the issue.

                Thank you all for your help troubleshooting.

                Regards