
VPN: Remote computers cannot access computers in the main office

Hi,

We set up an IPsec site-to-site VPN connection between our main office and branch office.

In the main office, we have two ISPs, each with its own router. The first router has a local IP of 192.168.0.20 and the second router's (an XG 230, actually) local IP is 192.168.0.2.

The branch office router's (XG 135) local IP is 192.168.2.1. The VPN connects without any problem and computers from the branch office can successfully access computers/servers in the main office. For example, 192.168.2.60 can communicate with 192.168.0.50.

Now, here's the problem. If the computer in the main office changes its default gateway to 192.168.0.20, the computers in the branch office will not be able to connect to it.

192.168.2.60 cannot access or even ping 192.168.0.52 and 192.168.0.53.

192.168.0.52 and 192.168.0.53 can ping and access 192.168.2.60 due to a static route configured on the first router.

What do I need to do to make the computers in the main office still accessible through VPN even if I change their gateways to 192.168.0.20?

Thank you.

  • AFAIK, the image in your picture also has a solution:

    On 192.168.0.20, add a route to 192.168.2.0/24, next hop 192.168.0.2.
    Do a traceroute from the main office to verify that this path is chosen.

    Indeed triangular routing, but it shouldn't affect the XG, only the device 192.168.0.20.


  • Hi,

    It would need more information as per your diagram; indeed, it looks like an asymmetric network, but more information would also be needed.

    1. There are two gateways for your home network; are both devices connected via VPN or a static route?

    2. If you have two ISPs, you could connect them to the XG directly and it would manage failover. Is there a reason you have two gateways instead of one?

    3. Could you check the traffic via packet capture, and if you find that the remote device dropped the packets due to asymmetric routing, you may add the advanced bypass option via the command line. But this is not applicable for VPN traffic; it is commonly used for MPLS traffic.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support
