
SOLVED: routing problems - vpn connections

Hi, this is my network diagram:



1) I am sitting on the left in the Fortigate branch office at 10.0.0.0/16 and have a working VPN tunnel to the HQ at 192.168.1.0/24
2) The Sophos UTM at HQ has a working VPN tunnel to the firewall branch office at 192.168.10.0/24

I have two problems:

A) Subnet 10.0.0.0/16 cannot reach subnet 192.168.10.0/24.
I have added a static route to 192.168.10.0/24 on the "fortinet branch device", to be sure that all traffic to this network is routed through that tunnel.
So why is the Sophos UTM not forwarding any traffic to 192.168.10.0/24? This is a directly connected route, so it should be forwarded automatically.
A traffic rule policy is active to allow traffic from ANY to 192.168.10.0/24.

B) Routing all traffic through the tunnel, using the Sophos UTM as the final gateway to the public internet, is not working.
I would like to route all traffic from the Fortigate branch through the VPN tunnel, using the Sophos UTM as the gateway to the public internet.
Traffic enters and leaves the tunnel, but the Sophos UTM doesn't forward anything out through the WAN interface.
The host 192.168.0.100 has perfect access to the public internet though; I have masquerading active.

Every help is very appreciated.



  • a)

    Do you include the networks behind the Sophos in the tunnel definition?

    1st tunnel, branch left <--> Sophos:

    10.0.0.0/16 <--> 192.168.0.0/24 + 192.168.10.0/24

    2nd tunnel, Sophos <--> branch top:

    10.0.0.0/16 + 192.168.0.0/24 <--> 192.168.10.0/24

    b)

    If (a) works ... you see you have to define the reachable networks in the tunnel definition. So the central Sophos should provide the "any" network.

     

    I use this too ... it really works.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Hi Dirk,

    > Do you include the networks behind the Sophos in the tunnel definition?

    I am not sure what you mean. Can you please elaborate on this?
    Thank you very much.

    The central Sophos UTM unit has two active tunnels: to 10.0.0.0/16 and 192.168.10.0/24. Both are up and traffic is flowing in both directions.

    The problem is there is no traffic flow from tunnel 1 <-> tunnel 2, or from tunnel 1 or 2 to the internet.

    Do I have to add static routes manually?
    Isn't the central UTM supposed to route this traffic automatically, as the subnets are all directly connected?

    This is the routing table on the UTM:

    default via 178.63.62.1 dev eth0  table 220  proto kernel onlink 
    default via 178.63.62.1 dev eth3  table 221  proto kernel onlink 
    default  table default  proto kernel  metric 20 
    	nexthop via 178.63.62.1  dev eth0 weight 1 onlink
    	nexthop via 178.63.62.1  dev eth3 weight 1 onlink
    10.0.0.0/16 dev eth0  proto ipsec  scope link  src 192.168.0.1 
    192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1 
    192.168.10.0/24 dev eth0  proto ipsec  scope link  src 192.168.0.1 
    178.63.62.0/26 dev eth0  proto kernel  scope link  src 178.63.62.12 
    178.63.62.0/26 dev eth3  proto kernel  scope link  src 178.63.62.13 
    
     
  • With IPsec you have to define all traffic that is allowed to pass a tunnel (mostly).

    So within the definition of tunnel 1 the reachable networks must also contain the network behind tunnel 2, in addition to the central network.

    Check the routing table at the branch ... there you should see the central network and the next branch reachable over IPsec.

    Something like this:

    10.0.0.0/16 dev eth1  proto kernel  ... 
    192.168.0.0/24 dev eth0  proto ipsec  ... 
    192.168.10.0/24 dev eth0  proto ipsec  ...

     


    Dirk

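To make Dirk's two points concrete (a: each spoke tunnel must list the other spoke's network too; b: "any" on the hub side for full-tunnel internet access), here is an added example that is not code from the thread, from Sophos or from Fortinet. It models the hub-side IPsec Phase 2 selectors of this exact topology and decides, for a given packet, whether the Sophos UTM can forward it. Only the network numbers come from the thread; the `Tunnel` model, the function names and the sample flows are assumptions made for illustration. It also covers the half-fixed case where only one of the two tunnel definitions was updated, which the thread does not show.

```python
"""Hub-and-spoke IPsec selector check, modelled on the thread's topology.

Added example, not code from the original post or from Sophos/Fortinet.
Only the network numbers come from the thread; the Tunnel model, the
function names and the sample flows are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

ANY = ip_network("0.0.0.0/0")
HUB_LAN = (ip_network("192.168.0.0/24"),)   # eth1 on the UTM, per the posted routing table


@dataclass(frozen=True)
class Tunnel:
    """One IPsec connection as seen from the hub (Sophos UTM)."""
    name: str
    local: Tuple[IPv4Network, ...]   # 'Local networks' in the hub's tunnel definition
    remote: Tuple[IPv4Network, ...]  # 'Remote networks', i.e. the spoke side


def nets(*cidrs: str) -> Tuple[IPv4Network, ...]:
    return tuple(ip_network(c) for c in cidrs)


def covered(selectors: Tuple[IPv4Network, ...], host: IPv4Network) -> bool:
    """True when some Phase 2 selector contains the /32 host."""
    return any(host.subnet_of(s) for s in selectors)


def hub_path(tunnels: List[Tunnel], src: str, dst: str) -> Tuple[str, str]:
    """Decide what the hub does with a packet src -> dst arriving from a spoke.

    Returns ("ok", where it goes) or ("drop", why). A kernel route alone is
    not enough: IPsec forwards a packet only if its (src, dst) pair matches
    a selector pair on *both* tunnels it has to traverse.
    """
    s, d = ip_network(f"{src}/32"), ip_network(f"{dst}/32")

    # 1. Inbound leg: the spoke encrypts, and the hub accepts, only pairs
    #    that match that tunnel's (remote -> local) selectors.
    t_in = next((t for t in tunnels
                 if covered(t.remote, s) and covered(t.local, d)), None)
    if t_in is None:
        return "drop", f"no tunnel has a selector for {src} -> {dst}; never encrypted"

    if covered(HUB_LAN, d):
        return "ok", f"{t_in.name} -> hub LAN"

    # 2. Spoke-to-spoke: the second tunnel must list the first spoke's
    #    network as a *local* network, otherwise its policy has no match.
    t_out = next((t for t in tunnels if t is not t_in
                  and covered(t.local, s) and covered(t.remote, d)), None)
    if t_out is not None:
        return "ok", f"{t_in.name} -> {t_out.name}"

    # 3. The kernel has a 'proto ipsec' route to dst, but no policy covers
    #    this src: the silent drop seen in the thread.
    if any(covered(t.remote, d) for t in tunnels):
        return "drop", f"{t_in.name} accepted it, but the tunnel to {dst} has no selector for {src}"

    # 4. Anything else follows the hub's default route (full-tunnel case).
    #    The hub still needs a masquerading rule that covers src on its WAN.
    return "ok", f"{t_in.name} -> default route via WAN (masquerade {src})"


def original_config() -> List[Tunnel]:
    """As posted: each tunnel only carries hub LAN <-> its own spoke."""
    return [
        Tunnel("to-fortigate", nets("192.168.0.0/24"), nets("10.0.0.0/16")),
        Tunnel("to-branch-top", nets("192.168.0.0/24"), nets("192.168.10.0/24")),
    ]


def fixed_config(full_tunnel: bool = False) -> List[Tunnel]:
    """Dirk's fix: each tunnel lists the other spoke too; 0.0.0.0/0 for full tunnel."""
    left_local = (ANY,) if full_tunnel else nets("192.168.0.0/24", "192.168.10.0/24")
    return [
        Tunnel("to-fortigate", left_local, nets("10.0.0.0/16")),
        Tunnel("to-branch-top", nets("192.168.0.0/24", "10.0.0.0/16"), nets("192.168.10.0/24")),
    ]


if __name__ == "__main__":
    # Constructed sample flows (hosts chosen for illustration).
    flows = [("10.0.0.5", "192.168.0.100"), ("10.0.0.5", "192.168.10.5"),
             ("192.168.10.5", "10.0.0.5"), ("10.0.0.5", "8.8.8.8")]
    for label, cfg in [("original", original_config()),
                       ("fixed", fixed_config()),
                       ("fixed+full-tunnel", fixed_config(full_tunnel=True))]:
        print(f"== {label}")
        for src, dst in flows:
            status, why = hub_path(cfg, src, dst)
            print(f"  {src:>14} -> {dst:<15} {status:4} {why}")
```

Running it shows why the OP's static route on the FortiGate could not help: with the original definitions the 10.0.0.0/16 -> 192.168.10.0/24 pair matches no selector on either tunnel, so it is never encrypted at all, and updating only one of the two tunnel definitions moves the drop to the hub (route present, policy absent). For the full-tunnel case the 0.0.0.0/0 selector gets the packet to the hub's default route; whether it then leaves the WAN also depends on the UTM's masquerading rule covering the spoke network, not just 192.168.0.0/24.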

  • Thank you Dirk. This definitely solved my problem.

    I had to add the additional subnet I wanted to reach in the tunnel.

  • Dirk gave you the solution, but I thought I'd add a little background...

    In order for you to be able to use manual routes instead of the ones created automatically by WebAdmin when an IPsec tunnel is defined, the IPsec Connection must be bound to an interface.  You must then create all necessary routes manually.  An example is Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE).  You might also be interested in Hub and Spoke Site-to-Site VPNs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA