Hello!
I'm looking for help configuring the routing for a "VPN-in-VPN" configuration. I searched the forums but didn't find a solution matching my setup.
But then I'm not a Sophos expert so maybe it's just a small bit that I'm missing...
Long text I'm afraid.
My setup consists of 2 UTM 9 firewalls, one in the local data center (10.246.181.0/24) and the other one a small, mobile SG105w connecting some remote devices (in a 192.168.20.64/27 network).
This remote UTM box travels to e.g. an exhibition and initiates the "outer" Sophos VPN, a site-to-site SSL VPN back to our data center.
Setup of VPN and routing was straightforward and works fine.
One of the devices operating remotely (192.168.20.65, the "TI-Konnektor") is itself opening a VPN tunnel to a 3rd-party network (10.30.0.0/15). I have no control over this TI-VPN. This "inner" VPN is using our data center's internet link (not the internet on the remote site) and is also operating well for the remote "TI-Konnektor". When plugging my laptop into the 192.168.20.64/27 switch on the remote site I can telnet into a server in the 10.30.0.0/15 target network.
Now one of the servers in the local data center (10.246.181.189) needs to use this remote "inner" VPN to reach the 10.30.0.0 target network.
I've added a route locally on the Windows box (route add -p 10.30.0.0 mask 255.254.0.0 10.246.181.200) and gateway routes on both UTMs, always using the next device as the gateway: Server -> local UTM -> remote UTM -> TI-Konnektor.
Packets were initially dropped on the data center UTM, so I created the 10.30.0.0 network "object" (named "TI Offene") and added it to the SSL VPN.
I now see packets being allowed to pass through the auto-generated rules both on the local data center UTM and also on the remote UTM.
Still, a telnet from the datacenter server (10.246.181.189) to e.g. 10.30.7.190 isn't connecting.
I'm failing to cobble these 2 VPNs together and configure a route that first goes "leftwards" from data center to the remote site (through the "outer" Sophos VPN), then enters the "inner" TI-VPN on 192.168.20.65 to go back "rightwards", tunneling through our data center to e.g. this single SMTP server 10.30.7.190...
I tried to visualize this setup in the attached PDF.
/cfs-file/__key/communityserver-discussions-components-files/51/Routing-for-TI_2D00_VPN.pdf
Any ideas? Need more information?
Any help greatly appreciated...
Regards
JB
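The two-VPN path described in the post is easiest to reason about by tracing the request and, just as importantly, the reply, hop by hop. The script below is an added example, not part of the post and not Sophos code. It models each device's routing table with longest-prefix matching and each VPN as a link that only carries packets whose source and destination fall inside one of its configured network pairs (the behaviour behind the "TI Offene" object having to be added to the SSL VPN), then traces both directions and reports the first hop where a packet has no route or no matching VPN pair. Everything about the TI-VPN's network pairs and the TI side's return routes is an assumption (the post only establishes that a laptop on 192.168.20.64/27 gets through), as are the remote UTM LAN address 192.168.20.94 and the laptop address 192.168.20.70; the source-NAT case is a hypothesis the model lets you test, not a confirmed fix.

```python
"""Hop-by-hop route and VPN network-pair trace for the two-VPN path in the post.

Added example, not part of the post and not Sophos code. Assumptions: the remote
UTM's LAN address (192.168.20.94), the laptop address (192.168.20.70), and that the
TI-VPN and the TI side only know the remote LAN 192.168.20.64/27.
"""
from ipaddress import ip_address, ip_network

N = ip_network  # shorthand

# node -> [(prefix, next-hop node or "connected")]; "connected" = delivered on that LAN.
ROUTES = {
    "server":     [(N("10.246.181.0/24"), "connected"), (N("10.30.0.0/15"), "dc_utm")],
    "dc_utm":     [(N("10.246.181.0/24"), "connected"), (N("192.168.20.64/27"), "remote_utm"),
                   (N("10.30.0.0/15"), "remote_utm")],
    "remote_utm": [(N("192.168.20.64/27"), "connected"), (N("10.246.181.0/24"), "dc_utm"),
                   (N("10.30.0.0/15"), "konnektor")],
    "konnektor":  [(N("192.168.20.64/27"), "connected"), (N("10.30.0.0/15"), "ti_gateway"),
                   (N("0.0.0.0/0"), "remote_utm")],   # default via the outer VPN, per the post
    # Assumption: the TI side only has a way back to the remote LAN.
    "ti_gateway": [(N("10.30.0.0/15"), "connected"), (N("192.168.20.64/27"), "konnektor")],
}

# Network pairs a VPN carries (either direction). The outer SSL VPN before and after
# the "TI Offene" object (10.30.0.0/15) from the post is added to it:
OUTER_VPN_BASE = [(N("10.246.181.0/24"), N("192.168.20.64/27"))]
OUTER_VPN_WITH_TI = OUTER_VPN_BASE + [(N("10.246.181.0/24"), N("10.30.0.0/15"))]
INNER_VPN = [(N("192.168.20.64/27"), N("10.30.0.0/15"))]   # assumption about the TI-VPN


def lookup(table, dst):
    """Longest-prefix match: (prefix, next hop), or None when there is no route."""
    matches = [(prefix, via) for prefix, via in table if dst in prefix]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def trace(src, dst, start, outer=OUTER_VPN_WITH_TI, inner=INNER_VPN, snat=None, max_hops=8):
    """Forward one packet hop by hop and return (path, status).

    snat=(node, dst_net, new_src): that node rewrites the source address of packets
    towards dst_net before forwarding them (source NAT / masquerading).
    """
    src, dst = ip_address(src), ip_address(dst)
    links = {frozenset({"dc_utm", "remote_utm"}): outer,
             frozenset({"konnektor", "ti_gateway"}): inner}
    node, path = start, [start]
    for _ in range(max_hops):
        match = lookup(ROUTES[node], dst)
        if match is None:
            return path, f"{node}: no route to {dst}"
        prefix, via = match
        if via == "connected":
            return path, f"delivered on {prefix} via {node}"
        if snat and snat[0] == node and dst in N(snat[1]):
            src = ip_address(snat[2])
        pairs = links.get(frozenset({node, via}))
        if pairs is not None and not any((src in a and dst in b) or (src in b and dst in a)
                                         for a, b in pairs):
            return path, f"{node}->{via}: VPN carries no network pair for {src}->{dst}"
        node = via
        path.append(node)
    return path, "hop limit exceeded (routing loop?)"


def check_session(client, target, first_hop, **kw):
    """Trace the request and then the reply; return (request_status, reply_status).

    A path only works when both directions complete, so a reply with no route back
    (asymmetric routing) is reported even though the request was delivered.
    """
    fwd_path, fwd = trace(client, target, first_hop, **kw)
    if not fwd.startswith("delivered"):
        return fwd, None
    snat = kw.get("snat")
    # Replies are addressed to the source the target saw, i.e. the NATed one if NAT applied.
    reply_to = snat[2] if snat and ip_address(target) in N(snat[1]) else client
    _, rev = trace(target, reply_to, fwd_path[-1], **kw)
    return fwd, rev


if __name__ == "__main__":
    print("laptop on the remote LAN (works in the post):",
          check_session("192.168.20.70", "10.30.7.190", "konnektor"))
    print("DC server, outer VPN without 10.30.0.0/15:",
          check_session("10.246.181.189", "10.30.7.190", "server", outer=OUTER_VPN_BASE))
    print("DC server, outer VPN with 10.30.0.0/15:",
          check_session("10.246.181.189", "10.30.7.190", "server"))
    print("DC server, plus source NAT on the remote UTM (hypothesis):",
          check_session("10.246.181.189", "10.30.7.190", "server",
                        snat=("remote_utm", "10.30.0.0/15", "192.168.20.94")))
```

Under these assumptions the trace reproduces the drop on the data center UTM before the 10.30.0.0/15 object is added, and afterwards moves the failure to the TI-Konnektor, whose tunnel is modeled as carrying only the remote LAN. Swapping INNER_VPN or the ti_gateway routes for what the TI provider actually configures changes the outcome, which is the point: the tool makes explicit which fact about the inner VPN decides whether a data center source can be carried at all, or has to be masqueraded behind a remote-LAN address first.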