Question on how Sophos handles CIDR ranges for Remote Networks

Hi there, 

We have a S2S VPN with a client, with a single remote network defined as 10.x.x.x/16

On occasion, I can see in the IPsec logs that the client is trying to establish the connection from 10.x.x.x/17

Sophos UTM 9 will not establish in this instance as there is no remote network defined as 10.x.x.x/17

The client is insisting that Sophos SHOULD accept the /17 as, technically, it should be covered by the /16

Is there a setting somewhere that will allow this, or is there a reason why UTM 9 is so exacting about the CIDR range?

Thanks in advance

Steve 



  • Haigh Steve and welcome to the UTM Community!

    So, the client is trying to establish a connection where he has his local network as a /17, but you have him in 'Remote Networks' as a /16?  That won't work.

    The client has to decide what subnet he's using and configure his IPsec connection for that.  If he wants to be able to come from anywhere in the /16, then that's what he'll need to use.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
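
The mismatch described in the reply above, as an added example that is not part of the original thread and is not Sophos code: a small checker that compares the subnet a peer proposes against the configured remote networks and reports why an exact-match policy refuses a /17 that sits inside a /16. The addresses are constructed (the thread masks the real ones as 10.x.x.x), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample value: the thread masks the real network as 10.x.x.x/16.
CONFIGURED_REMOTE_NETWORKS = ["10.20.0.0/16"]

def classify_selector(configured, proposed):
    """Relate the peer's proposed subnet to one configured remote network."""
    cfg = ipaddress.ip_network(configured, strict=True)
    prop = ipaddress.ip_network(proposed, strict=True)
    if cfg.version != prop.version:
        return "disjoint"
    if prop == cfg:
        return "exact"
    if prop.subnet_of(cfg):
        return "narrower"  # covered by the definition, but not identical
    if prop.supernet_of(cfg):
        return "wider"     # peer asks for more than was defined
    return "disjoint"      # aligned CIDR blocks never partially overlap

def check_proposal(proposed, configured=CONFIGURED_REMOTE_NETWORKS):
    """Return (accepted, reason) under the exact-match behaviour the thread describes."""
    relations = {net: classify_selector(net, proposed) for net in configured}
    for net, rel in relations.items():
        if rel == "exact":
            return True, f"{proposed} matches remote network {net}"
    for net, rel in relations.items():
        if rel == "narrower":
            return False, (f"{proposed} lies inside {net} but is not identical; "
                           "both ends must define the same subnet")
        if rel == "wider":
            return False, f"{proposed} is wider than {net}; peer must narrow it"
    return False, f"{proposed} matches no configured remote network"

if __name__ == "__main__":
    # Constructed proposals, as they might be read out of the IPsec log.
    for proposal in ["10.20.0.0/16", "10.20.0.0/17", "10.20.128.0/17",
                     "10.0.0.0/8", "192.168.1.0/24"]:
        accepted, reason = check_proposal(proposal)
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```
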