
Configuration Backup over IPSEC Tunnel

Hello,


we have a configuration with a SG125 on site 1 and another SG125 on site 2. The SG125 firewalls are connected with an IPSEC Tunnel.

On site a, we have an on-premises Exchange server; the first firewall has no problem sending its weekly configuration backup.

On site b, the SG125 is also configured to send emails with the configuration backup, but the host cannot reach the Exchange server.

In the admin notification log, I see that the connection to the Exchange server times out.

On both sides, I created firewall rules to allow the traffic (VLANs 1 and 2 on site a have full access to VLANs 3 and 4 on site b, and vice versa).


What I also tested:

I used the diagnostic tools and pinged the server from different interfaces:

Site a, 2 VLANs: the ping from VLAN 1 (from where the Exchange server is reachable) fails (destination unreachable); only from VLAN 2, which contains the Exchange server, can I ping the server.

Site b, VLANs 3 and 4: the ping is also failing (destination unreachable). From both networks, I can reach the Exchange server (from a client, for example). If I use the closest route option, I get 100% packet loss and no messages about the failed pings.

I have the feeling the firewall does not know which route to take to get to the server.

Is there a trick if you want to send emails to a local server over IPSEC?


Thanks in advance for your help



  • See how you address the Exchange Server. If you use the external name the UTM could use the internet gateway. But I think you need to use a private IP to connect to the Exchange Server to get to the correct connector.

    So no trick needed, just be aware of DNS and multiple routes to exchange.

    Best

    Alex

    -

  • Hallo Max and welcome to the UTM Community!

    As Alex says, you're right to suspect that the problem is routing and the solution is to send the traffic through the tunnel to the internal IP of the Exchange server.  If your topology is such that you can't cause internal DNS to do that, you could configure the smart host capability in 'Management >> Notifications'.

    Note that pinging is configured on the 'ICMP' tab of 'Firewall'.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
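A small check for the point Alex and Bob make above, added here as an illustration (it is not Sophos code and not part of the UTM): resolve the smart-host name the firewall uses and test whether the answer lies inside the IPsec tunnel's remote networks. A public address would leave via the internet gateway and time out, as the admin notification log shows; a private address inside a tunnel selector goes through the tunnel. All networks, host names and addresses below are constructed.

```python
import ipaddress

# Constructed example: the remote (site-a) networks configured in the site-b
# UTM's IPsec connection, and two ways the Exchange host name might resolve.
TUNNEL_REMOTE_NETWORKS = ["10.1.0.0/24", "10.2.0.0/24"]   # site-a VLAN 1 and VLAN 2 (assumed)
RESOLVED = {
    "mail.example.com": "203.0.113.10",   # external name -> public A record
    "exchange.corp.local": "10.2.0.25",   # internal name -> private IP in VLAN 2
}


def egress_for(ip, tunnel_networks):
    """Return 'ipsec' if ip is covered by a tunnel selector, else 'internet-gateway'."""
    addr = ipaddress.ip_address(ip)
    for net in tunnel_networks:
        if addr in ipaddress.ip_network(net):
            return "ipsec"
    return "internet-gateway"


def check_smarthost(name, resolved, tunnel_networks):
    """Report which path SMTP to the smart host would take and whether that is what we want."""
    ip = resolved.get(name)
    if ip is None:
        return {"host": name, "ip": None, "path": "unresolved", "ok": False}
    path = egress_for(ip, tunnel_networks)
    return {"host": name, "ip": ip, "path": path, "ok": path == "ipsec"}


if __name__ == "__main__":
    for host in RESOLVED:
        r = check_smarthost(host, RESOLVED, TUNNEL_REMOTE_NETWORKS)
        verdict = "OK" if r["ok"] else "will bypass the tunnel"
        print(f"{r['host']:22} -> {r['ip']:15} via {r['path']:17} {verdict}")
```

On a real UTM the same comparison is done with the notification smart host (Management >> Notifications) and the remote networks of the IPsec connection; if the name resolves to a public address, point the smart host at the private Exchange IP or fix internal DNS.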