
Routing-Problem with Redundant Site2Site IPSec VPN

Hi Guys,

I have some Routing-Issues, maybe someone can enlighten me...

I've configured my N:N Tunnel between "UTM A" and "UTM B" as described here: community.sophos.com/.../118975
Communication between the networks is fine so far. Multipath-Rules work flawlessly.

In the HeadOffice, I have "UTM A", IP 10.10.10.1. There is also a Mail-Server (10.10.10.10) and a SNMP-Logserver (10.10.10.15).

In the BranchOffice, I have "UTM B", IP 10.20.20.1. This UTM should send Mail-Notifications like Hotspot Password of the Day and other stuff via the VPN-Tunnel to the Mail-Server in the HeadOffice. SNMP-Traps should be sent as well over the VPN-Tunnel to the SNMP-Logserver in the HeadOffice.

Before I changed the VPN-Tunnel-Setup to N:N as described in the KB article, it worked without any issues.

I can connect to the SNMP- or Mail-Server from any Host within the BranchOffice-Network as well, except for "UTM B" itself.

Because there is no route in the routing table for the respective networks (because of the necessary option "Bind tunnel to local interface"), the UTMs probably don't know / use the Multipath-Rules described in the KB article.

When I traceroute or try to ping for example the SNMP-Logserver from "UTM B", the packet is sent through the WAN-Interface, and not through the VPN-Tunnel.

Is there any way to let "UTM B" know how to find the HeadOffice-Network? I tried various routes and stuff, but I'm not getting anywhere.

Thanks in advance!

Regards,

Thorsten



  • Thorsten, I'm unfamiliar with the term "N:N Tunnel" - what is that?

    I didn't see that the option 'Bind tunnel to interface' was selected in the IPsec Connection, so I don't think Static Routes or Multipathing can work.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Sorry, I meant "N:N internet connection" with regard to the Knowledgebase article I posted above.

    At the end of this article, there is a setup where you need to enable the option "Bind tunnel to local interface", as the second tunnel doesn't come up otherwise.

    Because of that, no routes are added to the routing table after the tunnels come up... And so, the UTM itself does not know where to send packets for the respective network.

  • I'm still not "seeing" this, Thorsten.  Maybe some pictures of what you're seeing?

    Cheers - Bob

  • Hi Bob,

    I just snipped it from the KB-Article

  • Thorsten, that article was written by a smart, talented engineer, but, like most technical writing, it's only easy to follow by the person that wrote it.  Try this article in German that does a much better job: Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE).

    Cheers - Bob

  • Hi Bob,

    thanks for your link. But this tutorial is more or less the same... No, it's actually the same, but in German and with different screenshots.

    You have to activate the option "Bind Tunnel to local Interface" there as well, with the result that the UTM does not add routing information for the tunnels. This behaviour is also described in this tutorial.

    Just to mention it again:

    The tunnel itself between the networks works flawlessly! I haven't had such a fast failover with other setups. Each client in those networks can communicate with the other clients / servers in the other network.

    It is just that the firewall cannot communicate with anything in the remote network anymore after I changed it this way, as no route is set locally and the UTM itself seems not to use the Multipathing rules.

     

    Regards,

    Thorsten

  • Maybe I'm confused about what you mean when you say that "the firewall can not communicate with anything in the remote network."

    There might be a bug/opportunity for improvement.  I recently tried to use Gateway Routes for two different clients.  It seems that only Interface Routes work with bind tunnel to Interface.  Perhaps the same bug is affecting Multipathing.  Can you make this work with Interface Routes?

    Cheers - Bob

  • I'll try to explain in more detail.

    I have Network A (10.10.10.0/24) behind UTM A (10.10.10.1). In Network A, there is a SNMP-LogServer (10.10.10.50). UTM A forwards mails sent to the local interface (10.10.10.1) on a special port via DNAT-Rule to a Mailserver in a DMZ. Those mails are sent through VPN-Tunnels by remote UTMs (Notifications, Password of the Day, ...)

    With a normal VPN-Tunnel (one uplink on both sides, no failover), this works flawlessly. For example: In Network B (10.10.20.0/24) there is UTM B (10.10.20.1). UTM B sends mails to UTM A (10.10.10.1) and sends SNMP Traps to the SNMP-LogServer (10.10.10.50). The route in the routing table is set. Clients in Network B can communicate with servers in Network A and vice versa. Everything perfect.

    With a redundant tunnel (two uplinks, configured as in those HowTos), I have issues. In detail: In Network C (10.10.30.0/24) there is UTM C (10.10.30.1). UTM C tries to send mails to UTM A (10.10.10.1) but fails. UTM C also tries to send SNMP-Traps to the LogServer (10.10.10.50) but fails. There is no route in the routing table, but via Multipath-Rule, clients in Network C can communicate with servers in Network A and vice versa. Just the UTMs can't communicate with the respective remote network.

    I tried Interface-Rules, but to which Interface should I bind the Network? Same link in the Multipath-Rules? Or the local Interface like in the Routing Tables?

     

    I tried everything; the Routing-Table-Entries look like the following:

    Normal Route, added by "normal" IPsec-Tunnel, no redundancy (UTM A to UTM B)
    10.10.10.0/24 dev eth1  proto ipsec  scope link  src 10.10.20.1

    Interface-Route: (WAN with Public IP - Tunnel bound to this Interface)
    10.10.10.0/24 dev eth3  proto static  scope link  metric 5

    Interface-Route: (LAN Internal 10.10.30.1)
    10.10.10.0/24 dev eth0  proto static  scope link  metric 5

    Gateway-Route:
    10.10.10.0/24 via 10.10.30.1 dev eth0  proto static  metric 5

    No Success in either configuration, except for the first one (included as reference).

    Do you have any other Ideas?

    Thanks in advance!


    Thorsten
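
To make the difference between the routing tables quoted above concrete, here is a small added example (my own illustration, not code from Sophos or from this thread): it parses `ip route` lines in the format shown above and applies the kernel's longest-prefix / lowest-metric selection to the UTM's own packets for 10.10.10.50. The default route, the WAN gateway 198.51.100.1, the LAN routes and the interface names are assumptions; Multipath rules are policy routing and are not modelled, so the script only shows what the plain routing table does once the ipsec route is missing.

```python
import ipaddress

def parse_routes(text):
    """Parse 'ip route' style lines: a prefix (or 'default') followed by key/value pairs."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"net": ipaddress.ip_network(prefix, strict=False),
                 "via": None, "dev": None, "proto": None, "src": None, "metric": 0}
        for key, value in zip(tokens[1::2], tokens[2::2]):
            route[key] = int(value) if key == "metric" else value
        routes.append(route)
    return routes

def lookup(routes, dst):
    """Kernel-style selection: longest matching prefix, then lowest metric; None if no match."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def egress(routes, dst):
    """Where a locally generated packet to dst leaves: (device, proto, next hop, preferred source)."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return (r["dev"], r["proto"], r["via"] or "on-link", r["src"])

# Constructed tables. The 10.10.10.0/24 lines are the ones quoted in the thread; the
# default route, the WAN gateway 198.51.100.1 and the LAN routes are assumed.
UTM_B_NORMAL_TUNNEL = """
default via 198.51.100.1 dev eth3 proto static
10.10.20.0/24 dev eth0 proto kernel scope link src 10.10.20.1
10.10.10.0/24 dev eth1 proto ipsec scope link src 10.10.20.1
"""
UTM_C_REDUNDANT_TUNNEL = """
default via 198.51.100.1 dev eth3 proto static
10.10.30.0/24 dev eth0 proto kernel scope link src 10.10.30.1
"""
# The "Interface-Route" attempt from the thread, bound to the WAN interface.
UTM_C_WITH_INTERFACE_ROUTE = UTM_C_REDUNDANT_TUNNEL + "10.10.10.0/24 dev eth3 proto static scope link metric 5\n"

if __name__ == "__main__":
    for table in (UTM_B_NORMAL_TUNNEL, UTM_C_REDUNDANT_TUNNEL, UTM_C_WITH_INTERFACE_ROUTE):
        print(egress(parse_routes(table), "10.10.10.50"))
```

With the ipsec route present the packet leaves on eth1 with source 10.10.20.1; without it the lookup falls through to the default route on the WAN interface, which matches the traceroute in the opening post, and the interface route bound to eth3 makes the kernel treat 10.10.10.50 as directly attached to the WAN link.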

  • This must be because there's an incorrect Multipath rule or a missing rule for the subnet.  Please show pictures of the Edits of the relevant Multipath rules.

    Cheers - Bob
