
VPN CIDR routing problem

I am migrating from EoL Juniper devices to UTM. I am currently replacing a key device "CAR" which is a partial hub for a number of sites. It also links to the wider organisation via OMI. The sites and routes are:

CAR 10.86.128.0/19 which connects to all of:
MOS 10.86.0.0/19
FLO 10.86.64.0/19
LOG 10.89.0.0/16
OVH 10.10.196.0/22
OMI 10.0.0.0/8

So far I can get all of the IPsec SAs to work, but as soon as I enable the link to OMI all other VPN routing stops. I'm suspecting that the VPN routes are not using the CIDR subnets in the correct order of preference. This seems odd. Is this a known issue?



  • You're creating routing conflicts with the OMI subnet.  It's hard to give precise advice without being inside the UTM, but the way forward lies along the path of binding each IPsec Connection to the interface upon which it is defined.  That prevents WebAdmin from building default routes, so you can make Static Routes with the Metric for OMI having lower priority.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
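The conflict Bob describes can be seen directly from the OP's prefix list: every remote site, and CAR's own LAN, sits inside the OMI 10.0.0.0/8 prefix. The following Python script is an added illustration, not code from the thread or from Sophos, and it models two generic selection rules rather than UTM internals: "first selector that matches" (the order-dependent behaviour a policy list exhibits) versus "longest prefix wins" (what a routing table with static routes gives). The site table is the OP's list, re-entered here as constructed input; the destination addresses are made up.

```python
import ipaddress

# Site prefixes copied from the OP's post (constructed table for this example).
# Dict order is used as the "policy order" in the first-match simulation.
SITES = {
    "MOS": "10.86.0.0/19",
    "FLO": "10.86.64.0/19",
    "LOG": "10.89.0.0/16",
    "OVH": "10.10.196.0/22",
    "OMI": "10.0.0.0/8",
}
# CAR's own LAN, also from the OP.
LOCAL_NET = "10.86.128.0/19"


def build_table(sites):
    """Turn the name->CIDR mapping into a list of (name, ip_network)."""
    return [(name, ipaddress.ip_network(cidr)) for name, cidr in sites.items()]


def first_match(table, dst):
    """Policy-style selection: the first selector containing dst wins,
    regardless of how specific it is."""
    addr = ipaddress.ip_address(dst)
    for name, net in table:
        if addr in net:
            return name
    return None


def longest_prefix_match(table, dst):
    """Routing-style selection: the most specific containing prefix wins,
    independent of table order."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, net in table:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def overlaps(sites):
    """List (inner, outer) pairs where one site's prefix lies inside another's."""
    table = build_table(sites)
    found = []
    for a_name, a in table:
        for b_name, b in table:
            if a_name != b_name and a != b and a.subnet_of(b):
                found.append((a_name, b_name))
    return found


def sites_covering_local(sites, local_cidr):
    """Which remote selectors also contain the local LAN prefix."""
    local = ipaddress.ip_network(local_cidr)
    return [name for name, net in build_table(sites) if local.subnet_of(net)]


def compare_orders(sites, dst):
    """Return (first_match with OMI listed first, first_match with OMI listed last,
    longest_prefix_match) for one destination."""
    omi_first = [("OMI", ipaddress.ip_network(sites["OMI"]))] + [
        (n, net) for n, net in build_table(sites) if n != "OMI"
    ]
    omi_last = build_table(sites)  # dict order already puts OMI last
    return (
        first_match(omi_first, dst),
        first_match(omi_last, dst),
        longest_prefix_match(omi_first, dst),
    )


if __name__ == "__main__":
    print("overlapping prefixes:", overlaps(SITES))
    print("selectors covering CAR LAN:", sites_covering_local(SITES, LOCAL_NET))
    for dst in ("10.86.10.5", "10.86.70.1", "10.89.1.1", "10.10.197.9", "10.1.2.3"):
        print(dst, "->", compare_orders(SITES, dst))
```

With OMI listed first, first-match sends every 10.x destination to OMI, which is the "all other VPN routing stops" symptom; with OMI listed last it happens to work, but only by accident of ordering. Longest-prefix matching gives the same answer in either order, which is why Bob's approach of static routes (with OMI as the least-preferred, broadest entry) resolves the conflict where the selector list alone does not. Note that 10.0.0.0/8 also contains CAR's own 10.86.128.0/19, so any fix must still keep the local LAN out of the OMI tunnel.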
  • Hi Bob,

    Thanks for your suggestion.

    After a long time working through different levels of support with Sophos (with lots of head scratching on both sides along the way) I finally got the answer that it is not possible to do classless VPN due to the "overlap" in the network definitions. It seems that UTM uses policy-based VPN only and for it to work with CIDR it would need to use route-based VPN, which it doesn't.

    The workaround options are:

    1. Deploy a Sophos RED at the international datacentre to give my UTM an interface on their network
    2. Deploy a different solution to create the IPsec VPN to the international datacentre and use a static route on my UTM to direct traffic to that different solution.

    Not a pretty outcome, but hopefully this will save someone else the hours that I've spent on this.

    Colin

