
L2TP Over IPSec with Multiple Subnets

Hi,

I've been having this problem for a while now and have worked with Sophos Support who didn't have an answer for me.  We have our internal network which is 192.168.14.0/23 giving us 192.168.14.0 for the Workstations and 192.168.15.0 for servers / infrastructure.  This works fine inside the network, no problems at all.

We have our VPN setup to lease IPs from the internal DHCP server and authenticate via RADIUS.  This is also working fine, the client connects and they're given an IP address on the 192.168.14.0 subnet as it should be.

The issue we're running into is when you set up the L2TP connection in Windows and it connects, looking at the routes it sets the subnet mask to 255.255.255.0 which essentially locks us into the 192.168.14.0/24 subnet and we can't access the 192.168.15.0 subnet.

Oddly enough when I do a route print (screenshot attached) it shows the gateway as 10.242.1.1 which is the Sophos L2TP Pool object.  This may be normal.

To clarify we CAN ping devices on the 192.168.14.0 subnet - we just need to be able to get to the other subnet so users can connect to things like RDS or operational servers.  Am I missing something obvious?

Any help or advice would be appreciated, hopefully it's just something stupid I'm missing / doing :) 
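
The routing behaviour described in this post can be reproduced offline. The following Python script is an added example, not part of the original thread: it builds a constructed Windows-style route table in which the L2TP client installs only a 192.168.14.0/24 route (mask 255.255.255.0) towards the Sophos pool gateway 10.242.1.1, performs the same longest-prefix match the IP stack does, and shows that a 192.168.15.x server falls through to the default route rather than the tunnel. Adding the /23 route (mask 255.255.254.0) from the poster's manual `route add` fixes the lookup. The local default gateway (192.168.1.1), the interface names and the sample host addresses are assumptions chosen for the demonstration.

```python
import ipaddress

# Constructed route table modelled on the symptoms in the post. The Windows L2TP
# client installs a 192.168.14.0/24 route (mask 255.255.255.0) via the Sophos
# L2TP pool gateway 10.242.1.1; everything else follows the physical interface's
# default route. 192.168.1.1 and the interface names are assumptions.
CLIENT_DEFAULT_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "Ethernet"),          # assumed local default gateway
    ("192.168.14.0/24", "10.242.1.1", "VPN (IF 27)"),  # what the L2TP client installs
]

# Same table after the manual fix from the thread:
#   route add 192.168.14.0 MASK 255.255.254.0 10.242.1.1 IF 27
CLIENT_FIXED_ROUTES = CLIENT_DEFAULT_ROUTES + [
    ("192.168.14.0/23", "10.242.1.1", "VPN (IF 27)"),
]


def mask_covers(network, mask, host):
    """True if host lies inside the route formed by network/mask.

    Explains the root cause: 192.168.14.0 with 255.255.255.0 excludes
    192.168.15.x, while 255.255.254.0 (the /23) includes it.
    """
    route = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return ipaddress.ip_address(host) in route


def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway, interface) tuples.

    Returns the winning (network, gateway, interface) or None. This is the
    same selection rule the Windows IP stack applies to its routing table.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    return best


def reaches_vpn(routes, dst):
    """True if traffic to dst is sent over the L2TP tunnel interface."""
    match = lookup(routes, dst)
    return match is not None and match[2].startswith("VPN")


def report(routes, hosts):
    """Map each host to the interface its traffic would leave on."""
    return {host: lookup(routes, host)[2] for host in hosts}


if __name__ == "__main__":
    # Constructed sample hosts: one workstation, one server in the second half of the /23.
    hosts = ["192.168.14.50", "192.168.15.10"]
    print("Before manual route:", report(CLIENT_DEFAULT_ROUTES, hosts))
    print("After manual route: ", report(CLIENT_FIXED_ROUTES, hosts))
    print("/24 mask covers 192.168.15.10:", mask_covers("192.168.14.0", "255.255.255.0", "192.168.15.10"))
    print("/23 mask covers 192.168.15.10:", mask_covers("192.168.14.0", "255.255.254.0", "192.168.15.10"))
```

The script also confirms that after the fix the workstation traffic still uses the more specific /24 entry, so adding the /23 changes nothing for hosts that already worked; it only picks up the 192.168.15.0 half that the client's own route left to the default gateway.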



  • I meant to add that if I manually add the following route:

    route add 192.168.14.0 MASK 255.255.254.0 10.242.1.1 IF 27

    Then everything works perfectly.  I know I can write a script to add this route when the VPN connects but I'd rather not go down that path as we have users setting this up themselves and I don't want to make things any more complex than it needs to be.

  • I'm a little confused.  10.242.1.0/24 is the default subnet in the "VPN Pool (PPTP)" object.

    There are a lot of things we don't know about your setup.

    1. Do your users have 'Use default gateway on remote network' selected in the Windows L2TP client?
    2. Does your Windows DHCP server correctly assign a subnet mask of 255.255.254.0?
    3. Do you have the Windows firewalls deactivated on your internal devices since they are protected by the UTM's firewall?  I'm mostly thinking here of the servers in 192.168.15.0/24.
    4. Is there a reason you need to have IPs assigned in 192.168.14.0/24 - a reason to not use the default 10.242.2.0/24 and avoid the internal DHCP server?

    The last question arises from the fact that different UTM versions of L2TP/IPsec have had similar routing problems over the years.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA