
IPSEC Site-to-site routing with multiple subnets not working

I have a UTM version 9.705-3 with two subnets, LAN 192.168.100.0/24 on eth0 and WIFI 192.168.200.0/24 on eth2, that are connecting via IPSEC site-to-site VPN to a FortiGate appliance with hundreds of subnets, so I've configured the remote network on the UTM as 10.0.0.0/8.

Here's a text network map

LAN  (eth0) 192.168.100.0/24 \                                        / 10.1.0.0/16
                               UTM  <->  IPSEC VPN  <->  FortiGate  --  10.2.0.0/16
WIFI (eth2) 192.168.200.0/24 /                                        \ ...
                                                                        10.201.0.0/24

Everything works normally from the LAN network on the UTM. But the WIFI network on the UTM cannot communicate over the VPN. I have both local subnets in the VPN SA. When I ping any host on the remote network from the WIFI network I can see the ping go out and the reply come back in using tcpdump on the UTM console but the reply comes in on the LAN interface eth0 and not the WIFI interface eth2. The packet is never routed to the WIFI network and the host where I started the ping gets a connection timeout. What am I doing wrong?

Here's my IPSEC VPN status

And my settings

This thread was automatically locked due to age.
  • I am surprised by ".. but the reply comes in on the LAN interface eth0 ..."

Is there a second possible path between the local and remote networks?

    (a second S2S VPN, or a transfer network between the local and remote networks that allows routing of private IPs)

    Possible to show the captured packets? You may PM me, and we arrange a secure exchange.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • FormerMember

Hi,

    Thank you for reaching out to the Community! 

    Is there any static route configured on your firewall for the wireless network? 

    Thanks,

  • There is no other route possible.

    Here's the tcpdump output. Didn't save the capture to a file.

    listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:08:31.221888 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 0, length 64
    11:08:32.224030 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 1, length 64
    11:08:33.226214 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 2, length 64
    11:08:34.228334 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 3, length 64
    11:08:35.231058 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 4, length 64
    11:08:36.233313 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 5, length 64
    11:08:37.236734 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 6, length 64
    11:08:38.237620 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 7, length 64

    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:08:31.244239 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 0, length 64
    11:08:32.253594 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 1, length 64
    11:08:33.250192 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 2, length 64
    11:08:34.255316 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 3, length 64
    11:08:35.261695 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 4, length 64
    11:08:36.256700 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 5, length 64
    11:08:37.266504 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 6, length 64
    11:08:38.266111 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 7, length 64

  • There is no static route but a route is added (highlighted) when the VPN is connected.

    Here's the route table.

    default via XX.XX.28.1 dev eth1  table 200  proto kernel onlink
    local default dev lo  table 252  scope host
    default via XX.XX.28.1 dev eth1  table default  proto kernel  metric 20 onlink
    10.0.0.0/8 dev eth1  proto ipsec  scope link  src 192.168.100.1
    10.242.2.0/24 dev tun0  proto kernel  scope link  src 10.242.2.1
    XX.XX.28.0/22 dev eth1  proto kernel  scope link  src XX.XX.28.81
    127.0.0.0/8 dev lo  scope link
    192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.1
    192.168.200.0/24 dev eth2  proto kernel  scope link  src 192.168.200.1
    broadcast 10.242.2.0 dev tun0  table local  proto kernel  scope link  src 10.242.2.1
    local 10.242.2.1 dev tun0  table local  proto kernel  scope host  src 10.242.2.1
    broadcast 10.242.2.255 dev tun0  table local  proto kernel  scope link  src 10.242.2.1
    broadcast XX.XX.28.0 dev eth1  table local  proto kernel  scope link  src XX.XX.28.81
    local XX.XX.28.81 dev eth1  table local  proto kernel  scope host  src XX.XX.28.81
    broadcast XX.XX.31.255 dev eth1  table local  proto kernel  scope link  src XX.XX.28.81
    broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    broadcast 192.168.100.0 dev eth0  table local  proto kernel  scope link  src 192.168.100.1
    local 192.168.100.1 dev eth0  table local  proto kernel  scope host  src 192.168.100.1
    broadcast 192.168.100.255 dev eth0  table local  proto kernel  scope link  src 192.168.100.1
    broadcast 192.168.200.0 dev eth2  table local  proto kernel  scope link  src 192.168.200.1
    local 192.168.200.1 dev eth2  table local  proto kernel  scope host  src 192.168.200.1
    broadcast 192.168.200.255 dev eth2  table local  proto kernel  scope link  src 192.168.200.1
    unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
    local default dev lo  table 252  metric 1024

• Just a quick thought: isn't local 10.242.2.0/24 contained in 10.0.0.0/8?

With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, it does. That address is from the SSL remote access tunnel. I've renumbered that network but it doesn't fix my problem.
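An added example (mine, not from any poster in this thread, and not Sophos or FortiGate code): a small Python script that parses the route table posted above, performs the longest-prefix match the kernel applies, flags the 10.242.2.0/24-inside-10.0.0.0/8 overlap Philipp points at, and scans the posted tcpdump excerpt for echo replies that never appear on the interface the table selects for their destination. Helper names (parse_routes, lookup, overlapping_routes, unforwarded_replies) are hypothetical; the redacted WAN addresses (XX.XX.28.x) are replaced by the 192.0.2.0/24 documentation range, and the capture text is a constructed excerpt of the posted lines.

```python
"""Longest-prefix lookup, overlap check and reply-forwarding check over a
Linux `ip route` dump and a tcpdump excerpt (constructed from the thread)."""
import ipaddress
import re
from dataclasses import dataclass

# Forwarding entries from the posted route table; WAN addresses are a
# 192.0.2.0/24 stand-in for the redacted XX.XX.28.0/22 (assumption).
ROUTE_DUMP = """\
default via 192.0.2.1 dev eth1  proto kernel  metric 20 onlink
10.0.0.0/8 dev eth1  proto ipsec  scope link  src 192.168.100.1
10.242.2.0/24 dev tun0  proto kernel  scope link  src 10.242.2.1
192.0.2.0/24 dev eth1  proto kernel  scope link  src 192.0.2.81
127.0.0.0/8 dev lo  scope link
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.1
192.168.200.0/24 dev eth2  proto kernel  scope link  src 192.168.200.1
local 192.168.200.1 dev eth2  table local  proto kernel  scope host  src 192.168.200.1
"""

# Excerpt of the posted capture: requests seen on eth2, replies only on eth0.
CAPTURE = """\
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
11:08:31.221888 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 0, length 64
11:08:32.224030 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 1, length 64
11:08:33.226214 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 2, length 64
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:08:31.244239 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 0, length 64
11:08:32.253594 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 1, length 64
11:08:33.250192 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 2, length 64
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    dev: str
    proto: str


def parse_routes(dump):
    """Parse `ip route` lines into Route objects, skipping local/broadcast/
    unreachable entries, which never forward traffic."""
    routes = []
    for line in dump.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("local", "broadcast", "unreachable"):
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1] if "dev" in tok else "?"
        proto = tok[tok.index("proto") + 1] if "proto" in tok else "static"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev, proto))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def overlapping_routes(routes):
    """Pairs (specific, broad) where a narrower prefix on a different device
    shadows part of a broader one (the default route is ignored)."""
    return [(a, b) for a in routes for b in routes
            if a is not b and a.dev != b.dev and a.network != b.network
            and b.network.prefixlen > 0 and a.network.subnet_of(b.network)]


REPLY_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo reply, id (\d+), seq (\d+)")


def unforwarded_replies(routes, capture):
    """Echo replies that were captured somewhere but never on the interface
    the routing table selects for their destination. Each reply is keyed by
    (src, dst, id, seq); the interface comes from the 'listening on' header."""
    seen = {}
    dev = None
    for line in capture.splitlines():
        hdr = re.search(r"listening on (\S+),", line)
        if hdr:
            dev = hdr.group(1)
            continue
        m = REPLY_RE.search(line)
        if m and dev:
            seen.setdefault(m.groups(), set()).add(dev)
    missing = []
    for (_src, dst, _pid, _seq), devs in seen.items():
        r = lookup(routes, dst)
        if r and r.dev not in devs:
            missing.append((dst, r.dev, sorted(devs)))
    return missing


ROUTES = parse_routes(ROUTE_DUMP)

if __name__ == "__main__":
    for a, b in overlapping_routes(ROUTES):
        print(f"{a.network} on {a.dev} shadows part of {b.network} on {b.dev}")
    for dst, want, got in unforwarded_replies(ROUTES, CAPTURE):
        print(f"reply to {dst} should leave on {want}, only seen on {got}")
```

With the posted table the lookup for 192.168.200.116 selects eth2, so a reply that is only ever captured on another interface was never forwarded onto the WIFI segment; the overlap check also shows that any remote host inside 10.242.2.0/24 would be sent to tun0 rather than into the IPsec /8, which is why renumbering the SSL VPN pool was a reasonable step even though it did not fix this problem.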

  • Hello Ed,

Can you show us the definition of your WiFi and the ethernet interfaces eth0 and eth2, resp. "LAN" and "WiFi", please?

Kind regards,

    Philipp Rusch

  • Hello Ed,

Can you get rid of those IPv6 definitions in your setup?

    Maybe things clear up a little bit, then.

Kind regards,

    Philipp Rusch