This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC Site-to-site routing with multiple subnets not working

I have a UTM version 9.705-3 with two subnets, LAN 192.168.100.0/24 on eth0 and WIFI 192.168.200.0/24 on eth2 that are connecting via IPSEC site-to-site VPN to a FortiGate appliance with hundreds of subnets. so I've configured the remote network on the UTM as 10.0.0.0/8.

Here's a text network map

LAN (eth0) 192.168.100.0/24                                                                            10.1.0.0/16

                                                      UTM  <->   IPSEC VPN  <->   FortiGate      10.2.0.0/16

WIFI (eth2) 192.168.200.0/24                                                                            ...

                                                                                                                           10.201.0.0/24

Everything works normally from the LAN network on the UTM. But the WIFI network on the UTM cannot communicate over the VPN. I have both local subnets in the VPN SA. When I ping any host on the remote network from the WIFI network I can see the ping go out and the reply come back in using tcpdump on the UTM console but the reply comes in on the LAN interface eth0 and not the WIFI interface eth2. The packet is never routed to the WIFI network and the host where I started the ping gets a connection timeout. What am I doing wrong?

Here's my IPSEC VPN status

And my settings



This thread was automatically locked due to age.
Parents
  • I am surprised by ".. but the reply comes in on the LAN interface eth0 ..."

    is there a second possible way between the local and remote networks?

    (a second S2S VPN or a transfer-network between local and remote network that allow routing private IP's)

    Possible to show the captured packets? You may PM me, and we arrange a secure exchange.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Reply
  • I am surprised by ".. but the reply comes in on the LAN interface eth0 ..."

    is there a second possible way between the local and remote networks?

    (a second S2S VPN or a transfer-network between local and remote network that allow routing private IP's)

    Possible to show the captured packets? You may PM me, and we arrange a secure exchange.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Children
  • There is no other route possible.

    Here's the tcpdump output. Didn't save the capture to a file.

    listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:08:31.221888 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 0, length 64
    11:08:32.224030 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 1, length 64
    11:08:33.226214 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 2, length 64
    11:08:34.228334 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 3, length 64
    11:08:35.231058 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 4, length 64
    11:08:36.233313 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 5, length 64
    11:08:37.236734 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 6, length 64
    11:08:38.237620 IP 192.168.200.116 > 10.16.0.1: ICMP echo request, id 61954, seq 7, length 64

    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:08:31.244239 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 0, length 64
    11:08:32.253594 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 1, length 64
    11:08:33.250192 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 2, length 64
    11:08:34.255316 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 3, length 64
    11:08:35.261695 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 4, length 64
    11:08:36.256700 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 5, length 64
    11:08:37.266504 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 6, length 64
    11:08:38.266111 IP 10.16.0.1 > 192.168.200.116: ICMP echo reply, id 61954, seq 7, length 64