IPSEC Site-to-site routing with multiple subnets not working

I have a UTM version 9.705-3 with two subnets, LAN 192.168.100.0/24 on eth0 and WIFI 192.168.200.0/24 on eth2, that are connecting via IPSEC site-to-site VPN to a FortiGate appliance with hundreds of subnets, so I've configured the remote network on the UTM as 10.0.0.0/8.

Here's a text network map

    LAN  (eth0) 192.168.100.0/24  \                                        / 10.1.0.0/16
                                   UTM  <->  IPSEC VPN  <->  FortiGate ---  10.2.0.0/16
    WIFI (eth2) 192.168.200.0/24  /                                        \ ...
                                                                             10.201.0.0/24

Everything works normally from the LAN network on the UTM. But the WIFI network on the UTM cannot communicate over the VPN. I have both local subnets in the VPN SA. When I ping any host on the remote network from the WIFI network I can see the ping go out and the reply come back in using tcpdump on the UTM console but the reply comes in on the LAN interface eth0 and not the WIFI interface eth2. The packet is never routed to the WIFI network and the host where I started the ping gets a connection timeout. What am I doing wrong?

Here's my IPSEC VPN status

And my settings

  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Is there any static route configured on your firewall for the wireless network? 

    Thanks,

  • There is no static route but a route is added (highlighted) when the VPN is connected.

    Here's the route table.

    default via XX.XX.28.1 dev eth1  table 200  proto kernel onlink
    local default dev lo  table 252  scope host
    default via XX.XX.28.1 dev eth1  table default  proto kernel  metric 20 onlink
    10.0.0.0/8 dev eth1  proto ipsec  scope link  src 192.168.100.1
    10.242.2.0/24 dev tun0  proto kernel  scope link  src 10.242.2.1
    XX.XX.28.0/22 dev eth1  proto kernel  scope link  src XX.XX.28.81
    127.0.0.0/8 dev lo  scope link
    192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.1
    192.168.200.0/24 dev eth2  proto kernel  scope link  src 192.168.200.1
    broadcast 10.242.2.0 dev tun0  table local  proto kernel  scope link  src 10.242.2.1
    local 10.242.2.1 dev tun0  table local  proto kernel  scope host  src 10.242.2.1
    broadcast 10.242.2.255 dev tun0  table local  proto kernel  scope link  src 10.242.2.1
    broadcast XX.XX.28.0 dev eth1  table local  proto kernel  scope link  src XX.XX.28.81
    local XX.XX.28.81 dev eth1  table local  proto kernel  scope host  src XX.XX.28.81
    broadcast XX.XX.31.255 dev eth1  table local  proto kernel  scope link  src XX.XX.28.81
    broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    broadcast 192.168.100.0 dev eth0  table local  proto kernel  scope link  src 192.168.100.1
    local 192.168.100.1 dev eth0  table local  proto kernel  scope host  src 192.168.100.1
    broadcast 192.168.100.255 dev eth0  table local  proto kernel  scope link  src 192.168.100.1
    broadcast 192.168.200.0 dev eth2  table local  proto kernel  scope link  src 192.168.200.1
    local 192.168.200.1 dev eth2  table local  proto kernel  scope host  src 192.168.200.1
    broadcast 192.168.200.255 dev eth2  table local  proto kernel  scope link  src 192.168.200.1
    unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
    local default dev lo  table 252  metric 1024

  • Just a quick thought: isn't local 10.242.2.0 /24 contained in 10.0.0.0 /8 ?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
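The two questions raised in this thread (which interface the UTM's main routing table picks for each direction of the ping, and whether any locally connected subnet overlaps the 10.0.0.0/8 remote selector) can both be answered mechanically from the `ip route` output posted above. The script below is an example added to this thread, not code from any of the posters or from Sophos. It parses the posted route lines, does the kernel's longest-prefix match per table, and lists every directly connected subnet that overlaps a given IPsec selector. The anonymised XX.XX.28.x WAN addresses from the post are replaced with the documentation range 203.0.113.0/22 purely so the lines parse; that range is an assumption, not the poster's real addresses.

```python
"""Route-table and IPsec-selector diagnostics for a UTM site-to-site case.

Example code added to this thread (not from the original posters).
Route lines are copied from the posted table; the anonymised WAN
addresses are replaced with 203.0.113.0/22 (an assumption) so they parse.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed sample: the posted `ip route` lines, WAN addresses substituted.
ROUTE_TABLE = """\
default via 203.0.113.1 dev eth1  table 200  proto kernel onlink
local default dev lo  table 252  scope host
default via 203.0.113.1 dev eth1  table default  proto kernel  metric 20 onlink
10.0.0.0/8 dev eth1  proto ipsec  scope link  src 192.168.100.1
10.242.2.0/24 dev tun0  proto kernel  scope link  src 10.242.2.1
203.0.113.0/22 dev eth1  proto kernel  scope link  src 203.0.113.81
127.0.0.0/8 dev lo  scope link
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.1
192.168.200.0/24 dev eth2  proto kernel  scope link  src 192.168.200.1
broadcast 10.242.2.0 dev tun0  table local  proto kernel  scope link  src 10.242.2.1
local 10.242.2.1 dev tun0  table local  proto kernel  scope host  src 10.242.2.1
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
"""

ROUTE_TYPES = {"local", "broadcast", "unreachable", "unicast", "prohibit", "blackhole"}
KEYED = {"dev", "via", "src", "proto", "table", "scope", "metric", "error"}


@dataclass
class Route:
    rtype: str
    network: IPNet
    dev: Optional[str] = None
    via: Optional[str] = None
    src: Optional[str] = None
    proto: Optional[str] = None
    table: str = "main"  # a line without "table" lives in the main table


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show table all` style output into Route records."""
    routes: List[Route] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        rtype = "unicast"
        if tokens[0] in ROUTE_TYPES:           # e.g. "local 10.242.2.1 dev tun0 ..."
            rtype, tokens = tokens[0], tokens[1:]
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = Route(rtype=rtype, network=ipaddress.ip_network(dst, strict=False))
        i = 1
        while i < len(tokens):                 # key/value pairs; bare flags like "onlink" are skipped
            key = tokens[i]
            if key in KEYED and i + 1 < len(tokens):
                if key in ("dev", "via", "src", "proto", "table"):
                    setattr(route, key, tokens[i + 1])
                i += 2
            else:
                i += 1
        routes.append(route)
    return routes


def lookup(routes: List[Route], dst: str, table: str = "main") -> Optional[Route]:
    """Longest-prefix match within one table, as the kernel picks an egress interface."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if r.table == table and r.rtype == "unicast" and addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None


def reply_path(routes: List[Route], src_host: str, dst_host: str) -> Tuple[Optional[str], Optional[str]]:
    """For traffic src_host -> dst_host: (interface the request leaves on,
    interface the UTM must forward the reply to, i.e. the route back to src_host)."""
    out, back = lookup(routes, dst_host), lookup(routes, src_host)
    return (out.dev if out else None, back.dev if back else None)


def overlapping_local_networks(routes: List[Route], remote_selector: str) -> List[IPNet]:
    """Directly connected subnets (proto kernel, main table) that overlap the IPsec
    remote selector, so the UTM has a local interface and the tunnel both claiming
    part of the same address space."""
    remote = ipaddress.ip_network(remote_selector)
    nets = {r.network for r in routes
            if r.table == "main" and r.rtype == "unicast" and r.proto == "kernel"
            and r.network.prefixlen > 0 and r.network.overlaps(remote)}
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    for host in ("192.168.100.50", "192.168.200.50"):
        print(host, "-> 10.1.2.3 :", reply_path(ROUTES, host, "10.1.2.3"))
    print("overlaps with 10.0.0.0/8:", [str(n) for n in overlapping_local_networks(ROUTES, "10.0.0.0/8")])
```

Run as-is it reports that a ping from a WIFI host leaves via the `proto ipsec` route on eth1 and that the return route for 192.168.200.50 is eth2, and it flags 10.242.2.0/24 on tun0 as the one local subnet inside 10.0.0.0/8. Two caveats when reading the output: the `src 192.168.100.1` hint on the 10.0.0.0/8 route only chooses the source address for packets the UTM itself originates, not for forwarded traffic from LAN or WIFI hosts, and plain routing does not model the IPsec policy (SA selector) match, so a routing hit on the `proto ipsec` line still requires a matching selector pair for the WIFI subnet on both ends.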
