Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 3 subscribers
  • Views 2273 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec Tunnel cannot connect to 2 Remote Networks at once

Craig Reitano

I have a Site to Site VPN IPsec tunnel established in Sophos UTM9.

I need to add two remote networks and be able to telnet to both networks.

When I add the addresses in individually I am able to telnet to each address HOWEVER when I add both remote networks in I am only able to telnet to the last entry that I added in and no longer able to telnet to the first entry that was in.

When I add "ANY" to remote networks I can telnet to both networks however the internet connection drops..

Network one is 172.31.0.0/16 and network two is 10.0.0.0/16 I know they both work individually..  but as soon as both are added into Remote Networks only the last one added in will work they both won't work concurrently

Any suggestions?



This thread was automatically locked due to age.
  • 0

    Further to this we are getting un-replied packets from the network on the VPN that gets added in to remote networks second, but it is fine again once we remove the other network vise-versa, PLEASE HELP this has got me puzzled... spent hours on it to no avail....

  • 0

    Hi Craig and welcome to the UTM Community!

    How about a picture of the 'Site-to-site VPN Tunnel Status' with the entry opened when you have both subnets in 'Remote Networks'?

    Also, let's look at the IPsec log:

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    2021:03:23-17:09:46 yagsg135 pluto[10691]: added connection description "S_REF_IpsSitGpox2_0"
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: initiating Main Mode
    2021:03:23-17:09:46 yagsg135 pluto[10691]: added connection description "S_REF_IpsSitGpox2_1"
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: received Vendor ID payload [XAUTH]
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: received Vendor ID payload [Dead Peer Detection]
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: received Vendor ID payload [RFC 3947]
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: enabling possible NAT-traversal with method 3
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: NAT-Traversal: Result using RFC 3947: peer is NATed
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: Peer ID is ID_IPV4_ADDR: '52.65.171.231'
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: Dead Peer Detection (RFC 3706) enabled
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2825: ISAKMP SA established
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_1" #2826: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2825}
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2827: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2825}
    2021:03:23-17:09:46 yagsg135 pluto[10691]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitGpox2" address="194.223.xxx.xx" local_net="192.168.1.0/24" remote_net="172.31.0.0/16"
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_1" #2826: sent QI2, IPsec SA established {ESP=>0xce751aff <0xafe60675 NATOA=0.0.0.0 DPD}
    2021:03:23-17:09:46 yagsg135 pluto[10691]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitGpox2" address="194.223.xxx.xx" local_net="192.168.1.0/24" remote_net="10.0.0.0/16"
    2021:03:23-17:09:46 yagsg135 pluto[10691]: "S_REF_IpsSitGpox2_0" #2827: sent QI2, IPsec SA established {ESP=>0xc2273342 <0x7bdfa645 NATOA=0.0.0.0 DPD}
    2021:03:23-17:10:13 yagsg135 pluto[10691]: forgetting secrets
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loading secrets from "/etc/ipsec.secrets"
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loaded PSK secret for 194.223.xxx.xx 52.65.171.231
    2021:03:23-17:10:13 yagsg135 pluto[10691]: listening for IKE messages
    2021:03:23-17:10:13 yagsg135 pluto[10691]: forgetting secrets
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loading secrets from "/etc/ipsec.secrets"
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loaded PSK secret for 194.223.xxx.xx 52.65.171.231
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaSigVpnSigniCa.pem'
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2021:03:23-17:10:13 yagsg135 pluto[10691]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2021:03:23-17:10:13 yagsg135 pluto[10691]: Changing to directory '/etc/ipsec.d/crls'

    Here is a screen shot of site to site tunnel both up.... however now only able to Telnet to the last one I added in...  for example I can telnet 172.31.0.0 then 10.0.0.0 cannot be connected via telnet.

    As soon as I remove 172.31.0.0 from remote networks I can telnet to 10.0.0.0 again 

  • 0 in reply to Craig Reitano

    That all looks good.  If you have 'Bind to interface' selected in the IPsec Connection and you don't have manual static routes configured, try unbinding  an toggle the WAN interfaces off/on.  Any luck?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    No static routes are configured, Bind to interface has not been enabled on this one, no luck after toggling WAN interfaces on and off UTM has been rebooted as well.

    Out of ideas here... 

  • 0 in reply to BAlfson

    I am trying to telnet to the IP addresses of devices on ports for example

    10.0.30.xx 80

    and 172.31.31.xx 1433

    When I add them in as individual (single) entries in remote networks I can telnet successfully to both of above.

    It's when the multiple entries in it causes an issue and stops initial (first) remote network that was added in from connecting..

    As mentioned if i set remote networks to "ANY" i can successfully telnet to both addresses but then the issue is internet connection goes down so not a solution....

  • 0 in reply to Craig Reitano

    Your config looks good to me, Craig.  Hopefully, you've already opened a support case with Sophos.  Please let us know what they find.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML