I was wondering if anyone can help me. I am trying to set up an IPsec Site-to-Site VPN between 2 SG105 UTMs. Both the local and the remote networks are the same subnet. Unfortunately it would be very difficult to change either side to a different network. I followed this guide, https://support.sophos.com/support/s/article/KB-000034290?language=en_US, but as of yet I am unsuccessful. I was wondering if anything sticks out to anyone as something this guide failed to mention? The tunnel is configured properly and comes up no problem, but traffic will not pass between the two networks.
UTM1 network - 192.168.0.0/22
UTM1 "fake" NATed Network - 172.21.0.0/22
Outgoing Rule - 1:1 NAT Map Source, Local Network > Any > Remote NATed LAN = Source translation: Local NATed LAN
Incoming Rule - 1:1 NAT Map Destination, Remote NATed LAN > Any > Local NATed LAN = Destination translation: Local Network

UTM2 network - 192.168.0.0/22
UTM2 "fake" NATed Network - 172.22.0.0/22
Outgoing Rule - 1:1 NAT Map Source, Local Network > Any > Remote NATed LAN = Source translation: Local NATed LAN
Incoming Rule - 1:1 NAT Map Destination, Remote NATed LAN > Any > Local NATed LAN = Destination translation: Local Network

I used all the automatic firewall rules as well.
I used the /22 network as my fake NATed LAN because it would not let me create 1:1 NAT between networks of different sizes. Let me know if anyone has an idea where I should start looking.
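As an added illustration (not the UTM's own logic and not code from the KB article), this Python model applies the 1:1 NAT mappings listed above to a packet and its reply, and shows why a host at one site has to address the remote host through the peer's NATed range (172.22.x.x as seen from UTM1) rather than its real 192.168.x.x address, which the connected route on eth0 would keep on the local LAN. The host addresses are constructed.

```python
import ipaddress

# Constructed from the thread's configuration (not the UTM's own logic): both
# sites use 192.168.0.0/22 and each is presented to the other through a
# distinct "fake" /22 that the IPsec selectors and 1:1 NAT rules refer to.
SITES = {
    "UTM1": {"lan": "192.168.0.0/22", "nat": "172.21.0.0/22"},
    "UTM2": {"lan": "192.168.0.0/22", "nat": "172.22.0.0/22"},
}
PEER = {"UTM1": "UTM2", "UTM2": "UTM1"}


def map_1to1(addr, from_net, to_net):
    """1:1 NAT: keep the host bits, swap the network prefix."""
    src_net, dst_net = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs networks of the same size")
    host_bits = int(ipaddress.ip_address(addr)) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


def forward(site, src, dst):
    """Trace a packet leaving host `src` at `site` towards `dst`.

    Returns (decision, source on the wire, destination after the peer's DNAT).
    The real /22 is a connected route on eth0, so a destination inside it stays
    on the local LAN and never reaches the tunnel; only the peer's NATed range
    matches the IPsec selector and is translated on both ends.
    """
    me, peer = SITES[site], SITES[PEER[site]]
    if ipaddress.ip_address(dst) in ipaddress.ip_network(me["lan"]):
        return ("local-lan", src, dst)
    if ipaddress.ip_address(dst) in ipaddress.ip_network(peer["nat"]):
        src_wire = map_1to1(src, me["lan"], me["nat"])      # outgoing SNAT here
        dst_real = map_1to1(dst, peer["nat"], peer["lan"])  # incoming DNAT at peer
        return ("ipsec", src_wire, dst_real)
    return ("default-route", src, dst)


def round_trip(site, src, dst):
    """Request and reply: what each host sees when the tunnel is used."""
    decision, src_wire, dst_real = forward(site, src, dst)
    if decision != "ipsec":
        return {"request": decision}
    # The remote host answers the NATed source it saw; its reply is SNATed
    # by its own UTM and DNATed back to the real host at the origin.
    back, reply_src_wire, reply_dst_real = forward(PEER[site], dst_real, src_wire)
    return {"request": decision, "reached": dst_real, "reply": back,
            "reply_seen_from": reply_src_wire, "reply_delivered_to": reply_dst_real}
```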
Hi Matt and welcome to the UTM Community!
Does More VPN between same subnets help?
If not, please show pictures of the Edits of the IPsec Connection and Remote Gateway for both sides. Also, confirm that DPD and NAT-T are selected on the 'Advanced' tab and that your NAT rules have 'Automatic firewall rule' selected in both UTMs.
Cheers - Bob
Thanks for the reply Bob,
Below are the settings for both the remote and local IPsec connections. DPD and Nat-t are both enabled on each side. Auto firewall rule box is checked on both the IPsec settings and the NAT settings.
One thing I forgot to mention in the original post is that the two sites are currently connected via a 56k two-wire circuit through the telephone company. The hardware on this connection is two 16-year-old Cisco 1700 series routers. This connection is up and operating, but it has become very unreliable as of late, so the time to replace it has come. This is a 24/7 control center operating an asset about 50 miles away, so I can't just shut the old one off and keep it off until I get the new connection talking. In order to test it, I start a continual ping from the local site to the remote site and then do a reload command on the Cisco. I know this could be the root of my problem, but I don't know what settings I need to look at in this situation. Back 20 years ago when I took a Cisco class this was called Spanning Tree Protocol? Anyway, I thought this was NOT a small detail to leave out haha.
Local Side IPsec settings
Local Side IPsec Remote Gateway
Remote Side IPsec Settings
Remote Side IPsec Remote Gateway
That looks perfect to me, Matt. How about a picture of the 'Site-to-site VPN Tunnel Status' from both sides as in my picture below.
What "traffic" won't pass? Is there anything in either firewall log? What about Intrusion Prevention and Application Control?
Intrusion Protection is off on both sides. I don't have web protection enabled on either side, not even licensed for it. Below are the pics of the tunnel status. So when I am trying to test this link, I take the old Cisco 56k connection down by rebooting the local router. During the 5 minutes or so that it takes to reboot, I check the connection with ping, VNC to a remote machine, and also the control software that the operators use. Nothing will talk to the remote side. Is the Sophos seeing this link and so it is not routing anything over the VPN? I was wondering about maybe hitting reboot on that router and then somehow clearing the route cache on both UTMs, to see if it then picks that route up. I have a few old machines; I may download the UTM ISO and set up a small lab. I have also attached a network diagram to give you a better idea of the situation, but I don't know if the resolution is going to work.
Local tunnel status
Remote tunnel status
Looks good, Matt, so it's gotta be in the routing. What are the relevant entries on the 'Routes Table' tab in 'Support >> Advanced'?
Still, you should check the Intrusion Prevention log as disabling IPS does not disable 'UDP Flood Protection' - see #1 in Rulz (last updated 2021-02-16).
The only LAN relevant entries on either side are:
192.168.0.0/22 dev eth0 proto kernel scope link src 192.168.0.190
broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.190
Is there a good way to clear this route cache? If so I could remove the link that I want to replace, clear the caches on both sides, then have it learn the new route.
I'd think the safest way would be to reboot the UTMs, Matt. If that doesn't resolve this, I'd be tempted to get Sophos Support involved to get fresh eyes on the devices.
You will want to link them to your thread here so they can see that a lot has been checked.