
IPSec Site-to-Site VPN, SG105 UTMs running 9.705-3, Same LAN, Tunnel up, Traffic will not pass

Hello Everyone,

I was wondering if anyone can help me. I am trying to set up an IPsec Site-to-Site VPN between two SG105 UTMs. Both the local and the remote networks are the same subnet. Unfortunately it would be very difficult to change either side to a different network. I followed this guide, https://support.sophos.com/support/s/article/KB-000034290?language=en_US, but as yet I have been unsuccessful. I was wondering if anything sticks out to anyone as something this guide failed to mention. The tunnel is configured properly and comes up no problem, but traffic will not pass between the two networks.

UTM1 network - 192.168.0.0/22
UTM1 "fake" NATed Network - 172.21.0.0/22
Outgoing Rule - 1:1 NAT Map Source, Local Network > Any > Remote NATed Lan = Source translation: Local NATed Lan
Incoming Rule - 1:1 NAT Map Destination, Remote NATed Lan > Any > Local NATed Lan = Destination translation: Local Network

UTM2 network - 192.168.0.0/22
UTM2 "fake" NATed Network - 172.22.0.0/22
Outgoing Rule - 1:1 NAT Map Source, Local Network > Any > Remote NATed Lan = Source translation: Local NATed Lan
Incoming Rule - 1:1 NAT Map Destination, Remote NATed Lan > Any > Local NATed Lan = Destination translation: Local Network

I used all the automatic firewall rules as well.

I used the /22 network as my fake NATed LAN because it would not let me create a 1:1 NAT between networks of different sizes. Let me know if anyone has an idea where I should start looking.

Thanks, Matt
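The 1:1 NAT plan in the post above, traced as an added Python example (this is not code from the thread or from Sophos): it maps a host address between a real network and its fake NATed network by keeping the host bits, runs the sanity checks a defender would want before building the tunnel (equal sizes, which is the constraint the UTM enforced, and no overlaps), and shows the source/destination pair of a packet at each point between a host behind UTM1 and a host behind UTM2. The host addresses used are constructed; the networks are the ones Matt listed.

```python
import ipaddress

# Addressing plan as posted (real network and "fake" NATed network per side).
UTM1 = {"real": "192.168.0.0/22", "fake": "172.21.0.0/22"}
UTM2 = {"real": "192.168.0.0/22", "fake": "172.22.0.0/22"}


def one_to_one(addr, from_net, to_net):
    """1:1 NAT: move addr from from_net into to_net, keeping the host bits."""
    addr = ipaddress.ip_address(addr)
    from_net = ipaddress.ip_network(from_net)
    to_net = ipaddress.ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs networks of equal size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def plan_errors(side_a, side_b):
    """Checks on the two-sided NAT plan; returns a list of problems (empty = OK)."""
    a_real, a_fake = (ipaddress.ip_network(side_a[k]) for k in ("real", "fake"))
    b_real, b_fake = (ipaddress.ip_network(side_b[k]) for k in ("real", "fake"))
    errors = []
    for real, fake, name in ((a_real, a_fake, "A"), (b_real, b_fake, "B")):
        if real.prefixlen != fake.prefixlen:
            errors.append(f"{name}: real {real} and NATed {fake} differ in size")
        if real.overlaps(fake):
            errors.append(f"{name}: NATed {fake} overlaps real {real}")
    if a_fake.overlaps(b_fake):
        errors.append(f"NATed networks {a_fake} and {b_fake} overlap")
    if a_fake.overlaps(b_real) or b_fake.overlaps(a_real):
        errors.append("a NATed network overlaps the other side's real network")
    return errors


def trace(src_host, dst_host, local, remote):
    """(source, destination) of one packet and its reply at each point on the path.

    The sending host addresses the far-end host by its NATed address, which is
    what the 'Local Network > Any > Remote NATed Lan' outgoing rule matches on.
    """
    src_nated = one_to_one(src_host, local["real"], local["fake"])    # local Map Source
    dst_nated = one_to_one(dst_host, remote["real"], remote["fake"])  # remote Map Destination
    return {
        "client sends":     (str(src_host), str(dst_nated)),
        "inside tunnel":    (str(src_nated), str(dst_nated)),
        "remote host sees": (str(src_nated), str(dst_host)),
        "reply in tunnel":  (str(dst_nated), str(src_nated)),
        "client receives":  (str(dst_nated), str(src_host)),
    }


if __name__ == "__main__":
    print("plan problems:", plan_errors(UTM1, UTM2) or "none")
    # Constructed hosts: 192.168.1.50 behind UTM1 talking to 192.168.2.10 behind UTM2.
    for stage, pair in trace("192.168.1.50", "192.168.2.10", UTM1, UTM2).items():
        print(f"{stage:17s} src={pair[0]:15s} dst={pair[1]}")
```

The trace makes the operational point visible: a host on the UTM1 side never sends to 192.168.2.10 directly (that address is on its own LAN); it sends to 172.22.2.10, and only the two NAT rules turn that into the real address on the far side.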

  • Hi Matt and welcome to the UTM Community!

    Does More VPN between same subnets help?

    If not, please show pictures of the Edits of the IPsec Connection and Remote Gateway for both sides.  Also, confirm that DPD and NAT-T are selected on the 'Advanced' tab and that your NAT rules have 'Automatic firewall rule' selected in both UTMs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the reply Bob,

    Below are the settings for both the remote and local IPsec connections. DPD and NAT-T are both enabled on each side. The auto firewall rule box is checked on both the IPsec settings and the NAT settings.

    One thing I forgot to mention in the original post is that the two sites are currently connected via a 56k two-wire circuit through the telephone company. The hardware on this connection is two 16-year-old Cisco 1700 series routers. This connection is up and operating, but it has become very unreliable as of late, so the time to replace it has come. This is a 24/7 control center operating an asset about 50 miles away, so I can't just shut the old one off and keep it off until I get the new connection talking. In order to test it I start a continual ping from the local site to the remote site and then do a reload command on the Cisco. I know this could be the root of my problem, but I don't know what settings I need to look at in this situation. Back 20 years ago when I took a Cisco class this was called Spanning Tree Protocol? Anyway, I thought this was NOT a small detail to leave out haha.

    Local Side IPsec settings

    Local Side IPsec Remote Gateway

    Remote Side IPsec Settings

    Remote Side IPsec Remote Gateway

  • That looks perfect to me, Matt.  How about a picture of the 'Site-to-site VPN Tunnel Status' from both sides as in my picture below.

    What "traffic" won't pass?  Is there anything in either firewall log?  What about Intrusion Prevention and Application Control?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Intrusion Protection is off on both sides. I don't have web protection enabled on either side; I'm not even licensed for it. Below are the pics of the tunnel status. So when I am trying to test this link I take the old Cisco 56k connection down by rebooting the local router. During the 5 minutes or so that it takes to reboot I check the connection with ping, VNC to a remote machine, and also the control software that the operators use. Nothing will talk to the remote side. Is the Sophos seeing this link and so not routing anything over the VPN? I was wondering about maybe hitting reboot on that router and then somehow clearing the route cache on both UTMs, to see if it then picks that route up. I have a few old machines, so I may download the UTM ISO and set up a small lab. I have also attached a network diagram to give you a better idea of the situation, but I don't know if the resolution is going to work.

    Local tunnel status

    Remote tunnel status

    Network diagram


    Thanks Bob

  • Looks good, Matt, so it's gotta be in the routing.  What are the relevant entries on the 'Routes Table' tab in 'Support >> Advanced'?

    Still, you should check the Intrusion Prevention log as disabling IPS does not disable 'UDP Flood Protection' - see #1 in Rulz (last updated 2021-02-16).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    The only LAN relevant entries on either side are:

    192.168.0.0/22 dev eth0 proto kernel scope link src 192.168.0.190
    broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.190

    Is there a good way to clear this route cache?  If so I could remove the link that I want to replace, clear the caches on both sides, then have it learn the new route.

    Matt
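The two route entries Matt posted, parsed and queried as an added Python example (not code from the thread or from Sophos): it implements the kernel's selection order for these lines, where the local table's host and broadcast entries win and otherwise the longest prefix wins, and reports for a few addresses whether the UTM would treat them as on-link on eth0 or hand them to a gateway. The `default via 203.0.113.1 dev eth1` line is a constructed placeholder, not from the thread, and the lookup only models the plain route table; Linux applies IPsec policies separately, so treat this as one check rather than the whole forwarding picture.

```python
import ipaddress

# The two lines from the thread plus a constructed default route (placeholder gateway).
SAMPLE_ROUTES = """\
192.168.0.0/22 dev eth0 proto kernel scope link src 192.168.0.190
broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.190
default via 203.0.113.1 dev eth1
"""


def parse_routes(text):
    """Parse 'ip route' style lines into dicts with type, dst network, dev, via, table."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        rtype = "unicast"
        if fields[0] in ("broadcast", "local", "unreachable", "blackhole"):
            rtype, fields = fields[0], fields[1:]
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # A bare address (no prefix) is a host entry, as in the broadcast line.
        net = ipaddress.ip_network(dst, strict=False)
        kv = {}
        i = 1
        while i < len(fields) - 1:          # remaining fields come in key/value pairs
            kv[fields[i]] = fields[i + 1]
            i += 2
        routes.append({
            "type": rtype, "dst": net, "dev": kv.get("dev"),
            "via": kv.get("via"), "table": kv.get("table", "main"),
            "scope": kv.get("scope"),
        })
    return routes


def lookup(routes, addr):
    """Best matching route for addr: local-table entries first, then longest prefix."""
    addr = ipaddress.ip_address(addr)
    matches = [r for r in routes if addr in r["dst"]]
    if not matches:
        return None
    matches.sort(key=lambda r: (r["table"] == "local", r["dst"].prefixlen), reverse=True)
    return matches[0]


def classify(text, addrs):
    """For each address, how the kernel would forward it according to the table."""
    routes = parse_routes(text)
    result = {}
    for a in addrs:
        r = lookup(routes, a)
        if r is None:
            result[a] = "no route"
        elif r["type"] == "broadcast":
            result[a] = f"broadcast on {r['dev']}"
        elif r["via"]:
            result[a] = f"via {r['via']} dev {r['dev']}"
        else:
            result[a] = f"on-link dev {r['dev']}"
    return result


if __name__ == "__main__":
    # Constructed addresses: a far-side host's real address, its NATed address, the broadcast.
    for addr, how in classify(SAMPLE_ROUTES, ["192.168.2.10", "172.22.2.10", "192.168.0.0"]).items():
        print(f"{addr:14s} -> {how}")
```

The contrast it shows is the one that matters for an overlapping-subnet design: any 192.168.x.y destination matches the connected /22 and is delivered on eth0 by ARP, while a 172.22.x.y destination falls through to the gateway route, which is where a tunnel or NAT rule has a chance to act on it.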

  • I'd think the safest way would be to reboot the UTMs, Matt.  If that doesn't resolve this, I'd be tempted to get Sophos Support involved to get fresh eyes on the devices.

    You will want to link them to your thread here so they can see that a lot has been checked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA