VPN remote network routing issue

Hi,
I have three company sites with one ASG120 and two ASG220, normally connected in a full-mesh VPN topology.
I have defined three VPN connections: SiteA-SiteB, SiteA-SiteC, SiteB-SiteC
Site A:
Local network: 192.168.100.0/24
Remote network: 192.168.99.0/24 (Site B)

Local network: 192.168.100.0/24
Remote network: 192.168.101.0/24 (Site C)

Site B
Local network: 192.168.99.0/24
Remote network: 192.168.100.0/24 (Site A)

Local network: 192.168.99.0/24
Remote network: 192.168.101.0/24 (Site C)


Site C
Local network: 192.168.101.0/24
Remote network: 192.168.100.0/24 (Site A)

Local network: 192.168.101.0/24
Remote network: 192.168.99.0/24 (Site B)

Now I would like to realize a star topology VPN network: SiteA-SiteB, SiteA-SiteC.
The hosts in Site C should ping the hosts in Site B without a direct VPN connection.
I set it up like this:

Site A:
Local network: 192.168.100.0/24 and 192.168.101.0/24 (Site C)
Remote network: 192.168.99.0/24 (Site B)

Local network: 192.168.100.0/24
Remote network: 192.168.101.0/24 (Site C)

Site B
Local network: 192.168.99.0/24
Remote network: 192.168.100.0/24 (Site A) and 192.168.101.0/24 (Site C)

All the connections are UP (green), but I can't ping Site C from Site B. I can ping Site B and C from Site A.
The packet filter is set up to allow traffic from B to C.

Any help would be appreciated,

Alex


  • Maybe I misunderstand some info, so I made a demo configuration in a lab.
    3x ASG120

    Site A
      192.168.0.0/24
      Official IP: x.x.x.x

    Site B
      192.168.1.0/24
      Official IP: y.y.y.y

    Site C
      192.168.2.0/24
      Official IP: z.z.z.z

    Step by step:

    Download the X.509 certificate from Site B, name it "FromSite-B", import it at Site A.
    Download the X.509 certificate from Site C, name it "FromSite-C", import it at Site A.
    Download the X.509 certificate from Site A, name it "FromSite-A", import it at Site B and Site C.

    Configuration at Site A
    Site-to-site VPN
      IPsec
        Remote Gateways
          Name: site-B
          Gateway Type: Initiate connection
          Gateway: created with + GW-site-B
            IP: official IP of Site B
            Interface: External-WAN (official IP of Site A)
          Authentication Type: Local X509 Certificate
          Certificate: FromSite-B
          Remote Network: LAN of Site B
    Site-to-site VPN
      IPsec
        Connections
          Name: SiteA-to-SiteB
          Remote Gateway: Site-B
          Local Interface: External WAN
          Policy: AES256
          Local Networks: created with + name: Supernet
            Type: Network
            Address: 192.168.0.0/16
            Interface: Internal
            Netmask: /16 (255.255.0.0)
          Auto packet filter: yes (if you like to check traffic, set no and configure a packet filter)
          Strict routing: no

    I did the same for Site C.

    Next: configuration at Site B and Site C

    Site-to-site VPN
      IPsec
        Remote Gateways
          Name: site-A
          Gateway Type: Initiate connection
          Gateway: created with + GW-site-A
            IP: official IP of Site A
            Interface: External-WAN (official IP of Site B)
          Authentication Type: Local X509 Certificate
          Certificate: FromSite-A
          Remote Network: created with + name: Supernet
            Type: Network
            Address: 192.168.0.0
            Interface: any
            Netmask: /16 (255.255.0.0)

    Site-to-site VPN
      IPsec
        Connections
          Name: SiteB-to-SiteA
          Remote Gateway: Site-A
          Local Interface: External WAN
          Policy: AES256
          Local Networks: Internal (Network)
          Auto packet filter: yes
          Strict routing: no

    This worked for me: ping from Site C to Site B ---> OK, vice versa ---> OK, Site A to Site C ---> OK
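To see why the star configuration in the opening post fails while the /16 "Supernet" in the reply works, the following Python script (an added example written for this page, not Sophos/Astaro code or anything posted in the thread) models policy-based IPsec traffic selectors and traces a Site B to Site C ping hop by hop through each configuration. It also adds a third, least-privilege variant that is not from the thread: explicit per-tunnel prefixes instead of a whole /16. The site names, host addresses, the assumption that Site C kept its old full-mesh entry, and the forwarding rules in the docstring are all assumptions made for illustration.

```python
"""Hop-by-hop model of policy-based IPsec traffic selectors for the hub-and-spoke
setup in this thread. Added example for this page, not Sophos/Astaro code; site
names, prefixes and the forwarding rules are simplifying assumptions:
  * a gateway delivers a packet itself when dst is in its own LAN;
  * otherwise it picks a tunnel whose (local, remote) selector pair contains
    (src, dst) and hands the packet to that peer;
  * the peer accepts only if it holds the mirror selector (its remote contains
    src, its local contains dst); otherwise no SA matches and it is dropped;
  * a packet matching no selector at all is simply not tunnelled.
"""
from ipaddress import ip_address, ip_network


def site(lan, **tunnels):
    """lan: this gateway's own LAN; tunnels: peer -> [(local, remote), ...]
    selector pairs exactly as configured on this box."""
    return {"lan": ip_network(lan),
            "tunnels": {peer: [(ip_network(l), ip_network(r)) for l, r in pairs]
                        for peer, pairs in tunnels.items()}}


def trace(sites, start, src, dst, max_hops=4):
    """Walk src->dst from gateway `start`; returns (delivered, path, reason)."""
    src, dst = ip_address(src), ip_address(dst)
    here, path = start, [start]
    for _ in range(max_hops):
        gw = sites[here]
        if dst in gw["lan"]:
            return True, path, "delivered"
        nxt = next((peer for peer, pairs in gw["tunnels"].items()
                    if any(src in l and dst in r for l, r in pairs)), None)
        if nxt is None:
            return False, path, f"{here}: no selector covers {src}->{dst}"
        mirror = sites[nxt]["tunnels"].get(here, [])  # peer's view of this tunnel
        if not any(src in r and dst in l for l, r in mirror):
            return False, path + [nxt], f"{nxt}: no SA accepts {src}->{dst} from {here}"
        here = nxt
        path.append(here)
    return False, path, "hop limit exceeded"


# 1. The star configuration from the original post. Site C is assumed to keep
#    its full-mesh entry, i.e. it only knows Site A's LAN as remote network.
ORIGINAL_STAR = {
    "A": site("192.168.100.0/24",
              B=[("192.168.100.0/24", "192.168.99.0/24"),
                 ("192.168.101.0/24", "192.168.99.0/24")],
              C=[("192.168.100.0/24", "192.168.101.0/24")]),
    "B": site("192.168.99.0/24",
              A=[("192.168.99.0/24", "192.168.100.0/24"),
                 ("192.168.99.0/24", "192.168.101.0/24")]),
    "C": site("192.168.101.0/24",
              A=[("192.168.101.0/24", "192.168.100.0/24")]),
}

# 2. The /16 "Supernet" configuration from the reply, with its lab addressing.
SUPERNET = {
    "A": site("192.168.0.0/24",
              B=[("192.168.0.0/16", "192.168.1.0/24")],
              C=[("192.168.0.0/16", "192.168.2.0/24")]),
    "B": site("192.168.1.0/24", A=[("192.168.1.0/24", "192.168.0.0/16")]),
    "C": site("192.168.2.0/24", A=[("192.168.2.0/24", "192.168.0.0/16")]),
}

# 3. Least-privilege alternative (assumption, not from the thread): enumerate
#    only the prefixes that must cross each tunnel instead of a whole /16.
EXPLICIT = {
    "A": site("192.168.0.0/24",
              B=[("192.168.0.0/24", "192.168.1.0/24"),
                 ("192.168.2.0/24", "192.168.1.0/24")],
              C=[("192.168.0.0/24", "192.168.2.0/24"),
                 ("192.168.1.0/24", "192.168.2.0/24")]),
    "B": site("192.168.1.0/24",
              A=[("192.168.1.0/24", "192.168.0.0/24"),
                 ("192.168.1.0/24", "192.168.2.0/24")]),
    "C": site("192.168.2.0/24",
              A=[("192.168.2.0/24", "192.168.0.0/24"),
                 ("192.168.2.0/24", "192.168.1.0/24")]),
}

CASES = {  # name -> (config, start gateway, src host, dst host); hosts are made up
    "original B->C": (ORIGINAL_STAR, "B", "192.168.99.10", "192.168.101.10"),
    "original C->B": (ORIGINAL_STAR, "C", "192.168.101.10", "192.168.99.10"),
    "supernet B->C": (SUPERNET, "B", "192.168.1.10", "192.168.2.10"),
    "supernet C->B": (SUPERNET, "C", "192.168.2.10", "192.168.1.10"),
    "explicit B->C": (EXPLICIT, "B", "192.168.1.10", "192.168.2.10"),
    # unrelated 192.168.50.0/24: the /16 drags it into the hub tunnel anyway
    "supernet B->stray": (SUPERNET, "B", "192.168.1.10", "192.168.50.10"),
    "explicit B->stray": (EXPLICIT, "B", "192.168.1.10", "192.168.50.10"),
}


def run_cases():
    return {name: trace(cfg, *rest) for name, (cfg, *rest) in CASES.items()}


if __name__ == "__main__":
    for name, (ok, path, why) in run_cases().items():
        print(f"{name:20} {'OK  ' if ok else 'FAIL'} {'->'.join(path):10} {why}")
```

Running it shows the original star failing at the hub: the packet from 192.168.99.0/24 is accepted over the A-B tunnel, but Site A's connection to C only carries 192.168.100.0/24 as local network, so nothing matches and the return trip fails at Site C for the same reason. Adding Site C's prefix to Site B's remote networks alone is not enough; the hub's A-C connection and Site C's remote network must both include Site B's prefix. The /16 supernet does that wholesale, which is why the reply works, but it also pulls every 192.168.x.x destination into the hub tunnel (the "stray" case) and overlaps each site's own LAN, which this model sidesteps by delivering locally first. The explicit variant carries only what must cross each tunnel, and with the auto packet filter set to no a per-tunnel packet filter can restrict it further; on most policy-based VPN implementations a packet that matches no selector falls back to ordinary routing rather than being dropped, so selector mismatches are worth checking rather than assuming they fail closed.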