Able to establish a connection between sites, but cannot route traffic back and forth to see devices on each side. Cant ping any devices on either end.
Do you have local and remote networks set properly on both sides? Is each sides internal networks that you're trying to connect addressed as different subnets (one side 192.168.1.x and the other 192.168.2.x, for example)? Are you using automatic firewall rules? Are you trying to connect by IP, FQDN, or hostname?
__________________ ACE v8/SCA v9.3
...still have a v5 install disk in a box somewhere.
To answer both your questions both UTM's are running 9.310-11
Both local subnets are different on both sides one is 10.3.10.0, the other is 10.1.0.0, automatic firewall rules are set on each side, when I connect I connect by each sides public ip.
Using UDP as opposed to TCP.
I also followed these instructions on how to initially setup the Site to Site SSL VPN.
Sorry, I should have been more specific. Are you trying to connect to resource on the other side by IP, FQDN, or hostname? That is, if you are trying to connect from 10.3.10.12 to 10.1.0.12, are you using 10.1.0.12, fredspc.domain.com, or fredspc?
__________________ ACE v8/SCA v9.3
...still have a v5 install disk in a box somewhere.
In your initial post, you said "... cannot route traffic back and forth to see devices on each side. Cant ping any devices on either end."
First check #1 in Rulz to see if there's anything related to this issue. My guess is that you will find that the pings are being blocked - you'll probably see this in one of the logs.
If that's the case as I suspect, make a firewall rule in each UTM like '{remote network} -> Ping -> Internal (Network) : Allow'. I believe that selecting 'Automatic firewall rules' in the VPN definition does not include this rule.
I think that the 'Gateway forwards pings' selection on the 'ICMP' tab of 'Network Protection >> Firewall' only creates firewall rules like '{LANs "belonging" to this UTM} - Ping -> Internet : Allow'.
Any luck with that?
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Able to establish a connection between sites, but cannot route traffic back and forth to see devices on each side. Cant ping any devices on either end.
I really struggled with that as well. The only way I found to get through was to add a NAT rule that says any traffic coming in on the SSL VPN tunnel should be SNAT'd to look like it came from the internal network.
This was also the golden ticket for IPSec, PPTP, and L2TP. But in the case of PPTP and L2TP, where all traffic goes through the UTM, two NAT rules are required; one for the local network that SNAT's the source to the LAN address and one for everything else that SNAT's the source to the external WAN address.
Note:
- Test ping Internal LAN of each UTM
- PING maybe block by Server, PC because of difference subnet
- Netbios can't query through difference subnet, so can't ping name.
