
Routing VPN IPSEC

Good night.

We have an IPSEC VPN between our branch and our headquarters.
In our Branch, we need to access an IP address that is in a Link in our Headquarters. We managed to get to the headquarters, but we were unable to forward the connection to the link.

The branch accesses IP 10.192.43.106 which is in Link2 of the Headquarters.
I would like a suggestion on how to proceed in this case.

I followed what is in this topic but it didn't work: https://community.sophos.com/products/xg-firewall/f/network-and-routing/111938/site-to-site-vpn-and-static-routing

A topology of the environment follows.

  • FormerMember

    Hi,

    Thank you for reaching out to the Community!

    Was this Link2 from your Headquarters part of the IPsec tunnel or on the local network?

    Please provide the screenshots of your IPsec configuration, including configured networks.

    Thanks,

  • Hi.

    Thanks for the feedback.


    --Was this Link2 from your Headquarters part of the IPsec tunnel or on the local network?
    Link2 is a VPN with a systems company. At Headquarters we use it to download updates. But at the branch we cannot install this Link.

    - Config Branch OFFICE

    - Config Head OFFICE

    - Capture
    This capture was collected at the HeadOffice Firewall. We can see that the ICMP request arrives. I think we need to forward this connection to Link2.

    Thanks

  • I tried a Policy Routing and was unable to connect.

  • Policy routing (any kind of external routing) does not work for a policy-based IPsec.

    All the required routing is already created by the IPsec.


    Just a basic question to check the "simple" solution:

    • Did you check that the firewall rules on both sides correspond to the traffic you want to pass through it?
  • Hi.

    -- Did you check that the firewall rules on both sides correspond to the traffic you want to pass through it?
    In order to test, I made a rule allowing everything between the two units.
    Here it is.

    This capture is at the firewall in the Head Office; it is a ping from the Branch office to HeadOffice.
    It looks like the packet dies right here. It looks like it needs to be forwarded.
  • Does the remote network on the link (or host 10.192.43.106 on the link) know how to get back to the branch office network?

  • -- Does the remote network on the link (or host 10.192.43.106 on the link) know how to get back to the branch office network?

    Hi, thanks for the reply.
    Yes. It has no network restrictions. At HeadOffice it returns on all the networks we create.
  • OK, so Link2 is another VPN connection? I didn't fully understand that in your previous response, sorry.

    If it is another VPN, do you have the Branch office subnet in that Link2 IPsec connection? If not, you would need to add that branch office subnet to the SA setup on the link, or on the HQ firewall source NAT any traffic from the Branch net destined to the Link2 net with the address of the HQ interface, I would think.

    Nevermind. Based on your addressing for Link2, that looks like a local connection between buildings or ELAN or something perhaps?

    What does a traceroute from the Link2 network to the Branch office look like?

    -Scott

  • Hi.

    Sorry, I didn't understand the answer.
    I will try to be clearer.
    It has a VPN with a Cisco. The Cisco delivers the internal network 10.192.43.xx; this internal network is where the IP 10.192.43.106 that I need to access lives. Thus, the connection from the "BO" does not access the VPN to communicate with this IP. Routes are returned automatically.
    In "HO" all networks are able to communicate with this Link2.

    The 10.192.43.xx network is being delivered in the IPsec tunnel. I think this is right.

    A new topology follows.

    I did an XG traceroute from "BO" to "HO". The packet stops at "HO" as shown.
  • OK, so Link2 is a VPN from the HO Sophos to the Cisco (10.192.43.0/25).

    I could be wrong here (if I am, someone please correct me), but I think you need to make sure you have 192.168.50.0/24 set up in the VPN between the HO Sophos and the Cisco. Do you have that? If a network is not included in the local/remote sides of the VPN setup, it's not getting routed (unless you source NAT traffic from 50.X going to 10.192.43.0/25 to look like it's coming from 192.168.0.1 or something).

    -Scott
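
    Scott's rule above (a policy-based IPsec tunnel only carries packets whose source and destination fall inside its local/remote selectors, so a subnet missing from the selectors is never routed into the tunnel unless it is source NATed to an address that is) can be checked mechanically before touching the firewall. The following is an added Python example, not code from this thread or from Sophos; the HO LAN 192.168.0.0/24 and the second tunnel's selectors are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    """A policy-based IPsec tunnel: only packets whose (src, dst) pair matches a
    local/remote selector pair are encrypted and sent; there is no route to tweak."""
    name: str
    local: list
    remote: list

    def __post_init__(self):
        self.local = [ipaddress.ip_network(n) for n in self.local]
        self.remote = [ipaddress.ip_network(n) for n in self.remote]

    def covers(self, src, dst):
        """True if the selectors cover src -> dst in either direction."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        fwd = any(src in n for n in self.local) and any(dst in n for n in self.remote)
        rev = any(src in n for n in self.remote) and any(dst in n for n in self.local)
        return fwd or rev


def diagnose(path, src, dst, snat_ip=None):
    """Walk the tunnels a packet crosses in order and report the first one whose
    selectors do not cover it. With snat_ip set, model a source NAT rule on the
    firewall in front of that tunnel: the packet is re-checked with the new source."""
    cur_src = src
    for t in path:
        if t.covers(cur_src, dst):
            continue
        if snat_ip and t.covers(snat_ip, dst):
            cur_src = snat_ip  # NAT rewrote the source; later hops see snat_ip
            continue
        return {"ok": False, "tunnel": t.name,
                "fix": f"add the subnet of {src} to the {t.name} selectors, or SNAT it"}
    return {"ok": True, "tunnel": None,
            "fix": (f"SNAT to {snat_ip}" if cur_src != src else None)}


# Constructed topology (assumption, not the poster's real config): branch LAN
# 192.168.50.0/24, HO LAN 192.168.0.0/24, Link2 10.192.43.0/25 behind a second tunnel.
BO_HO = Tunnel("BO-HO", ["192.168.50.0/24"], ["192.168.0.0/24", "10.192.43.0/25"])
HO_LINK2 = Tunnel("HO-Link2", ["192.168.0.0/24"], ["10.192.43.0/25"])
HO_LINK2_FIXED = Tunnel("HO-Link2", ["192.168.0.0/24", "192.168.50.0/24"], ["10.192.43.0/25"])

if __name__ == "__main__":
    print(diagnose([BO_HO, HO_LINK2], "192.168.50.10", "10.192.43.106"))
    print(diagnose([BO_HO, HO_LINK2], "192.168.50.10", "10.192.43.106", snat_ip="192.168.0.1"))
    print(diagnose([BO_HO, HO_LINK2_FIXED], "192.168.50.10", "10.192.43.106"))
```

    The first call reproduces the symptom in the thread (the packet crosses BO-HO but is dropped at the second tunnel); the other two show the two fixes Scott names, adding the branch subnet to the selectors or SNATing at HO.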

  • Hi.
    The VPN is established from the Cisco to another Cisco. There is no VPN between the Sophos HO and the Cisco, only the local network (10.192.43.xx) that is on the Cisco's local interface. This network, as I understand it, is not part of the Cisco VPN tunnel. We use this 10.192.43.xx network to route other networks via static routes, such as 10.33.x.x, 10.50.x.x ....

    I may be mistaken, correct me, but we do not need to have a route to the VPN, as the connection did not reach the Cisco.

    Here is a new image to demonstrate what I am talking about. If you need me to be clearer, please ask.