
Routing VPN IPSEC

Good night.

We have an IPSEC VPN between our branch and our headquarters.
In our Branch, we need to access an IP address that is in a Link in our Headquarters. We managed to get to the headquarters, but we were unable to forward the connection to the link.

The branch accesses IP 10.192.43.106 which is in Link2 of the Headquarters.
I would like a suggestion on how to proceed in this case.

I followed what is in this topic but it didn't work: https://community.sophos.com/products/xg-firewall/f/network-and-routing/111938/site-to-site-vpn-and-static-routing

A topology of the environment follows.

  • Hi,

    Thank you for reaching out to the Community! 

    Was this Link2 from your Headquarters part of the IPsec tunnel or on the local network?

    Please provide the screenshots of your IPsec configuration, including configured networks.

    Thanks, 

  • Hi.

    Thanks for the feedback.

    --Was this Link2 from your Headquarters part of the IPsec tunnel or on the local network?
    Link2 is a VPN with a systems company. At Headquarters we use it to download updates. But at the branch we cannot install this Link.

    - Config Branch OFFICE

    - Config Head OFFICE

    - Capture
    This capture was collected at the HeadOffice Firewall. We can see that the ICMP request arrives. I think we need to forward this connection to Link2.

    Thanks

  • I tried a Policy Routing and was unable to connect.

  • Policy routing (any kind of external routing) does not work for a policy-based IPsec.

    All the required routing is already created by the IPsec.

    Just a basic question to check the "simple" solution:

    • Did you check that the firewall rules on both sides correspond to the traffic you want to pass through it?
  • Hi.

    --Did you check that the firewall rules on both sides correspond to the traffic you want to pass through it?
    In order to test, I made a rule releasing everything between the two units.
    Here it is.

    This capture is at the firewall in the Head Office; it is a ping from the Branch office to HeadOffice.
    It looks like the packet dies right here. It looks like it needs to be forwarded.

  • Does the remote network on the link (or host 10.192.43.106 on the link) know how to get back to the branch office network?

  • --Does the remote network on the link (or host 10.192.43.106 on the link) know how to get back to the branch office network?

    Hi, thanks for the reply.
    Yes. It has no network restrictions. At HeadOffice it returns on all the networks we create.

  • Ok, so Link2 is another VPN connection? I didn't fully understand that in your previous response, sorry.

    If it is another VPN, do you have the Branch office subnet in that Link2 IPSEC connection? If not, you would need to add that branch office subnet to the SA setup on the link, or on the HQ firewall source NAT any traffic from Branch net destined to Link2 Net with the address of the HQ Interface, I would think.

    Never mind. Based on your addressing for the link2, that looks like a local connection between buildings or ELAN or something perhaps?

    What does a traceroute from Link2 Network to Branch office look like?

    -Scott

  • Hi.

    Sorry, I didn't understand the answer.
    I will try to be clearer.
    It has a VPN with a Cisco. The Cisco delivers the internal network 10.192.43.xx; the IP 10.192.43.106 that I need to access is in this internal network. Thus, the connection from the "BO" does not access the VPN to communicate with this IP. Routes are returned automatically.
    In "HO" all networks are able to communicate with this Link2.

    The 10.192.43.xx network is being delivered in the IPSEC tunnel. I think this is right.

    A new topology follows.

    I did an XG traceroute from "BO" to "HO". The packet stops at "HO" as shown.

  • Ok, so Link2 is a VPN from HO Sophos to Cisco (10.192.43.0/25)

    I could be wrong here (if I am, someone please correct me), but I think you need to make sure you have the 192.168.50.0/24 setup in the VPN between the HO Sophos and the Cisco. Do you have that? If a network is not included in the local/remote sides of the VPN setup, it's not getting routed (unless you source NAT traffic from 50.X going to 10.192.43.0/25 to look like it's coming from 192.168.0.1 or something).

    -Scott

  • Hi.
    The VPN is established from the Cisco to another Cisco. There is no VPN between Sophos HO and Cisco, only the local network (10.192.43.xx) that is on the Cisco local interface. This network, as I understand it, is not part of the Cisco VPN tunnel. We use this 10.192.43.xx network to route other networks via static routes, such as 10.33.x.x 10.50.x.x ....

    I may be mistaken, correct me, but we do not need to have a route to the VPN, as we did not reach the Cisco with the connection.

    Here is a new image to demonstrate what I am talking about. If you need it to be clearer, please ask.

  • Somehow this is getting quite complicated.

    What kind of connection do you have between the Sophos HO and the Cisco behind which the network 10.192.43.0/24 lies?

    At the moment your screenshots don't make any sense to me.

    The connection between the two Sophos is a policy-based IPsec.

    The connection between the Sophos HO and the Cisco, is it a direct connection? Why do you need to define a WAN interface in the direction to the Cisco?

    My routing "antennas" tell me something here is not right.

    But your information is too patchy for me to put my finger on the real problem.

    May I suggest that before doing trial-and-error on the devices you create an Excel sheet where you define:

    • All the networks you are working with
    • The routers that connect them
    • The routings you need to have them talk together

    Routings are like chains on a geared system.
    Only if the chain-link between all the required components is connected both ways will the packets run the length of your network and the answers know how to get correctly back to their source.

    If any link is missing, the packets (usually the answer) go elliptical and are ejected from the internal network orbit out through the WAN interface to the internet universe, never to be seen again :-)

    In your case the needed routings are:

    • BO Sophos
      • 192.168.0.0/24 -> IPsec to HO Sophos (through IPsec policy)
      • 10.192.43.0/24  -> IPsec to HO Sophos (through IPsec policy)
    • HO Sophos
      • 192.168.50.0/24 -> IPsec to BO Sophos (through IPsec policy)
      • 10.192.43.0/24 -> Connection to Cisco (how?)
    • Cisco
      • 192.168.0.0/24 -> Connection to HO Sophos (how?)
      • 192.168.50.0/24 -> Connection to HO Sophos (how?)

    And of course all the firewall rules need to fit the required traffic too.
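    The "chain" argument above, as an added example that is not part of the thread: a small Python model of the three route tables listed in the post (a constructed approximation of the topology; the device names and next-hop values are assumptions taken from that list), with a check that walks the request path and then the reply path, which is how the Cisco's missing route back to 192.168.50.0/24 shows up.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the three routers from the routing list in the post
# above. "local" = directly attached; otherwise the value is the next-hop
# device. The Cisco deliberately has no route back to 192.168.50.0/24 (BO).
TABLES = {
    "BO Sophos": {
        "192.168.50.0/24": "local",
        "192.168.0.0/24": "HO Sophos",   # through IPsec policy
        "10.192.43.0/24": "HO Sophos",   # through IPsec policy
    },
    "HO Sophos": {
        "192.168.0.0/24": "local",
        "192.168.50.0/24": "BO Sophos",  # through IPsec policy
        "10.192.43.0/24": "Cisco",       # direct connection via WAN
    },
    "Cisco": {
        "10.192.43.0/24": "local",
        "192.168.0.0/24": "HO Sophos",   # direct connection via WAN
    },
}

def lookup(device, dst, tables=TABLES):
    """Longest-prefix match of dst in a device's table; None if no route."""
    best = None
    for prefix, hop in tables[device].items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]

def walk(start, dst, tables=TABLES, max_hops=8):
    """Follow next hops toward dst; returns (delivered, path, device_lacking_route)."""
    path, device = [start], start
    for _ in range(max_hops):
        hop = lookup(device, dst, tables)
        if hop is None:
            return False, path, device      # chain broken at this device
        if hop == "local":
            return True, path, None         # delivered to attached network
        device = hop
        path.append(device)
    return False, path, device              # hop limit hit: routing loop

def check_bidirectional(src_ip, dst_ip, tables=TABLES):
    """The 'chain' check: the request path AND the reply path must both deliver."""
    src_dev = next(d for d in tables if lookup(d, src_ip, tables) == "local")
    fwd = walk(src_dev, dst_ip, tables)
    rev = walk(fwd[1][-1], src_ip, tables) if fwd[0] else (False, [], None)
    return {"forward": fwd, "reply": rev}
```

    Running `check_bidirectional("192.168.50.10", "10.192.43.106")` delivers the request BO -> HO -> Cisco but the reply stops at the Cisco, the same place the captures in this thread show the ping dying; adding a Cisco route for 192.168.50.0/24 via the HO Sophos closes the chain.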

  • Hi.

    I will answer the questions; it may be clearer, because I don't know all the routes that I need to establish.

    Please ask me more questions so that I can clarify this problem.

    --The connection between the Sophos HO and the Cisco is it a direct connection? Why do you need to define a WAN interface in the direction to the Cisco?

    A: It is a direct connection. I don't know why, but I believe it is a standard established by the system company (car manufacturer).

    • BO Sophos
      • 192.168.0.0/24 -> IPsec to HO Sophos (through IPsec policy)
      • 10.192.43.0/24  -> IPsec to HO Sophos (through IPsec policy)
    • HO Sophos
      • 192.168.50.0/24 -> IPsec to BO Sophos (through IPsec policy)
      • 10.192.43.0/24 -> Connection to Cisco (how?) = Direct connection, via WAN.
    • Cisco
      • 192.168.0.0/24 -> Connection to HO Sophos (how?) = Direct connection, via WAN.
      • 192.168.50.0/24 -> Connection to HO Sophos (how?) = This I don't know how to inform. Because it is what I need to "forward" to the WAN interface.

    Answer me if you need more information. Thank you