Routing VPN IPSEC

Good night.

We have an IPSEC VPN between our branch and our headquarters.
In our Branch, we need to access an IP address that is in a Link in our Headquarters. We managed to get to the headquarters, but we were unable to forward the connection to the link.

The branch accesses IP 10.192.43.106 which is in Link2 of the Headquarters.
I would like a suggestion on how to proceed in this case.

I followed what is in this topic but it didn't work: https://community.sophos.com/products/xg-firewall/f/network-and-routing/111938/site-to-site-vpn-and-static-routing

A topology of the environment follows.

  • Hi.
    The VPN is established from the Cisco to another Cisco. There is no VPN between Sophos HO and Cisco, only the local network (10.192.43.xx) that is on the Cisco local interface. This network, as I understand it, is not part of the Cisco VPN tunnel. We use this 10.192.43.xx network to route other networks via the static route, such as 10.33.x.x, 10.50.x.x ....

    I may be mistaken, correct me, but we do not need to have a route to the VPN, as we did not reach the Cisco with the connection.

    Here is a new image to demonstrate what I am talking about. If I need to be clearer, please ask.

  • Somehow this is getting quite complicated.

    What kind of connection do you have between the Sophos HO and the Cisco behind which the network 10.192.43.0/24 lies?

    At the moment your screenshots don't make any sense to me.

    The connection between the two Sophos is a policy-based IPsec.

    Is the connection between the Sophos HO and the Cisco a direct connection? Why do you need to define a WAN interface in the direction of the Cisco?

    My routing "antennas" tell me something here is not right.

    But your information is too patchy for me to put my finger on the real problem.

    May I suggest that before doing trial-and-error on the devices you create an Excel sheet where you define:

    • All the networks you are working with
    • The routers that connect them
    • The routings you need to have them talk together

    Routings are like chains on a geared system.
    Only if the chain-link between all the required components is connected both ways will the packets run the length of your network and the answers know how to get correctly back to their source.

    If any link is missing, the packets (usually the answer) go elliptical and are ejected from the internal network orbit out through the WAN interface to the internet universe, never to be seen again :-)

    In your case the needed routings are:

    • BO Sophos
      • 192.168.0.0/24 -> IPsec to HO Sophos (through IPsec policy)
      • 10.192.43.0/24  -> IPsec to HO Sophos (through IPsec policy)
    • HO Sophos
      • 192.168.50.0/24 -> IPsec to BO Sophos (through IPsec policy)
      • 10.192.43.0/24 -> Connection to Cisco (how?)
    • Cisco
      • 192.168.0.0/24 -> Connection to HO Sophos (how?)
      • 192.168.50.0/24 -> Connection to HO Sophos (how?)

    And of course all the firewall rules need to fit the required traffic too.
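
As an added example (not from the thread or either participant), a small Python route-chain checker that models the three routers and the networks listed above, walks each direction hop by hop with longest-prefix matching, and reports the router where the chain breaks. The router names used as keys and the missing Cisco entry for 192.168.50.0/24 are assumptions that reproduce the "how?" gap in the list above.

```python
"""Route-chain checker for the thread's topology (added example, not the poster's config)."""
import ipaddress

# Router -> directly attached networks. Addresses are those named in the thread;
# the router labels are assumptions.
LOCAL = {
    "BO Sophos": ["192.168.50.0/24"],
    "HO Sophos": ["192.168.0.0/24"],
    "Cisco": ["10.192.43.0/24"],
}

# Routing tables: destination prefix -> next-hop router. The Cisco deliberately lacks
# 192.168.50.0/24 to mirror the unanswered "how?" for the branch's return path.
ROUTES = {
    "BO Sophos": {"192.168.0.0/24": "HO Sophos", "10.192.43.0/24": "HO Sophos"},
    "HO Sophos": {"192.168.50.0/24": "BO Sophos", "10.192.43.0/24": "Cisco"},
    "Cisco": {"192.168.0.0/24": "HO Sophos"},
}

def owner(ip):
    """Return the router directly attached to the network containing ip."""
    addr = ipaddress.ip_address(ip)
    for router, nets in LOCAL.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return router
    raise ValueError(f"no router owns {ip}")

def trace(src_ip, dst_ip, max_hops=8):
    """Walk hop by hop from src to dst; return (reached, list of routers visited)."""
    dst = ipaddress.ip_address(dst_ip)
    router, path = owner(src_ip), [owner(src_ip)]
    for _ in range(max_hops):
        if router == owner(dst_ip):
            return True, path
        nets = [ipaddress.ip_network(p) for p in ROUTES[router]]
        candidates = [n for n in nets if dst in n]
        if not candidates:
            return False, path  # no route: the packet leaves the "orbit" via the default path
        best = max(candidates, key=lambda n: n.prefixlen)  # longest-prefix match
        router = ROUTES[router][str(best)]
        path.append(router)
    return False, path

def check_chain(a_ip, b_ip):
    """A flow works only if both directions reach; name the router where a link is missing."""
    fwd_ok, fwd = trace(a_ip, b_ip)
    rev_ok, rev = trace(b_ip, a_ip)
    broken = None if (fwd_ok and rev_ok) else (fwd if not fwd_ok else rev)[-1]
    return {"forward": fwd, "reverse": rev, "ok": fwd_ok and rev_ok, "breaks_at": broken}

if __name__ == "__main__":
    print(check_chain("192.168.50.10", "10.192.43.106"))  # branch host -> 10.192.43.106
```

Adding `"192.168.50.0/24": "HO Sophos"` to the Cisco table makes the same check report `ok: True`, which is the routing entry the list above leaves open.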

  • Hi.

    I will answer the questions; it may make things clearer, because I don't know all the routes that I need to establish.

    Please ask me more questions so that I can clarify this problem.

    --Is the connection between the Sophos HO and the Cisco a direct connection? Why do you need to define a WAN interface in the direction of the Cisco?

    R: It is a direct connection. I don't know why, but I believe it is a standard established by the system company (car manufacturer).
    • BO Sophos
      • 192.168.0.0/24 -> IPsec to HO Sophos (through IPsec policy)
      • 10.192.43.0/24  -> IPsec to HO Sophos (through IPsec policy)
    • HO Sophos
      • 192.168.50.0/24 -> IPsec to BO Sophos (through IPsec policy)
      • 10.192.43.0/24 -> Connection to Cisco (how?) = Direct connection, via WAN.
    • Cisco
      • 192.168.0.0/24 -> Connection to HO Sophos (how?) = Direct connection, via WAN.
      • 192.168.50.0/24 -> Connection to HO Sophos (how?) = This I don't know how to inform. Because it is what I need to "forward" to the WAN interface.

    Answer me if you need more information. Thank you.