Issue routing between Site-to-Site VPNs

I have an XGS 126, an XGS 3300 and a Cisco 5512 with site-to-site VPNs connected as follows:

XGS 126 --> XGS 3300 --> ASA 5512

I have the 126 and the 3300 connected via a route-based VPN, and traffic is flowing through that tunnel without issue.

XGS 126 local LAN is 10.1.10.0/24

XGS 3300 local LAN is 10.2.10.0/24

Cisco 5512 local LAN is 192.168.4.0/24

XGS 126 routes are configured as:


0.0.0.0 173.12.182.126 0.0.0.0 UG 0 0 0 Port2
4.4.4.0 0.0.0.0 255.255.255.0 U 0 0 0 xfrm1
10.1.10.0 0.0.0.0 255.255.255.0 U 0 0 0 Port3.10
10.2.10.0 0.0.0.0 255.255.255.0 U 0 0 0 xfrm1
10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
173.12.182.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
192.168.2.0 0.0.0.0 255.255.254.0 U 0 0 0 Port3
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 xfrm1

XGS 3300 routes:

0.0.0.0 173.12.182.126 0.0.0.0 UG 0 0 0 Port2
3.3.3.0 0.0.0.0 255.255.255.0 U 0 0 0 xfrm1
10.1.10.0 0.0.0.0 255.255.255.0 U 0 0 0 xfrm1
10.2.10.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1.20
10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
173.12.182.120 0.0.0.0 255.255.255.248 U 0 0 0 Port2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 Port3
192.168.2.0 0.0.0.0 255.255.254.0 U 0 0 0 Port1
192.168.2.0 0.0.0.0 255.255.254.0 U 0 0 0 PortMGMT
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0

Cisco 5512 routes

S* 0.0.0.0 0.0.0.0 [1/0] via 50.201.35.37, outside
S 10.1.10.0 255.255.255.0 [1/0] via 50.201.35.37, outside
S 10.100.2.0 255.255.255.0 [1/0] via 192.168.4.2, inside
S 67.51.253.128 255.255.255.128 [1/0] via 192.168.4.2, inside
S 192.168.0.0 255.255.254.0 [1/0] via 192.168.4.2, inside
S 192.168.2.0 255.255.254.0 [1/0] via 192.168.4.2, inside
C 192.168.4.0 255.255.255.0 is directly connected, inside
L 192.168.4.1 255.255.255.255 is directly connected, inside
S 192.168.8.0 255.255.254.0 [1/0] via 192.168.4.2, inside
S 192.168.14.0 255.255.255.0 [1/0] via 192.168.4.2, inside
S 192.168.15.0 255.255.255.0 [1/0] via 192.168.4.2, inside
S 192.168.18.0 255.255.255.0 [1/0] via 192.168.4.2, inside
S 192.168.68.0 255.255.254.0 [1/0] via 192.168.4.2, inside
C 192.168.255.0 255.255.255.0 is directly connected, DMZ
L 192.168.255.1 255.255.255.255 is directly connected, DMZ
S 192.169.10.128 255.255.255.128 [1/0] via 192.168.4.2, inside
S 192.169.11.128 255.255.255.128 [1/0] via 192.168.4.2, inside

The firewall rules on both Sophos firewalls include a VPN-to-VPN rule allowing the traffic. When I do a traceroute from 10.1.10.0/24 it hits the Sophos xfrm1 virtual port with IP address 3.3.3.3:

Tracing route to 192.168.4.6 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 10.1.10.1
2 2 ms 1 ms 1 ms 3.3.3.3
3 * * * Request timed out.

I also ran a constant ping from 10.1.10.0/24 and captured the packets on the XGS 3300. I can see the ICMP packets come in on xfrm1 with a source IP address of 4.4.4.4 and a destination of 192.168.4.6, and leave on the ipsec0 port.

I am curious as to what my issue is. I have a feeling it is on the ASA side that is not configured quite right. 

I have the IPsec tunnel between the XGS 3300 and the Cisco 5512 configured as follows:

5512:

Local Network is the inside network of 192.168.4.0/24

Remote Networks are 10.1.10.0 and 10.2.10.0

XGS 3300: 

Local Network 10.2.10.0/24

Remote Network 192.168.4.0/24

Any thoughts? 

Let me know if you need further info



  • Hello there,

    Thank you for contacting the Sophos Community.

    Are the packets leaving towards the Cisco device? (This part wasn't 100% clear to me.) If they are, try doing a tcpdump on the Cisco to see whether the packets arrive there; it could be that the IP the Cisco is seeing is the xfrm one.

    Also, in the routing table of the Cisco, I don't see the 10.2.x network.

    Regards,

  • Packets are leaving the 3300. Note that I changed the virtual interface IPs on both the 126 and the 3300 from 4.4.4.1 and 4.4.4.2 to 3.3.3.1 and 3.3.3.2. The source IP below is the 126 virtual interface.

    I did a tcpdump on the ASA and I do not see this traffic hitting the ASA and also added a static route for 10.2.10.0. 

    I also noticed I had the wrong next-hop gateway on the ASA, which was 50.201.35.37. The 3300 gateway is 173.12.182.125. The routing table now looks like this:

    Gateway of last resort is 50.201.35.37 to network 0.0.0.0

    S* 0.0.0.0 0.0.0.0 [1/0] via 50.201.35.37, outside
    S 3.3.3.0 255.255.255.0 [1/0] via 173.12.182.125, outside
    S 10.1.10.0 255.255.255.0 [1/0] via 173.12.182.125, outside
    S 10.2.10.0 255.255.255.0 [1/0] via 173.12.182.125, outside
    S 10.100.2.0 255.255.255.0 [1/0] via 192.168.4.2, inside
    C 50.201.35.36 255.255.255.252 is directly connected, outside
    L 50.201.35.38 255.255.255.255 is directly connected, outside
    S 67.51.253.128 255.255.255.128 [1/0] via 192.168.4.2, inside
    S 172.16.0.0 255.255.0.0 [1/0] via 192.168.4.2, inside
    S 192.168.0.0 255.255.254.0 [1/0] via 192.168.4.2, inside
    S 192.168.2.0 255.255.254.0 [1/0] via 192.168.4.2, inside
    C 192.168.4.0 255.255.255.0 is directly connected, inside
    L 192.168.4.1 255.255.255.255 is directly connected, inside
    S 192.168.8.0 255.255.254.0 [1/0] via 192.168.4.2, inside
    S 192.168.14.0 255.255.255.0 [1/0] via 192.168.4.2, inside
    S 192.168.15.0 255.255.255.0 [1/0] via 192.168.4.2, inside
    S 192.168.18.0 255.255.255.0 [1/0] via 192.168.4.2, inside
    S 192.168.68.0 255.255.254.0 [1/0] via 192.168.4.2, inside
    C 192.168.255.0 255.255.255.0 is directly connected, DMZ
    L 192.168.255.1 255.255.255.255 is directly connected, DMZ
    S 192.169.10.128 255.255.255.128 [1/0] via 192.168.4.2, inside
    S 192.169.11.128 255.255.255.128 [1/0] via 192.168.4.2, inside

  • FormerMember, in reply to IT Department58:

    5512:

    Local Network is the inside network of 192.168.4.0/24

    Remote Networks are 10.1.10.0 and 10.2.10.0

    XGS 3300: 

    Local Network 10.2.10.0/24

    Remote Network 192.168.4.0/24

    Assuming you've added the 10.1.10.0/24 network under the local subnet at the XGS 3300 end.

     

    As per the packet capture, it seems traffic from the XGS 126 to the 192.168.4.0/24 network is being translated (SNAT) to the xfrm1 interface IP 3.3.3.1.

    Now, as mentioned, the IPsec tunnel configured between the XGS 3300 and the Cisco 5512 has only the child SA information below.

    10.1.10.0/24 | 10.2.10.0/24 | 192.168.4.0/24


    Try to forward LAN-to-VPN traffic from the XGS 126 with the original source (without SNAT), or add the xfrm interface network (3.3.3.x) to the IPsec tunnel configured between the XGS 3300 and the Cisco 5512.
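The diagnosis in the reply above comes down to two lookups: longest-prefix-match routing on each Sophos box (which is why the packet lands on xfrm1 and then ipsec0), and the child SA traffic selectors on the policy-based tunnel to the ASA (which is why a packet whose source has been SNATed to 3.3.3.1 matches none of them). The script below is an added example, not code from Sophos, Cisco or anyone in this thread. It copies the relevant route entries from the thread, models the tunnel selectors exactly as the reply lists them, and treats "source not covered by any selector" as "not carried through the tunnel" (a simplification: it ignores firewall rules and the ASA's own crypto map). The `snat` argument, the `trace` function and the sample host 10.1.10.50 are constructed for the example; it also carries the reply's two fixes through (original source, or adding 3.3.3.0/24 as a selector).

```python
from ipaddress import ip_address, ip_network

# Route tables copied from the thread as (destination, netmask, egress interface);
# only the entries that matter for the 10.1.10.0/24 -> 192.168.4.0/24 path are kept.
ROUTES = {
    "XGS 126": [
        ("0.0.0.0", "0.0.0.0", "Port2"),
        ("10.1.10.0", "255.255.255.0", "Port3.10"),
        ("10.2.10.0", "255.255.255.0", "xfrm1"),
        ("192.168.4.0", "255.255.255.0", "xfrm1"),
    ],
    "XGS 3300": [
        ("0.0.0.0", "0.0.0.0", "Port2"),
        ("10.1.10.0", "255.255.255.0", "xfrm1"),
        ("10.2.10.0", "255.255.255.0", "Port1.20"),
        ("192.168.4.0", "255.255.255.0", "ipsec0"),
    ],
}

# Child SA traffic selectors of the XGS 3300 <-> ASA 5512 tunnel as the reply
# describes them: (local subnet, remote subnet).
CHILD_SA = [
    (ip_network("10.1.10.0/24"), ip_network("192.168.4.0/24")),
    (ip_network("10.2.10.0/24"), ip_network("192.168.4.0/24")),
]

# The reply's second fix: also cover the xfrm transit network (3.3.3.x).
WIDER_SA = CHILD_SA + [(ip_network("3.3.3.0/24"), ip_network("192.168.4.0/24"))]


def lookup(device, dst):
    """Longest-prefix match: return the egress interface for dst on device."""
    dst = ip_address(dst)
    best_net, best_iface = None, None
    for net, mask, iface in ROUTES[device]:
        n = ip_network(f"{net}/{mask}")
        if dst in n and (best_net is None or n.prefixlen > best_net.prefixlen):
            best_net, best_iface = n, iface
    return best_iface


def sa_for(src, dst, selectors):
    """Return the (local, remote) selector pair covering src -> dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if src in local and dst in remote:
            return (str(local), str(remote))
    return None


def trace(src, dst, snat=None, selectors=CHILD_SA):
    """Walk XGS 126 -> XGS 3300 -> ipsec0 and report whether the packet can
    enter the policy-based tunnel to the ASA.  `snat` (hypothetical) models a
    LAN-to-VPN rule on the XGS 126 that masquerades to the xfrm1 address."""
    hops = []
    iface = lookup("XGS 126", dst)
    hops.append(("XGS 126", iface))
    if iface == "xfrm1" and snat:
        src = snat  # the packet now carries the xfrm1 IP as its source
    iface = lookup("XGS 3300", dst)
    hops.append(("XGS 3300", iface))
    sa = sa_for(src, dst, selectors) if iface == "ipsec0" else None
    return {"src": src, "hops": hops, "child_sa": sa, "tunnelled": sa is not None}


if __name__ == "__main__":
    # Constructed sample: a host in 10.1.10.0/24 pinging 192.168.4.6, as in the thread.
    print(trace("10.1.10.50", "192.168.4.6", snat="3.3.3.1"))  # no child SA matches
    print(trace("10.1.10.50", "192.168.4.6"))                   # original source: matches
    print(trace("10.1.10.50", "192.168.4.6", snat="3.3.3.1", selectors=WIDER_SA))
```

Run as-is it prints the three scenarios; the first shows the packet reaching ipsec0 with source 3.3.3.1 and `child_sa: None`, which is the state the captures in this thread describe. The same structure (LPM per hop, then a selector check at the tunnel interface) is what you would extend with the firewall rule set if you wanted to reproduce the full forwarding decision.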