Site-to-Site Connection with local resource issue

Hi,

We have 2 sites connected using an IPsec connection on our XG Firewalls, which require access to both sites' local resources.

Site A (HQ) - Local Resource (can access resource on Site B)

Site B (Branch) - Local Resource (cannot access resource on Site A)

Site A General Settings, IPsec Connections (XG430)

  • Connection type - Site-to-Site
  • Gateway type - Initiate the connection

Site A Encryption

  • Policy - IKEv2
  • Authentication type - Preshared Key

Gateway Settings

  • Listening interface - Public IP Address (Site A)
  • Local ID type - IPADDRESS
  • Local Subnets
    • 10.242.2.0/24
    • 192.168.0.0/23
    • 10.3.2.0/23
    • 10.3.6.0/23
    • 10.3.8.0/23
  • Gateway Address - Public IP Address (Site B)
  • Remote ID Type - IP Address
  • Remote ID - Public IP Address
  • Remote Subnets
    • 192.168.130.0/24
    • 192.168.82.253 (XG 115, Site C)
    • 10.242.8.0/24

Site B General Settings, IPsec Connections (XG230)

  • Connection type - Site-to-Site
  • Gateway type - Respond Only

Site B Encryption

  • Policy - IKEv2
  • Authentication type - Preshared Key

Gateway Settings

  • Listening interface - Public IP Address (Site B)
  • Local ID type - IPADDRESS
  • Local Subnets
    • 192.168.130.0/24
    • 192.168.82.253 (XG-115, Site C)
    • 10.242.8.0/24
  • Gateway Address - Public IP Address (Site A)
  • Remote ID Type - IP Address
  • Remote ID - Public IP Address
  • Remote Subnets
    • 10.242.2.0/24
    • 192.168.0.0/23
    • 10.3.2.0/23
    • 10.3.6.0/23
    • 10.3.8.0/23

Any help would be much appreciated.

BR,

CJ
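The first thing to verify in a one-way site-to-site problem like the one above is that the phase-2 selectors really are mirror images (Site A's local subnets equal Site B's remote subnets and vice versa) and that the specific failing flow, a Site B host talking to a Site A resource, falls inside the selectors at both ends. The script below is an added example, not code from the post or from Sophos; it encodes the subnet lists exactly as listed above (accepting the "10.3.2.0 /23" spacing and treating a bare host such as 192.168.82.253 as a /32, which is how a single-host selector behaves) and reports any entry that exists on one firewall but is missing from the peer's mirrored list. Function and variable names are my own. A clean result here only proves the tunnel is configured to carry the flow; it does not prove the firewall actually routes the flow into the tunnel, which is the route-precedence question the reply raises.

```python
import ipaddress

# Constructed from the subnet lists in the post above (Site A XG430 <-> Site B XG230).
SITE_A_LOCAL = ["10.242.2.0 /24", "192.168.0.0 /23", "10.3.2.0 /23", "10.3.6.0 /23", "10.3.8.0 /23"]
SITE_A_REMOTE = ["192.168.130.0 /24", "192.168.82.253", "10.242.8.0 /24"]
SITE_B_LOCAL = ["192.168.130.0 /24", "192.168.82.253", "10.242.8.0 /24"]
SITE_B_REMOTE = ["10.242.2.0 /24", "192.168.0.0 /23", "10.3.2.0 /23", "10.3.6.0 /23", "10.3.8.0 /23"]


def to_networks(entries):
    """Parse selector entries as written in the GUI; a bare address becomes a /32 host selector."""
    return {ipaddress.ip_network(e.replace(" ", ""), strict=False) for e in entries}


def mirror_mismatches(a_local, a_remote, b_local, b_remote):
    """Return selectors present on one side but absent from the peer's mirrored list.

    For a site-to-site tunnel, A.local must equal B.remote and A.remote must equal B.local.
    Every list in the result is empty when the two ends mirror each other exactly.
    """
    al, ar, bl, br = map(to_networks, (a_local, a_remote, b_local, b_remote))
    return {
        "a_local_not_in_b_remote": sorted(str(n) for n in al - br),
        "b_remote_not_in_a_local": sorted(str(n) for n in br - al),
        "a_remote_not_in_b_local": sorted(str(n) for n in ar - bl),
        "b_local_not_in_a_remote": sorted(str(n) for n in bl - ar),
    }


def flow_selected(src_ip, dst_ip, local, remote):
    """True when src_ip lies in a local selector and dst_ip in a remote selector of the same end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in n for n in to_networks(local)) and any(dst in n for n in to_networks(remote))


def flow_covered_both_ends(src_ip, dst_ip, a_local, a_remote, b_local, b_remote):
    """Check a Site B -> Site A flow from both perspectives.

    Site B must select it as (local=src, remote=dst); Site A must accept it as
    (remote=src, local=dst) and will use the same pair for the reply packets.
    """
    outbound_from_b = flow_selected(src_ip, dst_ip, b_local, b_remote)
    inbound_at_a = flow_selected(src_ip, dst_ip, a_remote, a_local)
    return outbound_from_b and inbound_at_a


if __name__ == "__main__":
    report = mirror_mismatches(SITE_A_LOCAL, SITE_A_REMOTE, SITE_B_LOCAL, SITE_B_REMOTE)
    for key, missing in report.items():
        print(f"{key}: {missing or 'ok'}")
    # Constructed sample flow: a Site B branch host pinging a Site A resource.
    print("branch -> HQ flow covered at both ends:",
          flow_covered_both_ends("192.168.130.10", "10.3.2.5",
                                 SITE_A_LOCAL, SITE_A_REMOTE, SITE_B_LOCAL, SITE_B_REMOTE))
```

If every mismatch list prints "ok" and the flow is covered at both ends, the selectors are not the cause, and the next step is the packet capture and route-precedence check described in the reply; if a subnet shows up as missing on one side, the branch host's traffic to that subnet will never be offered to the tunnel at all.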
This thread was automatically locked due to age.
Hi: When you generate a PING from any machine behind Site B to Site A end network IPs, are we getting packets out via IPsec in the XG GUI packet capture utility? It may be possible that on the BO end XG, SD-WAN route precedence has a higher preference than VPN, and an existing SD-WAN rule is configured with destination Any, which is forwarding VPN traffic to the SD-WAN rule as well. Please check if any such scenario is applicable to Site B; if yes, then tweak the route precedence and confirm the status for traffic again via GUI packet capture.