
Routing Problem

Hi, I'm facing a little problem I can't solve.

There are two offices, site A and site B.

Site A has a Sophos XG, site B doesn't; they go online via an AVM router (FritzBox). The sites are connected via IPsec VPN from site B's Sophos to site B's AVM router (FritzBox2).

So on site A there's a host (192.168.1.3) that needs to connect to a public IP via a Connector-Device that sits on site B. We tried adding a route on the host:

"route add 100.102.0.0 mask 255.255.0.0 192.168.137.220" but that didn't do the trick.

If I trace route the IP address I need to connect to I get:

  1    <1 ms    <1 ms    <1 ms  192.168.1.254
  2    <1 ms    <1 ms    <1 ms  192.168.2.254
  3  p3e9bf07d.dip0.t-ipconnect.de [62.155.240.125]  meldet: Zielnetz nicht erreichbar.

So it seems I'm not even reaching the 192.168.137.0 net on site B.

Of course I can ping the Connector-Device on site B just fine:

Ping wird ausgeführt für 192.168.137.220 mit 32 Bytes Daten:
Antwort von 192.168.137.220: Bytes=32 Zeit=17ms TTL=62
Antwort von 192.168.137.220: Bytes=32 Zeit=15ms TTL=62
Antwort von 192.168.137.220: Bytes=32 Zeit=15ms TTL=62
Antwort von 192.168.137.220: Bytes=32 Zeit=16ms TTL=62

Ping-Statistik für 192.168.137.220:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 15ms, Maximum = 17ms, Mittelwert = 15ms

Do I need to add a route on the Sophos on site A? The important thing is that this route is only valid for the specific host, so no other host in site A would take that way.

I tried drawing the situation to make it a little clearer. Feel free to ask if I failed to give sufficient information.

Thank you!



  • Hello Tobias,

    Two things: IP is never "one way". Of course you have to have a route back to that host 192.168.1.3 from your other net.

    What your diagram doesn't show is the gateway IP on each of the sites. I understand you have a transfer net 192.168.2.0/24 between the Sophos XG and the FritzBox1.

    Could you add those IPs to the diagram? On Fritzbox2 as well?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Philipp, thanks for your reply and for your advice. I added the gateway IPs in the picture.

    Yes, that's a transfer-net between the Sophos and FritzBox1 on Site A.

    Basically, the 192.168.1.0 network is the local LAN for the Sophos, with 192.168.1.254 as the gateway (and Sophos interface) IP. The Sophos WAN interface IP is 192.168.2.1 and the FritzBox1 has 192.168.2.254 as its interface IP.

    Then on Site B we only have FritzBox2 and 192.168.137.254 as the Gateway for the local LAN.

  • Hello,

    So the tunnel is defined on both FritzBoxes? And not like in your diagram?

    Otherwise, host 192.168.137.220 would not "see" 192.168.2.254.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • No, the tunnel is only between the Sophos and FritzBox2. I'm pretty sure site B doesn't know about 192.168.2.0/24, but I can't check right now, since I only have access to hosts on site A plus the FritzBox on site B.

    Will adding the route to 192.168.2.0 to the FritzBox2 help?

  • No, that won't help. Please show us the screenshot of the edit of the tunnel-definition on the XG.

    And a screenshot of the IPsec-SA when the tunnel is up.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, with SA do you mean the policy?

  • Hello Tobias,

    Is this a tunnel-based VPN or policy-based?

    In either case there need to be firewall rules on the Sophos, best in both directions (and maybe on the FritzBoxes as well). These must include the network 10.102.0.0/16.

    If it is tunnel-based you need to route 192.168.137.220 and 10.102.0.0/16 through the tunnel interface from A to B and the network 192.168.1.0/24 from B to A.

    If it is policy-based IPsec, the configuration needs to contain 10.102.0.0/16 in the IPsec definition on both sites.

    If you don't reach 192.168.137.0/24 from A then the IPsec configuration is not working. It is also a good idea to test in both directions.
    I also think the FritzBox2 is not very relevant for the scenario, as this only provides an internet connection.

    Regards,
    BeEf

  • Hi BeEf, thank you for your reply.

    I think you've misread some things, though.

    We can reach 192.168.137.0/24 from site A just fine; we just want Host 1 on site A to take the route to the public network 100.102.0.0/16 via the Connector on site B (192.168.137.220).

    But I don't know how to achieve this. It seems when I trace an address on 100.102.0.0 it doesn't go through the tunnel but goes directly to WAN via the FritzBox1.

      1    <1 ms    <1 ms    <1 ms  192.168.1.254
      2    <1 ms    <1 ms    <1 ms  192.168.2.254
      3  p3e9bf07d.dip0.t-ipconnect.de [62.155.240.125]  meldet: Zielnetz nicht erreichbar.

    Oh and FritzBox2 doesn't only provide an internet connection but actually establishes the IPSEC tunnel.

  • Hello Tobias,

    could you do a traceroute from host 192.168.1.3 to 192.168.137.220 while the route to gw 192.168.137.220 is still set?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Sure thing:

    C:\Users\Administrator.XXXXX>route add 100.102.0.0 mask 255.255.0.0 192.168.137.220
     OK!
    
    C:\Users\Administrator.XXXX>tracert 192.168.137.220
    
    Routenverfolgung zu 192.168.137.220 über maximal 30 Hops
    
      1    <1 ms    <1 ms    <1 ms  192.168.1.254
      2    17 ms    16 ms    16 ms  192.168.137.220
      3    18 ms    15 ms    15 ms  192.168.137.220
    
    Ablaufverfolgung beendet.
    
    C:\Users\Administrator.XXXX>tracert 100.102.6.8
    
    Routenverfolgung zu 100.102.6.8 über maximal 30 Hops
    
      1    <1 ms    <1 ms    <1 ms  192.168.1.254
      2    <1 ms    <1 ms    <1 ms  192.168.2.254
      3  p3e9bf07d.dip0.t-ipconnect.de [62.155.240.125]  meldet: Zielnetz nicht erreichbar.
    
    Ablaufverfolgung beendet.

    So this is exactly my problem: the ping/trace to 100.102.x.x doesn't go through the tunnel, while the ping to 192.168.137.220 goes through the tunnel (hopping only 192.168.1.254 but not 192.168.2.254!!).

    In my head I imagine I must set a route on the Sophos for it to know that it should route from 192.168.1.3 through the tunnel to 192.168.137.220... but only from that host and only for connections to 100.102.0.0.

    The rest of the 192.168.1.0 network should just use its default route/gateway.
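The two traceroutes above, and BeEf's policy-based versus route-based distinction, can be reproduced with a small forwarding model. This is an added example, not code from the thread or from Sophos: it assumes a simplified policy-based IPsec behaviour in which a packet matching a (local, remote) traffic selector enters the tunnel and everything else follows longest-prefix-match routing, with the site A table and addresses taken from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the site A XG routing table (addresses from the thread).
# Entries are (destination, next hop); next hop None means on-link.
ROUTING_TABLE = [
    (ip_network("192.168.1.0/24"), None),          # LAN
    (ip_network("192.168.2.0/24"), None),          # transfer net to FritzBox1
    (ip_network("0.0.0.0/0"), "192.168.2.254"),    # default route via FritzBox1
]

# Policy-based IPsec traffic selectors as (local_net, remote_net) pairs.
# SELECTORS_ORIGINAL reflects the tunnel as the thread describes it.
SELECTORS_ORIGINAL = [
    (ip_network("192.168.1.0/24"), ip_network("192.168.137.0/24")),
]
# Assumed fix: add the public network as a second remote selector, but only
# for host 192.168.1.3, so the rest of the LAN keeps its default route.
SELECTORS_HOST_ONLY = SELECTORS_ORIGINAL + [
    (ip_network("192.168.1.3/32"), ip_network("100.102.0.0/16")),
]


def next_hop(src, dst, selectors, table=ROUTING_TABLE):
    """Return 'ipsec' if (src, dst) matches a selector, else the LPM next hop.

    Simplified model: selectors are consulted before the routing table, which
    is why a host route on the Windows client cannot pull traffic into a
    policy-based tunnel; the peer must also carry the same selector.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in local and d in remote:
            return "ipsec"
    best = max((r for r in table if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1] or "on-link"


if __name__ == "__main__":
    # Mirrors the thread: 192.168.137.220 enters the tunnel, 100.102.6.8 leaks to WAN.
    print(next_hop("192.168.1.3", "192.168.137.220", SELECTORS_ORIGINAL))
    print(next_hop("192.168.1.3", "100.102.6.8", SELECTORS_ORIGINAL))
    # With the host-scoped selector only 192.168.1.3 is tunnelled.
    print(next_hop("192.168.1.3", "100.102.6.8", SELECTORS_HOST_ONLY))
    print(next_hop("192.168.1.10", "100.102.6.8", SELECTORS_HOST_ONLY))
```

The model only covers the A-to-B direction; as Philipp notes, 192.168.137.220 and FritzBox2 still need a return path for 192.168.1.3.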

  • Yes, try to set a route to 100.102.0.0 with gw 192.168.137.254 just for a quick test. We can refine this later.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
