Routing Problem

Hi, I'm facing a little problem I can't solve.

There are two offices, site A and site B.

Site A has a Sophos XG, site B doesn't; they go online via an AVM router (FritzBox). The sites are connected via IPsec VPN from site B's Sophos to site B's AVM router (FritzBox2).

So on site A there's a host (192.168.1.3) that needs to connect to a public IP via a connector device that sits on site B. We tried adding a route on the host:

"route add 100.102.0.0 mask 255.255.0.0 192.168.137.220" but that didn't do the trick.

If I trace route the IP address I need to connect to I get:

  1    <1 ms    <1 ms    <1 ms  192.168.1.254
  2    <1 ms    <1 ms    <1 ms  192.168.2.254
  3  p3e9bf07d.dip0.t-ipconnect.de [62.155.240.125]  meldet: Zielnetz nicht erreichbar.

So it seems I'm not even reaching the 192.168.137.0 net on site B.

Of course I can ping the connector device on site B just fine:

Ping wird ausgeführt für 192.168.137.220 mit 32 Bytes Daten:
Antwort von 192.168.137.220: Bytes=32 Zeit=17ms TTL=62
Antwort von 192.168.137.220: Bytes=32 Zeit=15ms TTL=62
Antwort von 192.168.137.220: Bytes=32 Zeit=15ms TTL=62
Antwort von 192.168.137.220: Bytes=32 Zeit=16ms TTL=62

Ping-Statistik für 192.168.137.220:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 15ms, Maximum = 17ms, Mittelwert = 15ms

Do I need to add a route on the Sophos on site A? The important thing is that this route is only valid for the specific host, so no other host in site A would take that way.

I tried painting the situation to make it a little clearer. Feel free to ask if I failed to give sufficient information.

Thank you!

  • Hello Tobias,

    Two things: IP is never "one way". Of course you have to have a route back to that host 192.168.1.3 from your other net.

    What your diagram doesn't show is the gateway IP on each of the sites. I understand you have a transfer net 192.168.2.0/24 between the Sophos XG and the FritzBox1.

    Could you add those IPs to the diagram? On Fritzbox2 as well?

  • Hello Philipp, thanks for your reply and for your advice. I added the gateway IPs in the picture.

    Yes, that's a transfer-net between the Sophos and FritzBox1 on Site A.

    Basically, the 192.168.1.0 network is the local LAN for the Sophos, with 192.168.1.254 as the gateway (and Sophos interface) IP. The Sophos WAN interface IP is 192.168.2.1 and the FritzBox1 has 192.168.2.254 as its interface IP.

    Then on site B we only have FritzBox2 and 192.168.137.254 as the gateway for the local LAN.

  • Hello,

    So the tunnel is defined on both FritzBoxes? And not like in your diagram?

    Otherwise, host 192.168.137.220 would not "see" 192.168.2.254.

  • No, the tunnel is only between Sophos and FritzBox2. I'm pretty sure site B doesn't know about 192.168.2.0/24 but I can't check right now, since I only have access to hosts on site A plus the FritzBox on site B.

    Will adding a route to 192.168.2.0 on the FritzBox2 help?

  • No, that won't help. Please show us a screenshot of the edit of the tunnel definition on the XG.

    And a screenshot of the IPsec-SA when the tunnel is up.
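A constructed model of the routing described in the first post and in Philipp's reply, added here as an example and not part of the thread: it reproduces the traceroute from the opening post (192.168.1.254, 192.168.2.254, then the provider), shows why a host route with next hop 192.168.137.220 cannot work from 192.168.1.3, and checks the "IP is never one way" point by tracing the return path. All routing tables, the connector's role as gateway into 100.102.0.0/16 and the tunnel selectors are assumptions.

```python
import ipaddress

# Constructed routing tables for the thread's topology (assumptions, not the real configs).
# Entries are (prefix, next_hop): next_hop is another node, "deliver" (destination is
# on-link) or "internet" (handed to the provider). Tunnel entries assume the IPsec
# selectors on the XG and FritzBox2 cover only the two LANs.
HOST, XG, FB1, FB2, CONN = ("host 192.168.1.3", "xg 192.168.1.254",
    "fritzbox1 192.168.2.254", "fritzbox2 192.168.137.254", "connector 192.168.137.220")
NODES = {
    HOST: [("192.168.1.0/24", "deliver"), ("0.0.0.0/0", XG)],
    XG:   [("192.168.1.0/24", "deliver"), ("192.168.2.0/24", "deliver"),
           ("192.168.137.0/24", FB2), ("0.0.0.0/0", FB1)],          # FB2 reached via IPsec
    FB1:  [("192.168.2.0/24", "deliver"), ("0.0.0.0/0", "internet")],
    FB2:  [("192.168.137.0/24", "deliver"), ("192.168.1.0/24", XG),  # XG reached via IPsec
           ("0.0.0.0/0", "internet")],
    # Assumption: the connector device is itself the gateway into 100.102.0.0/16.
    CONN: [("192.168.137.0/24", "deliver"), ("100.102.0.0/16", "deliver"),
           ("0.0.0.0/0", FB2)],
}

def lookup(node, dst):
    """Longest-prefix match in node's table; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in NODES[node]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(src, dst, max_hops=8):
    """Nodes visited from src towards dst, ending in deliver / internet / no route."""
    path = [src]
    for _ in range(max_hops):
        nh = lookup(path[-1], dst)
        if nh in (None, "deliver", "internet"):
            return path + [nh or "no route"]
        path.append(nh)
    return path + ["loop"]

def add_route(node, prefix, next_hop, tunnel=False):
    """Install a static route. Like a real host, refuse a next hop that is not on-link:
    this is why 'route add 100.102.0.0 ... 192.168.137.220' on 192.168.1.3 cannot work."""
    if not tunnel and lookup(node, next_hop.split()[1]) != "deliver":
        raise ValueError(f"{next_hop} is not on-link for {node}")
    NODES[node].insert(0, (prefix, next_hop))

def both_ways(a, a_ip, b, b_ip):
    """IP is never one-way: a must reach b_ip AND b must route back to a_ip."""
    return trace(a, b_ip)[-1] == "deliver" and trace(b, a_ip)[-1] == "deliver"
```

Source-based policy routing (the requirement that only 192.168.1.3 uses this path) is not modelled; the functions only check whether every hop has a usable route in both directions.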
