CONNECTION HQ-BRANCH

Hi,

what firewall rules do you have in place to allow traffic between the sites?
ian

Hello Fadi_Hamamdeh,

Thank you for reaching out to the community, you may refer the KBA for the config check: https://support.sophos.com/support/s/article/KB-000036746?language=en_US
Please also ensure that MIKROTIK has a allowed rule for the IPsec traffic coming from the HQ to be forwarded to the respective LAN servers !!

in HQ Firewall  -- LAN (192.168.1.0/24) to VPN (20.20.20.0/24) Accept && VPN (20.20.20.0/24) to LAN (192.168.1.0/24) Accept

in Branch Firewall -- LAN (20.20.20.0/24) to VPN (192.168.1.0/24) Accept && VPN (192.168.1.0/24) to LAN (20.20.20.0/24) Accept

in Branch firewall I have static route to reach 192.168.2.0/24 network.

Hello Fadi_Hamamdeh,

Can you perform the packet capture: https://support.sophos.com/support/s/article/KB-000035761?language=en_US
When accessing accessing from server in Brach site to HQ site.

Fadi_Hamamdeh said:

PROBLEM: server (192.168.1.200) can reach to server (192.168.2.200),,,, but server(192.168.2.200) CAN'T reach to server (192.168.1.200)

1. Please share packet flow from 192.168.1.200 to 192.168.2.200 under MONITOR & ANALYZE-->Diagnostics-->Packet Capture Click on configure Enter BPF string host 192.168.2.200 and proto ICMP

Share the screenshot 

From SSH with option 4 check tcpdump 

console>tcpdump 'host 192.168.2.200 and proto ICMP

console>dr 'host 192.168.2.200 and proto ICMP

2. Please share packet flow from 192.168.2.200 to 192.168.1.200 under MONITOR & ANALYZE-->Diagnostics-->Packet Capture Click on configure Enter BPF string host 192.168.1.200 and proto ICMP

From SSH with option 4 check tcpdump 

console>tcpdump 'host 192.168.1.200 and proto ICMP

console>dr 'host 192.168.1.200 and proto ICMP

Please check the packet flow from the Head office and Branch office 

Share the output with a screenshot

the issue is with routing your Microtik router 

Thanks and Regards