XG local to iView server reports fine, but remote XG cant connect via its VPN

Hi Richard,

By default XG initiated traffic is forwarded on WAN interface. So you need to force the XG initiated traffic through the VPN.

sys ipsec add <ipof iView> tunnel <nameof the ipsec vpntunnel>

Disconnect and reconnect the tunnel and it should do the trick.

HTH,

Ravi

Hi Richard,

By default XG initiated traffic is forwarded on WAN interface. So you need to force the XG initiated traffic through the VPN.

sys ipsec add <ipof iView> tunnel <nameof the ipsec vpntunnel>

Disconnect and reconnect the tunnel and it should do the trick.

HTH,

Ravi

Thanks for that. It came up saying unknown parameter then the IP.

Did a sys ipsec add ? and it came up with net or host as the two options.

What should I use?

console> system ipsec_route add host 192.168.1.20 tunnelname vpntoHO

If you just want to access the iview server on the other side of the tunnel use Host otherwise use network.

The host IP 192.168.1.20 is the destination IP (iview) you want to reach from Remote XG through VPN tunnel

The same thing applies when you have AD server at HO and you want to integrate AD with BO firewall.

HTH,

Ravi

Cool. Its accepted the command. I cant drop the VPN till out of hours so will let you know how I get on. :-)

THanks again for the prompt responses.

Hi Ravi,

Nope, doesnt work. I do a sys ipsec show and it lists them. I have even done a reboot of the remote firewall.

tunnelname                       HOST                 NETMASK

LON_NCH_VPN                172.16.0.235     255.255.255.255       (this is for iview)
LON_NCH_VPN                172.16.0.236     255.255.255.255       (this is for FM )

My level of routing lets me down at this point, but as they are /24 networks, shouldnt the mask be 255.255.255.0? If so I am not sure how to enter it in

Rich.

Hi, thought I would do a tracert with those routes in place, it just times out with no hops reported.

GOT IT!

Had to also run this command to get traffic to pass.

Found it here. https://community.sophos.com/kb/en-us/123334

.

Your help with the first command was very much appreciated and I woulndt have been on the right track if I hadn't had it. I did a search in the group for the command you gave and led me there.

THanks again Ravi!

Rich.

Hi Rich,

There are two way to do this.

1> Either you SNAT the source traffic with LAN IP address of the Remote XG 

2> Or, you can use the WAN IP address with-in the IPSec Local and remote LANs

I am glad it helped.

Regards,

Ravi