
XG local to iView server reports fine, but remote XG can't connect via its VPN

Hi,

I have two sites, linked together by a site-to-site VPN.

Data already goes between sites fine.

iView is installed at site A where a firewall is, which works fine. The firewall at site B won't connect to iView. When I do a ping in the console at site B, pings don't get through. Do a tracert, and it goes out via the internet.

iView at site A can ping the firewall at site B.

 

I am sure this is a routing thing, but I am a little confused as to where it may be.

Does anyone have any ideas?

Thanks.



  • Hi Richard,

     

    By default, XG-initiated traffic is forwarded on the WAN interface. So you need to force the XG-initiated traffic through the VPN.

     

    sys ipsec add <ip of iView> tunnel <name of the ipsec vpn tunnel>

     

    Disconnect and reconnect the tunnel and it should do the trick.

     

    HTH,

    Ravi

     

  • Thanks for that. It came up saying unknown parameter then the IP.

    Did a sys ipsec add ? and it came up with net or host as the two options.

    What should I use?

  • console> system ipsec_route add host 192.168.1.20 tunnelname vpntoHO

     

    If you just want to access the iView server on the other side of the tunnel, use host; otherwise use network.

     

    The host IP 192.168.1.20 is the destination IP (iView) you want to reach from the remote XG through the VPN tunnel.

    The same thing applies when you have AD server at HO and you want to integrate AD with BO firewall.

     

    HTH,

    Ravi

  • Cool. It's accepted the command. I can't drop the VPN till out of hours, so I will let you know how I get on. :-)

     

    Thanks again for the prompt responses.

  • Hi Ravi,

    Nope, doesn't work. I do a sys ipsec show and it lists them. I have even done a reboot of the remote firewall.

    tunnelname        HOST            NETMASK

    LON_NCH_VPN       172.16.0.235    255.255.255.255       (this is for iView)
    LON_NCH_VPN       172.16.0.236    255.255.255.255       (this is for FM)

    My level of routing lets me down at this point, but as they are /24 networks, shouldn't the mask be 255.255.255.0? If so, I am not sure how to enter it in.

    Rich.
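The host-versus-network question in Ravi's reply and the /32 netmask shown in the `sys ipsec show` output above come down to longest-prefix matching: a host route covers exactly one address, while a network route covers the whole subnet, and anything nothing matches falls through to the default route. The following is an added illustration written for this thread, not Sophos code and not how the XG firmware implements its routing table. The tunnel name and the two host IPs are taken from the output posted above; the WAN default route and the optional 172.16.0.0/24 network route are assumptions constructed for the example.

```python
import ipaddress

# Constructed routing table modelled on the thread's "sys ipsec show" output.
# The default route to WAN is an assumption; it stands in for the behaviour
# described in the thread (firewall-initiated traffic leaves via WAN unless
# a more specific route sends it into the tunnel).
HOST_ROUTES = [
    ("0.0.0.0/0", "WAN"),                 # default: everything else goes out the WAN
    ("172.16.0.235/32", "LON_NCH_VPN"),   # host route for the iView server
    ("172.16.0.236/32", "LON_NCH_VPN"),   # host route for the FM server
]

# Assumed alternative: one network route for the whole remote /24.
NETWORK_ROUTES = HOST_ROUTES + [("172.16.0.0/24", "LON_NCH_VPN")]


def lookup(dst, routes=HOST_ROUTES):
    """Return the interface/tunnel chosen for dst by longest-prefix match."""
    ip = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def netmask(prefix):
    """Dotted-quad mask for a CIDR prefix, e.g. /32 -> 255.255.255.255."""
    return str(ipaddress.ip_network(prefix).netmask)


def show(routes):
    """Render the table in the same tunnelname/HOST/NETMASK layout as the thread."""
    lines = ["tunnelname        HOST            NETMASK"]
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        lines.append(f"{via:<17} {str(net.network_address):<15} {netmask(prefix)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(show(HOST_ROUTES))
    # With only /32 host routes, the iView address is tunnelled but another
    # host on the same /24 still leaves via WAN.
    print("172.16.0.235 ->", lookup("172.16.0.235"))
    print("172.16.0.50  ->", lookup("172.16.0.50"))
    # With a /24 network route, every address in the subnet is tunnelled.
    print("172.16.0.50  ->", lookup("172.16.0.50", NETWORK_ROUTES))
```

The point the lookup makes: a host entry with mask 255.255.255.255 is the expected form for a single destination such as the iView server, and it is enough for that one address. The 255.255.255.0 mask only becomes relevant if the remote firewall itself needs to reach other hosts on that subnet through the tunnel, which is the "network" option in the command.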
