VPN route to another Firewall

Hi

I have this scenario and I can't find a way to make it work yet.

I have 3 Sophos XG firewalls.

1 firewall in the branch, IP 192.168.1.1

1 firewall in the head office, IP 10.10.10.1

1 firewall connected to the firewall in the head office, IP 172.16.50.1

Now there is a VPN between the branch office and the head office using IPsec and it works perfectly.

Now I want to route between the branch office and the 3rd firewall located at IP 172.16.50.1.

I added the IPs of the 3rd network (172.16.50.x) as a local subnet in the VPN configuration in the head office firewall.

I added the IPs of the 3rd network (172.16.50.x) as a remote network in the VPN configuration in the branch office.

I added a static route in the 3rd firewall to reach the branch office (192.168.1.x) through the head office gateway IP.

I can ping and nmap ports from the branch office to the 3rd network without any issue,

but I can't ping or reach any IP from the 3rd network to the branch office.

How can I do that?

  • Hi MoMx,

    Make sure Ping is selected for the VPN zone under Administration > Device access > VPN > Ping.

    Start a ping from a specific IP in the 3rd branch towards a specific IP in the branch office. Refer: https://community.sophos.com/kb/en-us/123189 and verify if the ICMP traffic is forwarded through the IPsec tunnel from the 3rd office. Do the same capture on the branch office to see if the traffic comes in for the destined IP address. If you do not get the traffic coming in for the branch office, then there is an incorrect routing configuration on the 3rd office or the head office connecting both ends.

    Thanks

  • Thanks for your reply

    I enabled the packet filter and I confirm that the ICMP packet left the 3rd office with a destination IP inside the branch office; it reached the head office firewall (the VPN firewall) and the head office firewall forwarded that ICMP packet through the IPsec tunnel to the destination IP (in the branch office), but I did not get that packet in the branch office firewall.

    Ping is allowed in VPN and on all interfaces (just for testing) in all three firewalls.

    There are rules in all 3 firewalls to allow any to any for any service (just for testing).

  • Hi MoMx,

    Perfect, I think the issue is an incorrect network definition in the local and remote network settings for the IPsec tunnel between the HO and BO. Check the subnet mask on both ends and the FW rules that route the traffic. If the ICMP packet didn't reach the BO from the HO, make sure there is no intermediate device on the BO end which drops it on the way.

    Thanks
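One way to do the "check the local/remote networks and the subnet mask on both ends" step mechanically, as an added example that is not from this thread or from Sophos. The tunnel definitions below are constructed to mirror the poster's topology, and the /25 mask on the BO end is an assumed typo used to show how a one-directional failure like the one described can arise:

```python
import ipaddress

# Constructed tunnel definitions modelled on the thread's topology (not taken
# from the poster's firewalls): the BO end mistypes the 3rd site's mask as /25.
HO_TUNNEL = {"local": ["10.10.10.0/24", "172.16.50.0/24"],
             "remote": ["192.168.1.0/24"]}
BO_TUNNEL = {"local": ["192.168.1.0/24"],
             "remote": ["10.10.10.0/24", "172.16.50.0/25"]}


def _covered(nets, ip):
    """True if ip lies inside any of the listed subnets."""
    return any(ip in ipaddress.ip_network(n) for n in nets)


def check_flow(near, far, src, dst, near_name="near", far_name="far"):
    """Problems for a packet src->dst where src sits behind `near` and dst
    behind `far`. Each end must have src/dst in matching local/remote lists,
    otherwise that end will not select the packet into (or out of) the SA."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    checks = [(near_name, "local", near["local"], src),
              (near_name, "remote", near["remote"], dst),
              (far_name, "remote", far["remote"], src),
              (far_name, "local", far["local"], dst)]
    return [f"{end} {side} networks do not cover {ip}"
            for end, side, nets, ip in checks if not _covered(nets, ip)]


def mirror_mismatches(a, b):
    """Subnets listed as local on end `a` that the peer `b` does not list
    exactly as remote (the 'check the subnet mask on both ends' step)."""
    a_local = {ipaddress.ip_network(n) for n in a["local"]}
    b_remote = {ipaddress.ip_network(n) for n in b["remote"]}
    return sorted(str(n) for n in a_local - b_remote)


if __name__ == "__main__":
    # BO host -> 3rd-site host: selected on both ends, so it works.
    print(check_flow(BO_TUNNEL, HO_TUNNEL, "192.168.1.20", "172.16.50.10", "BO", "HO"))
    # 3rd-site host above .127 -> BO host: HO forwards it, BO's selectors reject it.
    print(check_flow(HO_TUNNEL, BO_TUNNEL, "172.16.50.200", "192.168.1.20", "HO", "BO"))
    print(mirror_mismatches(HO_TUNNEL, BO_TUNNEL))
```

With these constructed definitions the forward direction passes while the reply direction is rejected only at the BO end, which matches the symptom of the packet leaving the HO but never showing up in the BO capture.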

  • Thanks sachingurung

    I checked; there is nothing that can block the ICMP. I also checked the subnets and the local and remote sites in both HO and BO and all are correct.

    What else can cause this issue?

    I am thinking of connecting that 3rd branch to the HO through the VPN so it will be seen in the VPN route, not using a normal static route.

    What do you think?

  • Any update?

    Can anyone reproduce this scenario and check?

    Sophos team?

  • Hi MoMx,

    Are the FW rules correctly defined? Post a few screenshots of the defined FW rules.

    Take SSH to the XG and go to option 4. Device console; execute: tcpdump 'proto 50'. Monitor these logs and check if the packet is sent out from the XG's end. Verify these dumps on both ends; if the packet is forwarded from both Site A/B but the ping is seeing RTO, then I guess it is an ISP issue on either side.

    Thanks