access through 2 vpn(hops) problems

Question

hello, 
 i'm having an issue routing traffic through 2 vpn links and i can't find a solution, here's the setup 
 lan A 10.10.20.x/24 ---vpn1--- lan B 10.10.10.x/24---vpn2--- lan C 192.168.3.x/24 
 vpn1 is a sophos xg 16.5 mr3 
 vpn2 is a utm 9.411 
 i need the computers on lan A to access lan C. 
 A to B works perfect, B to C also works perfect 
 
 steps i did to try and solve this problem: 
 added a policy route on XG for 192.168.3.x/24 gateway 10.10.10.15 which is the utm ip 
 on the utm i added snat for traffic from lan A to lan C snat oriign ip as internal lan ip 10.10.10.15 
 it doesn't works, on a A station the traffic does not even reach the UTM, the XG responds with destination unreachable 
 i added a manual route on a PC to go through utm, same error but now takes much more time for the tracert to show the failure 
 i disabled the SNAT rule, no change 
 added a ipsec route on XG: system ipsec_route add net 192.168.3.0/24 tunnelname vpn1 
 no change, even pinging from the XG console fails 
 added a 1:1 snat rule, same 
 i can't find how to add a static route as it forces the gateway to be in the same network as one of the interfaces(which it cannot be) and indeed the route table shows no path to C network 
 
 i'm not seeing any hits on the fw logs even. 
 
 any ideas?

Aditya Patel · Answer

HI Mast_01, I believe that the issue is with the VPN policy . Suggestion: Site A to C Site A to B Local Network Remote Network Site B to C Local Network Remote Network Rules Needed at site A and C LAN-VPN and VPN-LAN Rules Needed at site B LAN-VPN , VPN-LAN and VPN-VPN

Aditya Patel · Answer

Hi Mast_01, 
 As you are facing issue with communicating Site A and C , you may need to take a TCP dump on all three sites. You may conduct a Ping test from the system in a LAN and not from the device. Monitor the ping traffic from all 3 locations A,B and C. 
 This should give us an idea on why the traffic was not routed and not working as you would expect it should.