access through 2 vpn(hops) problems

Hello,

I'm having an issue routing traffic through 2 VPN links and I can't find a solution. Here's the setup:

lan A 10.10.20.x/24 ---vpn1--- lan B 10.10.10.x/24---vpn2--- lan C 192.168.3.x/24

vpn1 is a Sophos XG 16.5 MR3

vpn2 is a UTM 9.411

I need the computers on LAN A to access LAN C.

A to B works perfectly, B to C also works perfectly.

Steps I did to try and solve this problem:

Added a policy route on the XG for 192.168.3.x/24 with gateway 10.10.10.15, which is the UTM IP.

On the UTM I added an SNAT for traffic from LAN A to LAN C, SNAT origin IP as the internal LAN IP 10.10.10.15.

It doesn't work; from an A station the traffic does not even reach the UTM, the XG responds with destination unreachable.

I added a manual route on a PC to go through the UTM, same error but now it takes much more time for the tracert to show the failure.

I disabled the SNAT rule, no change.

Added an IPsec route on the XG: system ipsec_route add net 192.168.3.0/24 tunnelname vpn1

No change, even pinging from the XG console fails.

Added a 1:1 SNAT rule, same.

I can't find how to add a static route, as it forces the gateway to be in the same network as one of the interfaces (which it cannot be), and indeed the route table shows no path to the C network.

I'm not seeing any hits on the FW logs even.

Any ideas?

  • Hi Mast_01,

    I believe that the issue is with the VPN policy.

    Suggestion: Site A to C

    Site A to B

    Local Network <LAN network>

    Remote Network <LAN Network of C and LAN network of B>

    Site B to C

    Local Network <LAN network of A and B>

    Remote Network <Remote Network of C>

    Rules Needed at site A and C

    LAN-VPN and VPN-LAN

    Rules Needed at site B

    LAN-VPN, VPN-LAN and VPN-VPN

  • The rules at site C cannot be modified in any way or shape and cannot be redefined for anything but the site B LAN, that's why I used an SNAT, and since I'm not doing strict routing on the tunnel, the SNAT should work; a masquerade rule should work as well (or better put, why isn't it working?).

    I'll test by expanding the tunnel definitions on the A to B VPN to include the C network, but I still need to SNAT this.
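An added model (not from the thread and not Sophos code) of the selector logic the two posts above are discussing: one packet from LAN A to LAN C is walked through both firewalls and checked against each tunnel's phase-2 selectors, with an optional SNAT at the UTM. The networks, tunnel names and the UTM address 10.10.10.15 are taken from the thread; the host addresses 10.10.20.50 and 192.168.3.10 are constructed, and firewall rules (LAN-VPN, VPN-VPN) and the route table are deliberately left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Networks and the UTM address exactly as given in the thread.
LAN_A, LAN_B, LAN_C = (ip_network(n) for n in
                       ("10.10.20.0/24", "10.10.10.0/24", "192.168.3.0/24"))
UTM_IP = "10.10.10.15"

@dataclass
class Tunnel:
    """A site-to-site IPsec tunnel seen from the sending firewall. Phase-2
    selectors decide which src/dst pairs have an SA; the peer must mirror them."""
    name: str
    local: List
    remote: List
    def carries(self, src, dst) -> bool:
        return any(src in n for n in self.local) and any(dst in n for n in self.remote)

@dataclass
class Hop:
    device: str
    tunnel: Tunnel
    snat_to: Optional[str] = None   # rewrite the source before the tunnel lookup

def forward(src: str, dst: str, hops: List[Hop]):
    """Walk one packet through the hops; return (delivered, trace)."""
    s, d, trace = ip_address(src), ip_address(dst), []
    for hop in hops:
        if hop.snat_to:
            s = ip_address(hop.snat_to)
            trace.append(f"{hop.device}: SNAT src -> {s}")
        if not hop.tunnel.carries(s, d):
            trace.append(f"{hop.device}: no {hop.tunnel.name} selector for {s}->{d}, unreachable")
            return False, trace
        trace.append(f"{hop.device}: {s}->{d} enters {hop.tunnel.name}")
    return True, trace

def scenario(vpn1_remote, utm_snat, vpn2_local):
    hops = [Hop("XG", Tunnel("vpn1", [LAN_A], vpn1_remote)),
            Hop("UTM", Tunnel("vpn2", vpn2_local, [LAN_C]), utm_snat)]
    return forward("10.10.20.50", "192.168.3.10", hops)   # constructed hosts in A and C

SCENARIOS = {
    "as_posted": scenario([LAN_B], UTM_IP, [LAN_B]),             # XG has no SA towards C: dropped at hop 1
    "snat_off":  scenario([LAN_B, LAN_C], None, [LAN_B]),        # vpn1 widened but no SNAT: dropped at the UTM
    "with_snat": scenario([LAN_B, LAN_C], UTM_IP, [LAN_B]),      # vpn1 widened + SNAT: site C only sees LAN B
    "widened":   scenario([LAN_B, LAN_C], None, [LAN_A, LAN_B]), # the reply's suggestion, no SNAT needed
}
if __name__ == "__main__":
    for label, (ok, trace) in SCENARIOS.items():
        print(f"{label}: {'delivered' if ok else 'dropped'}\n  " + "\n  ".join(trace))
```

The "as_posted" case drops at the XG before anything reaches the UTM, which is the same symptom as the destination-unreachable reply and the empty firewall log described in the question.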

  • Hi Mast_01,

    As you are facing an issue communicating between Site A and C, you may need to take a tcpdump on all three sites. You may conduct a ping test from a system in the LAN and not from the device. Monitor the ping traffic from all 3 locations A, B and C.

    This should give us an idea of why the traffic is not routed and not working as you would expect it should.
