Branch offices cannot communicate through IPsec of head office

Hi,

We have 2 branch offices and one headquarters.

BO1-------IPsec------HQ------IPsec-----BO2

Connections between the BOs and HQ are fine (ping/share, etc.) but I cannot ping any computer from BO1 to BO2 or from BO2 to BO1.

On the IPsec setup of HQ, the network of each BO is in the local subnet. And each site has firewall rules: VPN to LAN and LAN to VPN.

Am I missing something?

Thanks for your help,

  • Samps,

    use a traceroute from each branch office to understand where the traffic goes. If it goes through the internet, you have to add a static route on each branch office that uses the IPsec as gateway or interface.

    Regards

  • Hi Lferrara,

    I thought that adding the appropriate LAN to the IPsec setup of HQ and the BOs (in local network or remote network) would assign a static route.

    I removed "Rewrite source address (Masquerading)" on the firewall rule VPN to LAN in HQ and it's working. I can communicate between the BOs.

    But doing that, I lost the possibility to route SSL VPN traffic (internet) through my HQ. Is there any option to fix that?

    Thanks,

    Regards,

  • Samps,

    rewrite source address is not needed on those rules. For routing internet traffic from the branch office to HQ, uhm... you can create a firewall rule VPN to WAN (MASQ on) and additionally, you need to change the remote network on the branch office to any, and on HQ the local network to any.

    https://community.sophos.com/kb/en-us/115661

    It is for UTM9 but you can see the changes required, or:

    https://kb.cyberoam.com/default.asp?id=2617

    Regards

  • lferrara,

    Sorry I wasn't clear.

    Here is my setup:

    BO1-------IPsec------HQ------IPsec-----BO2     and I have SSL VPN to HQ when we are on the road.

    Since I removed "Rewrite source address" on VPN to LAN in the HQ firewall rules, both BOs can communicate with each other (ping/share...).

    But since I made this modification, from my SSL VPN outside the offices (BO and HQ), I can communicate with the LANs but cannot access the internet.

    Regards,

  • So if I understood correctly, SSL VPN for remote users, correct?

    If this is the case, create a firewall rule above it where the source zone is VPN but the source network is the IP range leased by the XG SSL VPN component. You can find the leased IP range under VPN > Show VPN settings > SSL.

    Regards
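Added example (not from the thread, Sophos, or any poster): a small model of the policy-based IPsec selector lookups a BO1-to-BO2 packet goes through when it transits HQ, covering lferrara's traceroute/selector advice and Samps' finding that masquerading on the HQ VPN-to-LAN rule broke spoke-to-spoke traffic. All addresses are constructed (RFC 1918 LANs, an RFC 5737 WAN address), and the masquerade is modelled on the assumption that it rewrites the source to the HQ outbound interface address, which then matches no tunnel selector; treat that assumption, and the tunnel names, as illustrative.

```python
import ipaddress

# Constructed topology. All addresses are assumptions for this example,
# not taken from the thread (RFC 1918 LANs, RFC 5737 WAN address).
HQ_LAN, BO1_LAN, BO2_LAN = "10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"
HQ_WAN_IP = "203.0.113.10"


class Tunnel:
    """One end of a policy-based IPsec tunnel: its local/remote selectors."""

    def __init__(self, name, local, remote):
        self.name = name
        self.local = [ipaddress.ip_network(n) for n in local]
        self.remote = [ipaddress.ip_network(n) for n in remote]

    def covers(self, src, dst):
        """True if a src->dst packet matches this tunnel's selectors."""
        return (any(src in n for n in self.local)
                and any(dst in n for n in self.remote))


def build_tunnels(hub_lists_spoke_lans):
    """Hub-and-spoke selectors. With hub_lists_spoke_lans=False the HQ side
    of each tunnel carries only HQ_LAN (the usual first attempt); with True
    it carries every LAN, i.e. each BO network is in HQ's local subnets."""
    hq_side = [HQ_LAN, BO1_LAN, BO2_LAN] if hub_lists_spoke_lans else [HQ_LAN]
    return {
        ("BO1", "HQ"): Tunnel("BO1->HQ", [BO1_LAN], hq_side),
        ("HQ", "BO2"): Tunnel("HQ->BO2", hq_side, [BO2_LAN]),
        ("BO2", "HQ"): Tunnel("BO2->HQ", [BO2_LAN], hq_side),
        ("HQ", "BO1"): Tunnel("HQ->BO1", hq_side, [BO1_LAN]),
    }


def trace(src, dst, tunnels, hq_masquerade_ip=None):
    """Follow a BO1 -> HQ -> BO2 packet and its reply through the four
    selector lookups. Returns (delivered, hops) where hops is a list of
    (tunnel name, verdict). Masquerading on the HQ VPN->LAN rule is modelled
    as rewriting the source to hq_masquerade_ip before the HQ->BO2 lookup
    (assumption: the masqueraded address is the outbound interface address)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd_src = ipaddress.ip_address(hq_masquerade_ip) if hq_masquerade_ip else src
    hops = []
    # Each step: (tunnel key, packet source, packet destination).
    # If the packet was masqueraded, BO2 sees fwd_src and replies to it.
    steps = [
        (("BO1", "HQ"), src, dst),       # spoke encrypts toward the hub
        (("HQ", "BO2"), fwd_src, dst),   # hub forwards (after optional NAT)
        (("BO2", "HQ"), dst, fwd_src),   # reply leaves BO2
        (("HQ", "BO1"), dst, src),       # hub un-NATs and returns to BO1
    ]
    for key, s, d in steps:
        t = tunnels[key]
        if not t.covers(s, d):
            hops.append((t.name, f"no selector for {s}->{d}: "
                                 "packet follows the default route instead"))
            return False, hops
        hops.append((t.name, "encrypted"))
    return True, hops


def failing_tunnel(src, dst, tunnels, hq_masquerade_ip=None):
    """Name of the first tunnel that drops the flow, or None if it works."""
    ok, hops = trace(src, dst, tunnels, hq_masquerade_ip)
    return None if ok else hops[-1][0]


if __name__ == "__main__":
    for label, tunnels, masq in [
        ("hub lists only its own LAN", build_tunnels(False), None),
        ("hub lists all LANs, MASQ on", build_tunnels(True), HQ_WAN_IP),
        ("hub lists all LANs, MASQ off", build_tunnels(True), None),
    ]:
        ok, hops = trace("10.0.1.10", "10.0.2.10", tunnels, masq)
        print(f"{label}: {'works' if ok else 'fails'}")
        for name, verdict in hops:
            print(f"  {name}: {verdict}")
```

The first case is what a traceroute from a branch shows when the hub does not list the other spoke's LAN: the packet never matches the BO1 tunnel and leaves via the default route. The second case reproduces the masquerade symptom: the selectors are right, but the rewritten source no longer matches the HQ->BO2 tunnel, so the hub sends the packet in the clear instead. Only the third case, all LANs in the selectors and no source rewrite on the VPN-to-LAN rule, delivers the packet and its reply.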
