Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 2 subscribers
  • Views 1863 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site2Site VPN between 10.x networks

IngoPohlschneider
Hello everyone
I want to extend one of our branch networks.

We got 10.0.x.x/16 subnets (/24 networks in the 10.0.x.x range) on the main site and a branches with two 10.y.x.x/24 networks (see schema attached)

I want to be able to VPN to the branches (at best with /16 tunnels) and reach all of the remote networks.
Currently only the networks are reachable where the ASG has its Internal interface in (e.g. 10.1.2.x/24)

Is this possible (I guess it is [;)])? I am currently not seeing clear after a long work day.

The switches in the branches are L3 and do inter-VLAN routing on-site.

Any help would be nice, since I need to ship an ASG to a branch next week and we need to switch from MPLS to VPN on that site asap.

Thanks in advance everyone [:)]

Best regards
chas0rde


This thread was automatically locked due to age.
  • 0
    Gert answered this question several years ago, and to be sure I understood, I posted in https://community.sophos.com/products/unified-threat-management/astaroorg/f/68/t/58783

    Does that solve your problem?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hello
    I thought of that as well.

    The problem with that setup is that every time someone (another net-admin) adds a new local /24-LAN in a branch, I'd have to alter the tunnel as well (not the biggest problem, but it has to be done which might cause problems due to people forgetting to do so)

    So my basic problem is more the question of routing the /16-supernets of my /24 branch-LANs between the branch and headquarters.

    Is that possible or do I really need to set each an every /24-LAN?
    This is also quite anoying on the headquarter site due to the number of subnets

    Thanks for the quick reply [:)]

    Cheers Ingo
  • 0
    Just put the /16 instead of the /24s subnets in to start with and the new /24s will be there when added.

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hello
    I tried that, but it didn't work. I will check again tomorrow and let you know [:)]

    Best regards
    Ingo
  • 0
    You have to put /16 at both sides of tunnel! Not /24 on one side and /16 on the other.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • 0
    Yes...

    Site A: 10.1.0.0/16

    1 Remote Gateway

    Remote Gateway: [Public IP Site B]
    Remote Networks: 10.0.0.0/16 and 10.2.0.0/16
    Local Networks: 10.1.0.0/16


    Site B: 10.0.0.0/16

    2 Remote Gateways and 2 IPSec connections

    Remote Gateway: [Public IP Site A]
    Remote Networks: 10.1.0.0/16
    Local Networks: 10.0.0.0/16 and 10.2.0.0/16

    Remote Gateway: [Public IP Site C]
    Remote Networks: 10.2.0.0/16
    Local Networks: 10.0.0.0/16 and 10.1.0.0/16


    Site C: 10.2.0.0/16

    1 Remote Gateway

    Remote Gateway: [Public IP Site B]
    Remote Networks: 10.0.0.0/16 and 10.1.0.0/16
    Local Networks: 10.2.0.0/16


    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi chas0rde,

    do you put the aprobiate static routes to your L3-Switch in your 3 Offices? 
    Otherwise is there a dynamic routing Protocol between your ASG and the coresponding L3-Switch?

    Firebear
  • 0
    Hello
    yes that was the problem. The static route was misconfigured.

    For now I'll use a static route but on the long run I'd like to switch that to dynamic routing.

    Everything works as expected now [[:)]] 

    Thanks for the help guys and have a nice week [[:)]]
Cookie Information Banner