
Site to Site VPN between 3 firewalls

Hi guys, I'm trying to do Site to Site between 3 firewalls in 3 different remote locations.

(Branch)Firewall A Internal subnet 192.168.10.0/24 WAN IP 10.68.20.10/32
(Main HQ)Firewall B Internal subnet 192.168.20.0/24 WAN IP 172.100.200.20/32
(Branch)Firewall C Internal subnet 192.168.30.0/24 WAN IP 206.230.20.16/32

Firewall A added network
192.168.20.0/24
192.168.30.0/24
Host
172.100.200.20/32
206.230.20.16/32

Firewall B added network
192.168.10.0/24
192.168.30.0/24
Host
10.68.20.10/32
206.230.20.16/32

Firewall C added network
192.168.10.0/24
192.168.20.0/24
Host
10.68.20.10/32
172.100.200.20/32

Created IPsec.
VPN -> IPsec -> I added the remote subnets in the sequence above.

I can ping the branches from the HQ.
But the branches just can't ping each other with the internal subnets.
Anything I'm missing?

  • Hello ywillie,

    Thank you for contacting the Sophos Community.

    So basically at the moment, every Firewall has two IPsec connections, one to each other Firewall

    Firewall A has 1 IPsec to each Router B and Router C (in total two IPsec tunnels)

    Firewall B has 1 IPsec to each Router A and Router C (in total two IPsec tunnels)

    Firewall C has 1 IPsec to each Router A and Router B (in total two IPsec tunnels).

    When you are trying to Ping from Firewall A to Firewall C this Ping is not working and vice-versa, correct?

    You shouldn't have any issue, do you have the correct Firewall rules for the different Subnets?

    What did you configure for Remote Gateway in the IPsec tunnel in the branches as Remote Networks?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi, there's only 1 IPsec tunnel from A to B.
    Same goes for B to C, only 1 IPsec.

    Can we do two split IPsec tunnels under 1 connection?

  • Hi,

    I'm a visual-tactile learner, so I would need to see a diagram with IPs noted to understand your first post.  I'll guess at what problems you could have.  If you've already followed Hub and Spoke Site-to-Site VPNs, then you probably need to study #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
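Bob's pointer to the Hub and Spoke guide and Emmanuel's question about firewall rules are the two things a hub has to get right for spoke-to-spoke traffic. The following is an added example, not code from the thread, from Sophos or from the UTM: a small Python model of the three firewalls' IPsec connections, each described by its Local Networks and Remote Networks, plus the hub's forwarding rules. A packet is carried over a tunnel only when the sending firewall has a selector covering it and the receiving firewall has the mirror image; listing a subnet on one side only, as the first post appears to do, is not enough. The BROKEN, FIXED and MESH tables and the RULES are assumptions chosen to illustrate the check, since the poster never shows the exact Local/Remote Networks or firewall rules on the three firewalls; the full-mesh table models the direct A to C tunnel as a contrast.

```python
"""Selector walk for the three-UTM design in this thread.

Added example, not code from the thread, from Sophos or from the UTM itself.
Each IPsec connection is modelled by the Local Networks and Remote Networks
it is configured with on one firewall; a packet rides a tunnel only if the
sending side has a selector covering it AND the receiving side has the
mirror image. The BROKEN, FIXED and MESH tables and the RULES are
assumptions made for illustration: the poster never shows the exact
Local/Remote Networks or firewall rules on the three firewalls.
"""
from ipaddress import ip_address, ip_network

# Internal subnets as listed in the first post.
NET_A = ip_network("192.168.10.0/24")   # branch, Firewall A
NET_B = ip_network("192.168.20.0/24")   # Main HQ, Firewall B (hub)
NET_C = ip_network("192.168.30.0/24")   # branch, Firewall C
LAN = {"A": NET_A, "B": NET_B, "C": NET_C}

# One entry per IPsec connection on a firewall:
#   (peer, Local Networks, Remote Networks)
# Assumed: each spoke lists both other subnets as Remote Networks (as the
# poster did), but the hub offers only its own LAN on each spoke tunnel,
# so the A<->C selector pair has no mirror on B.
BROKEN = {
    "A": [("B", [NET_A], [NET_B, NET_C])],
    "B": [("A", [NET_B], [NET_A]), ("C", [NET_B], [NET_C])],
    "C": [("B", [NET_C], [NET_B, NET_A])],
}
# Assumed fix: on the hub, each spoke tunnel's Local Networks also include
# the other spoke's subnet, so B mirrors both halves of A<->C.
FIXED = {
    "A": [("B", [NET_A], [NET_B, NET_C])],
    "B": [("A", [NET_B, NET_C], [NET_A]), ("C", [NET_B, NET_A], [NET_C])],
    "C": [("B", [NET_C], [NET_B, NET_A])],
}
# Assumed: a direct A<->C tunnel (full mesh) so that no hop is transit.
MESH = {
    "A": [("B", [NET_A], [NET_B]), ("C", [NET_A], [NET_C])],
    "B": [("A", [NET_B], [NET_A]), ("C", [NET_B], [NET_C])],
    "C": [("A", [NET_C], [NET_A]), ("B", [NET_C], [NET_B])],
}
# Assumed allow rules as (source net, destination net). A transit hop, a
# firewall that owns neither the source nor the destination LAN, must hold
# a rule for spoke-to-spoke traffic; a generic VPN-to-WAN rule is not it.
RULES = {"A": [], "B": [(NET_A, NET_C), (NET_C, NET_A)], "C": []}
NO_TRANSIT_RULES = {"A": [], "B": [], "C": []}


def _covers(nets, ip):
    return any(ip in n for n in nets)


def _carried(tunnels, fw, peer, src, dst):
    """True only if fw's tunnel to peer has (src in Local, dst in Remote)
    and peer's tunnel to fw has the mirror (dst in Local, src in Remote)."""
    out_ok = any(p == peer and _covers(loc, src) and _covers(rem, dst)
                 for p, loc, rem in tunnels[fw])
    in_ok = any(p == fw and _covers(loc, dst) and _covers(rem, src)
                for p, loc, rem in tunnels[peer])
    return out_ok and in_ok


def path(tunnels, rules, src, dst):
    """Walk src->dst hop by hop. Returns (firewalls crossed, reason), where
    reason is 'ok' or a description of the hop that drops the packet."""
    src, dst = ip_address(src), ip_address(dst)
    cur = next(fw for fw, net in LAN.items() if src in net)
    last = next(fw for fw, net in LAN.items() if dst in net)
    hops, seen = [cur], {cur}
    while cur != last:
        # Only a transit firewall is checked for an explicit forwarding rule.
        if cur != hops[0] and not any(src in s and dst in d
                                      for s, d in rules.get(cur, [])):
            return hops, f"no forwarding rule on {cur} for {src}->{dst}"
        nxt = next((p for p, _, _ in tunnels[cur]
                    if p not in seen and _carried(tunnels, cur, p, src, dst)),
                   None)
        if nxt is None:
            return hops, (f"no tunnel on {cur} whose selectors cover "
                          f"{src}->{dst} on both ends")
        hops.append(nxt)
        seen.add(nxt)
        cur = nxt
    return hops, "ok"


if __name__ == "__main__":
    cases = (("broken hub-and-spoke", BROKEN, RULES),
             ("fixed selectors, no hub rule", FIXED, NO_TRANSIT_RULES),
             ("fixed hub-and-spoke", FIXED, RULES),
             ("full mesh", MESH, RULES))
    for name, tunnels, rules in cases:
        print(f"{name:30} HQ->C {path(tunnels, rules, '192.168.20.1', '192.168.30.1')}")
        print(f"{name:30} A->C  {path(tunnels, rules, '192.168.10.5', '192.168.30.1')}")
```

With the BROKEN table the hub still reaches both branches, which matches the poster's symptom, while a packet from A to C is never carried by the A to B tunnel because B has no selector with 192.168.30.0/24 as a Local Network on that connection. Fixing the selectors alone moves the failure to the hub's forwarding rule; only with both does the A, B, C path open. The model ignores NAT, routing metrics and the UTM's own automatic rules, so treat it as a reasoning aid, not as a substitute for the logs and the `ip route get` output asked for later in the thread.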
  • I will provide the network plan later.

    Thanks for the Rulz link. It's a very good link; I didn't know where to look.

    I saw the hub and spoke method link that you referred to a few days earlier, which I tried. It doesn't seem to have worked.

    I guess I might need to read in detail what I left out.

    I remember seeing a WAN to VPN allow any and VPN to WAN firewall rule in the head office main FW, which is why I skipped the firewall rule part, because I assumed that all connectivity to the VPN, including SSL VPN and IPsec, is automatically configured to allow traffic coming in from the VPN with that rule.


  • This is the current setup.
    I'm trying to get traffic from the A network to the C network through B.

  • Nice diagram - thanks!

    All traffic other than pings work - correct?  Do you see any pings between A and C blocked in any of the three firewall logs?

    If no traffic is passing, please show us pictures of the 'Preshared Key Settings' on the 'Advanced' tab and the Edits of the IPsec Connection and Remote Gateway for sites A & B.  Also confirm which of the UTMs is behind a NATting router and what public IP is on the router.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob
  • Hello ywillie,

    Thank you for the Follow-up.

    If you do an ip route get from the UTM SG 125 with subnet 192.168.10.0/24, what is the output of this command:

    # ip route get 192.168.30.X (X is the IP of a host behind the UTM with subnet 192.168.30.0/24)

    Regards,

    Emmanuel (EmmoSophos)
  • I notice something weird though.
    There's a successful ping to 192.168.10.1 from firewall C.
    But trying to ping 192.168.30.1 from firewall A resulted in no response.

    Perhaps I really need to use Wireshark to monitor where the packets end up and post the result here.

  • It's OK, I found the easy way out.
    Instead of figuring out the policy or routing issues, I just did another IPsec between FW A and FW C.
    This allows an alternate route instead of relying on FW B to route traffic between FW A and FW C.
    It's much easier.