Site to Site VPN between 3 firewalls

Hi guys, I'm trying to do Site to Site between 3 firewalls in 3 different remote locations.

(Branch)Firewall A Internal subnet 192.168.10.0/24 WAN IP 10.68.20.10/32
(Main HQ)Firewall B Internal subnet 192.168.20.0/24 WAN IP 172.100.200.20/32
(Branch)Firewall C Internal subnet 192.168.30.0/24 WAN IP 206.230.20.16/32

Firewall A added network
192.168.20.0/24
192.168.30.0/24
Host
172.100.200.20/32
206.230.20.16/32

Firewall B added network
192.168.10.0/24
192.168.30.0/24
Host
10.68.20.10/32
206.230.20.16/32

Firewall C added network
192.168.10.0/24
192.168.20.0/24
Host
10.68.20.10/32
172.100.200.20/32

Created IPsec.
VPN -> IPsec -> I added the remote subnets in the sequence above.

I can ping the branches from the HQ.
But the branches just can't ping each other with the internal subnets.
Anything I'm missing?



This thread was automatically locked due to age.
  • Hello ywillie,

    Thank you for contacting the Sophos Community.

    So basically, at the moment every Firewall has two IPsec connections, one to each of the other Firewalls:

    Firewall A has 1 IPsec tunnel each to Router B and Router C (in total two IPsec tunnels)

    Firewall B has 1 IPsec tunnel each to Router A and Router C (in total two IPsec tunnels)

    Firewall C has 1 IPsec tunnel each to Router A and Router B (in total two IPsec tunnels).

    When you are trying to Ping from Firewall A to Firewall C this Ping is not working, and vice versa, correct?

    You shouldn't have any issue. Do you have the correct Firewall rules for the different Subnets?

    What did you configure for Remote Gateway in the IPsec tunnel in the branches as Remote Networks?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi, there's only 1 IPsec tunnel from A to B.
    Same goes for B to C, only 1 IPsec.

    Can we do two split IPsec tunnels under 1 connection?

  • Hi,

    I'm a visual-tactile learner, so I would need to see a diagram with IPs noted to understand your first post.  I'll guess at what problems you could have.  If you've already followed Hub and Spoke Site-to-Site VPNs, then you probably need to study #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I will provide the network plan later.

    Thx for the Rulz link. It's a very good link that I didn't know where to look for.

    I saw the hub and spoke method link that you referred to a few days earlier, which I tried. It doesn't seem to have worked.

    I guess I might need to read in detail what I left out.

    I remember seeing a WAN to VPN allow any and VPN to WAN firewall rule in the head office main FW, which is why I skipped the firewall rule part, because I assumed that all connectivity to VPN, including SSL VPN and IPsec, is automatically configured to allow traffic coming in from VPN with that rule.
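The two things Emmanuel and Bob point at (the Remote/Local Networks on each tunnel, and the firewall rules at the hub) are what decide whether branch-to-branch traffic can cross a hub-and-spoke layout like the one described above (A-B and B-C tunnels only). The following is an added example, not code from the thread or from Sophos: a small, vendor-neutral Python model of IPsec traffic selectors and zone-based firewall rules, populated with the three subnets from the first post. Tunnel names, the `build()` flags, the "LAN"/"VPN" zone names and the rule format are assumptions for illustration; the generalization it relies on is the standard IPsec requirement that the hub's tunnel to each spoke must list the other spoke's subnet as a local (hub-side) network, and that the hub must permit VPN-to-VPN forwarding.

```python
"""
Hub-and-spoke IPsec reachability model (added example, not Sophos code).
Subnets follow the thread; everything else here is a simplifying assumption.
"""
from ipaddress import ip_address, ip_network

# Site layout from the thread (constructed sample data).
SITES = {
    "A": ip_network("192.168.10.0/24"),   # branch
    "B": ip_network("192.168.20.0/24"),   # HQ, the hub
    "C": ip_network("192.168.30.0/24"),   # branch
}
ANY4 = "0.0.0.0/0"


def tunnel(local, remote):
    """One IPsec connection: its local and remote networks (traffic selectors)."""
    return {"local": [ip_network(n) for n in local],
            "remote": [ip_network(n) for n in remote]}


def selects(tun, src, dst):
    """True if the tunnel's selectors cover src->dst in the outbound direction."""
    return (any(src in n for n in tun["local"]) and
            any(dst in n for n in tun["remote"]))


def next_hop(fw, src, dst):
    """Peer this firewall would encrypt src->dst towards, or None if no tunnel matches."""
    for peer, tun in fw["tunnels"].items():
        if selects(tun, src, dst):
            return peer
    return None


def rule_allows(fw, zone_in, zone_out, src, dst):
    """Zone-based policy: some rule must match both zones and cover both addresses."""
    return any(r["in"] == zone_in and r["out"] == zone_out
               and src in ip_network(r["src"]) and dst in ip_network(r["dst"])
               for r in fw["rules"])


def reachable(firewalls, src, dst, max_hops=4):
    """Walk a packet from the source site's firewall to the destination's.
    Returns (True, path) or (False, reason)."""
    src, dst = ip_address(src), ip_address(dst)
    cur = next(name for name, fw in firewalls.items() if src in fw["lan"])
    path, zone_in = [cur], "LAN"
    for _ in range(max_hops):
        fw = firewalls[cur]
        if dst in fw["lan"]:
            if not rule_allows(fw, zone_in, "LAN", src, dst):
                return False, f"{cur}: no {zone_in}->LAN rule for {src}->{dst}"
            return True, path
        peer = next_hop(fw, src, dst)
        if peer is None:
            return False, f"{cur}: no tunnel selector covers {src}->{dst}"
        if not rule_allows(fw, zone_in, "VPN", src, dst):
            return False, f"{cur}: no {zone_in}->VPN rule for {src}->{dst}"
        # The receiving side's selectors are mirrored: dst must be in its local
        # networks and src in its remote networks, or it will not accept the flow.
        if not selects(firewalls[peer]["tunnels"][cur], dst, src):
            return False, f"{peer}: tunnel to {cur} does not select {src}->{dst}"
        path.append(peer)
        cur, zone_in = peer, "VPN"
    return False, "hop limit exceeded"


def build(hub_lists_other_branch, hub_vpn_to_vpn_rule):
    """Constructed three-site config. Both flags False reproduces the symptom in
    the thread: HQ<->branch works, branch<->branch does not."""
    base_rules = [{"in": "LAN", "out": "VPN", "src": ANY4, "dst": ANY4},
                  {"in": "VPN", "out": "LAN", "src": ANY4, "dst": ANY4}]
    b_rules = list(base_rules)
    if hub_vpn_to_vpn_rule:
        b_rules.append({"in": "VPN", "out": "VPN", "src": ANY4, "dst": ANY4})
    # On the hub, the tunnel to A must carry C's subnet as a *local* network and
    # the tunnel to C must carry A's subnet, otherwise transit is never selected.
    b_local_to_a = ["192.168.20.0/24"] + (["192.168.30.0/24"] if hub_lists_other_branch else [])
    b_local_to_c = ["192.168.20.0/24"] + (["192.168.10.0/24"] if hub_lists_other_branch else [])
    return {
        "A": {"lan": SITES["A"], "rules": base_rules,
              "tunnels": {"B": tunnel(["192.168.10.0/24"], ["192.168.20.0/24", "192.168.30.0/24"])}},
        "B": {"lan": SITES["B"], "rules": b_rules,
              "tunnels": {"A": tunnel(b_local_to_a, ["192.168.10.0/24"]),
                          "C": tunnel(b_local_to_c, ["192.168.30.0/24"])}},
        "C": {"lan": SITES["C"], "rules": base_rules,
              "tunnels": {"B": tunnel(["192.168.30.0/24"], ["192.168.10.0/24", "192.168.20.0/24"])}},
    }


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        cfg = build(*flags)
        print(flags, "B->C:", reachable(cfg, "192.168.20.5", "192.168.30.5"))
        print(flags, "A->C:", reachable(cfg, "192.168.10.5", "192.168.30.5"))
```

Running it shows three stages: with the hub listing only its own LAN on each tunnel, HQ to branch succeeds but A to C stops at B because B's tunnel to A never selects 192.168.30.0/24; adding the other branch's subnet to the hub's local networks moves the failure to B's missing VPN-to-VPN rule; only with both fixes does A reach C via B. A WAN-to-VPN or VPN-to-WAN rule, as mentioned in the last post, is not part of that path in this model, which is why it does not help branch-to-branch traffic.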
