Site to Site VPN between 3 firewall

Hello ywillie,

Thank you for contacting the Sophos Community.

So basically at the moment, every Firewall has two IPsec connections to each Firewall

Firewall A has 1 IPsec to each Router B and Router C (in total two IPsec tunnels)

Firewall B has 1 IPsec to each Router A and Router C (in total two IPsec tunnels)

Firewall C has 1 IPsec to each Router A and Router B (in total two IPsec tunnels).

When you are trying to Ping from Firewall A to Firewall C this Ping is not working and vice-versa, correct?

You shouldn't have any issue, do you have the correct Firewall rules for the different Subnets?

What did you configure for Remote Gateway in the IPsec tunnel in the branches as Remote Networks?

Regards,

Hi.. there's only 1 ipsec tunnel from A to B .
Same goes for B to C , only 1 ipsec.

Can we do two split ipsec tunnel under 1 connection ?

Hi,

I'm a visual-tactile learner, so I would need to see a diagram with IPs noted to understand your first post.  I'll guess at what problems you could have.  If you've already followed Hub and Spoke Site-to-Site VPNs, then you probably need to study #2 in Rulz (last updated 2019-04-17).

Cheers - Bob

I will provide the network plan later.

Thx for the rulez link. Its a very good link that i didnt know where to look.

I saw the hub and spoke method link that you referred few days earlier which i tried . It doesnt seems to worked.

I guess i might need to read in details what i left out.

I remember seeing a wan to vpn allow any and vpn to wan firewall rule in the headoffice main fw. Which is why i skipped the firewall rule part. Because i assume that all internetivity to vpn including sslvpn , ipsecs are automatically configured to allow traffics coming in from vpn with that rule.

This is the current setup.
I'm trying to get traffic from A network to C network through B

Nice diagram - thanks!

All traffic other than pings work - correct?  Do you see any pings between A and C blocked in any of the three firewall logs?

If no traffic is passing, please show us pictures of the 'Preshared Key Settings' on the 'Advanced' tab and the Edits of the IPsec Connection and Remote Gateway for sites A & B.  Also confirm which of the UTMs is behind a NATting router and what public IP is on the router.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

Cheers - Bob

Hello ywillie,

Thank you for the Follow-up.

If you do an IP route get from the UTM SG 125 with subnet 192.198.10.0/24 what is the output of this command

# ip route get 192.168.30.X (x is the IP host of a computer behind  the UTM with subnet 192.168.30.0/24)

regards,

i notice something weird though.
There's successful ping to reach 192.168.10.1 from firewall C.
But trying to ping 192.168.30.1 from firewall A resulted in no respond.

Perhaps i really need to use wireshark to monitor where the packets ended and post a result here.

Is ok.. I found the easy way out.
Instead of figuring out the policy or routing issues, i just did another ipsec between FW A and FW C.
This allows an alternate route instead relying on FW B to route traffics between FW A and FW C.
It's much more easier.

Is ok.. I found the easy way out.
Instead of figuring out the policy or routing issues, i just did another ipsec between FW A and FW C.
This allows an alternate route instead relying on FW B to route traffics between FW A and FW C.
It's much more easier.