Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 3258 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site2Site IPSec With Dual WAN Connections.

support@computer-ss.com
Hi,
I'm having an issue with creating an IPSec tunnel from my DMZ to a remote site.  I have no problem creating a tunnel from my LAN to the same remote site.

My Astaro 7 config is as follows:

WAN0 = ISP#1(default gateway)
WAN1 = ISP#2

LAN = Setup to Masquerade via WAN0
DMZ = Setup to Masquerade via WAN1 + Policy Route to use WAN1's ISP gateway.

If I try to ping my remote site from a host machine on the DMZ I get
"From 67.50.8.x icmp_seq=3 Destination Host Unreachable"
which is just one hop up from our ISP on WAN1.  To me, it seems like my policy route is *messing with packets that should be using the IPSec transform.  

Any input would be appriciated.

Thanks,
Sean


This thread was automatically locked due to age.
Parents
  • 0
    "that can cause mysterious issues including strange routing problems."
    Thanks, I'll keep that in mind.

    "if you don't want to activate Uplink balancing"
    I'm concerned about polluting WAN1 with garbage traffic and don't want to jeopardize QOS. Maybe reading up on how the balancing works would alleviate my concerns. 

    I think it's a routing issue because the same IPSec config works from the same remote site connected to our man LAN.

    RemoteSite         MainOffice
    LAN           ==    LAN(WAN0 *out)
    LAN           ==    DMZ(WAN1 *out)

    Thanks,
    Sean
Reply
  • 0
    "that can cause mysterious issues including strange routing problems."
    Thanks, I'll keep that in mind.

    "if you don't want to activate Uplink balancing"
    I'm concerned about polluting WAN1 with garbage traffic and don't want to jeopardize QOS. Maybe reading up on how the balancing works would alleviate my concerns. 

    I think it's a routing issue because the same IPSec config works from the same remote site connected to our man LAN.

    RemoteSite         MainOffice
    LAN           ==    LAN(WAN0 *out)
    LAN           ==    DMZ(WAN1 *out)

    Thanks,
    Sean
Children
No Data