Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 15 replies
  • Subscribers 1 subscriber
  • Views 5523 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Network Extension via two UTMs

goosen8r
Just to start, I am a complete n00b on VPNs and am trying my best to learn, however I have been put in a position to solve a problem quickly, so here goes.

I am needing to connect two geographically separate LANs via bridge and maintain the same IP space on each. I setup two software UTM 9s on a ESXi host to work with for proof of concept. What I HAVE been able to accomplish is build RED tunnel or an IPSec tunnel between the two and allow different networks to communicate, but I need a single network to span them both. 

Is this even possible with UTM 9s in a software only configuration?

I have tried bridging the redsX and eth1 interface on one and trying to get the other to manage the network via this post: https://community.sophos.com/products/unified-threat-management/astaroorg/f/62/t/57348
with no luck.

Any suggestions?


This thread was automatically locked due to age.
Parents
  • 0
    Are these two separately managed network?
    Or shall it be centrally managed (DHCP, etc. only on one site)?

    I'm just asking because if these are separately managed networks you will soon run into IP address conflicts. In that case a 1:1 NAT with transfer networks would be the way.

    What did not work with the solution in the thread you mentioned?

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
Reply
  • 0
    Are these two separately managed network?
    Or shall it be centrally managed (DHCP, etc. only on one site)?

    I'm just asking because if these are separately managed networks you will soon run into IP address conflicts. In that case a 1:1 NAT with transfer networks would be the way.

    What did not work with the solution in the thread you mentioned?

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
Children
  • 0 in reply to scorpionking
    I will be managing the extended network from one UTM only; for simplicity let's call it UTM A, with the remote as UTM B.

    Before trying to span the same network, I attempted using two different networks with UTM A managing the network on UTM B with the following configurations:

    UTM A eth1: 192.168.0.1/24 with DHCP, NAT for local clients
              reds1 (to UTM B): 192.168.10.1/24 with DHCP server
              FW rule allow 192.168.0.0/24 to 192.168.10.0/24
              
    UTM B br0 (bridging eth1 and redc1): 192.168.10.2/24
              static route 192.168.0.0/24 via 192.168.10.1
              FW rule allow 192.168.10.0/24 to 192.168.0.0/24

    I can ping from a client on UTM A (192.168.0.100) to br0 on UTM B (192.168.10.2) but not to a statically configured client (192.168.10.5) on UTM B. The UTM A reds1 (192.168.10.1) has the same pinging results.
  • 0 in reply to goosen8r
    Update:

    I have bridged the internal interface on both UTMs (eth1 and redxX) and configured as follows:

    UTM A: br0 192.168.0.1/24 with DHCP and masquerade  br0 network to eth0

    UTM B: bro 192.168.0.2/24 
                DHCP relay from br0 network to 192.168.0.1

    DHCP works well so I know the L2 tunnel is up but still unable to ping from the client on UTM B to the gateway (192.168.0.1) on UTM A. Am I missing a firewall rule somewhere? I have checked the logs with no luck.
Unfiltered HTML