VPN Routing to other subnets

I have the following setup:

  • Three buildings connected by fiber optic to a layer 2 switch
  • Each office has an XTM33 firewall - fiber interconnects are on Trusted Interface 2
  • Each office has its own subnet on Trusted Interface 1
  • Routing is working between all buildings
  • Each office has dedicated Internet connections on External Interface 3
  • VPN users can connect to their own firewall (using that building's public IP address) and are able to access the local subnet at that building, but they can't ping/connect to resources in the other buildings. DNS is working because pings to other buildings return correct addresses.

Routes are clearly established between the buildings as internal users can connect to all other resources.

What am I missing?

    Simple Diagram

    What type of mobile VPN is this?
    IPSec, SSLVPN, L2TP or IKEv2?

    Your VPN users are getting an IP addr from a different subnet than the Trusted subnet.
    1) check that the resources listed in the mobile VPN setup include the other trusted subnets
    2) make sure that the mobile user subnets at each site are different from those used at any other site
    3) add Network -> Routes at each site for the subnet that the mobile users get at the other 2 sites

    I have L2TP and IKEv2 enabled. Issue occurs over both. Default addresses are being used: L2TP clients receive a 192.168.115.x address and IKEv2 clients get 192.168.114.x addresses.

    I would expect spoofing source deny log messages on firewall 2 when a VPN user from firewall 1 tries to access the firewall 2 trusted subnet.
    Adding the appropriate Network -> Routes on firewall 2 would resolve this and allow the desired access.
    Do the same for VPN access desired from any firewall to the trusted subnet of any other firewall.
    And as stated earlier, the VPN subnets must be different on each firewall for the desired access to work.
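
The two conditions in the answer above (unique mobile VPN pools per site, plus a route on every firewall for the other sites' pools) can be checked before touching the firewalls. The following is an added example, not code from the thread or from WatchGuard; all addresses are constructed, and it assumes each route's gateway is the peer firewall's address on the Trusted 2 fiber interconnect.

```python
import ipaddress
from itertools import combinations

# Constructed model of the thread's topology: three offices, each with a
# trusted LAN (Trusted 1), an address on the shared fiber interconnect
# (Trusted 2) and the mobile VPN pools its firewall hands out. The pool
# values are the defaults mentioned in the thread; everything else is made up.
DEFAULT_POOLS = ["192.168.115.0/24", "192.168.114.0/24"]  # L2TP, IKEv2

BROKEN = {  # every firewall still uses the default pools -> overlap
    "fw1": {"trusted": "10.1.0.0/24", "interconnect": "10.0.0.1", "vpn_pools": DEFAULT_POOLS},
    "fw2": {"trusted": "10.2.0.0/24", "interconnect": "10.0.0.2", "vpn_pools": DEFAULT_POOLS},
    "fw3": {"trusted": "10.3.0.0/24", "interconnect": "10.0.0.3", "vpn_pools": DEFAULT_POOLS},
}

FIXED = {  # unique pools per site, as the accepted answer requires
    "fw1": {"trusted": "10.1.0.0/24", "interconnect": "10.0.0.1", "vpn_pools": ["192.168.115.0/24", "192.168.114.0/24"]},
    "fw2": {"trusted": "10.2.0.0/24", "interconnect": "10.0.0.2", "vpn_pools": ["192.168.125.0/24", "192.168.124.0/24"]},
    "fw3": {"trusted": "10.3.0.0/24", "interconnect": "10.0.0.3", "vpn_pools": ["192.168.135.0/24", "192.168.134.0/24"]},
}

def _nets(site):
    return [ipaddress.ip_network(p) for p in site["vpn_pools"]]

def overlapping_pools(sites):
    """Pairs (site_a, site_b, pool_a, pool_b) whose mobile VPN pools overlap.
    Any hit means a remote firewall cannot distinguish the two user groups, so
    return traffic is misrouted or dropped as a spoofed source."""
    hits = []
    for a, b in combinations(sorted(sites), 2):
        for pa in _nets(sites[a]):
            for pb in _nets(sites[b]):
                if pa.overlaps(pb):
                    hits.append((a, b, str(pa), str(pb)))
    return hits

def required_routes(sites):
    """Network -> Routes each firewall needs: every other site's VPN pools,
    with the gateway assumed to be that site's Trusted 2 interconnect address."""
    routes = {}
    for fw in sorted(sites):
        routes[fw] = [(str(p), sites[peer]["interconnect"])
                      for peer in sorted(sites) if peer != fw
                      for p in _nets(sites[peer])]
    return routes
```

Run `overlapping_pools` first; only when it returns an empty list do the routes from `required_routes` make sense to add.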

    @Bruce_Briggs Thanks that worked! Default VPN subnets were the same on each firewall.