[Problem] VPN IPsec LAN2LAN with more than one network

skizzo3000

Hi,
I'm trying to create an IPsec LAN2LAN between a FRITZ!Box 6890 LTE (7.39-101643 BETA) and a Sophos XG FW v19.5.

Fritz network 192.168.30.0/24
Sophos networks 192.168.31.0/24, 192.168.32.0/24, 192.168.33.0/24, 192.168.34.0/24, 192.168.35.0/24


My Fritz config

Code:
vpncfg {
connections {
editable = yes;
enabled = yes;
use_ikev2 = no;
conn_type = conntype_lan;
name = "LAN_Ipsec";
always_renew = yes;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "xyzde.avm.de";
keepalive_ip = 192.168.151.1;
localid {
fqdn = fritz.dyndns.org;
}
remoteid {
fqdn = xyzde.avm.de;
}
mode = phase1_mode_idp;
phase1ss = "dh14/aes/sha";
keytype = connkeytype_pre_shared;
key = "xxxxxxxxxxxxxxxxxxxxxxxxx";
cert_do_server_auth = no;
use_nat_t = no;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
        ipaddr = 192.168.30.0;
        mask = 255.255.255.0;
        }
}
phase2remoteid {
ipnet {
        ipaddr = 192.168.31.0;
        mask = 255.255.255.0;
        }
ipnet {
        ipaddr = 192.168.32.0;
        mask = 255.255.255.0;
        }
ipnet {
        ipaddr = 192.168.33.0;
        mask = 255.255.255.0;
        }
ipnet {
        ipaddr = 192.168.34.0;
        mask = 255.255.255.0;
        }
ipnet {
        ipaddr = 192.168.35.0;
        mask = 255.255.255.0;
        }
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 192.168.31.0 255.255.255.0",
"permit ip any 192.168.32.0 255.255.255.0",
"permit ip any 192.168.33.0 255.255.255.0",
"permit ip any 192.168.34.0 255.255.255.0",
"permit ip any 192.168.35.0 255.255.255.0";

}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}

The IPsec configuration works, but in the FRITZ!Box it is not possible to manage more than one remote network.
Sophos shows that there is only one match:
192.168.30.0/24 <-> 192.168.35.0/24

The FRITZ!Box accepts only the last network, 192.168.35.0/24.

Is it possible to specify more than one remote network in IPsec?

Thanks
 
Don't add more than one ipnet entry in the phase2remoteid section. But keep all networks in the accesslist entry - they select which traffic is sent through the VPN tunnel.
 
@PeterPawn thanks for your suggestion, but the accesslist section, I think, is only about firewall/routing in the FRITZ!Box and not about the IPsec protocol.
I tried your solution, but no good news.

Fritz declares only one net via IPsec:
[screenshot attachment: 1673092084379.png]

Sophos log
Code:
CHILD_SA Fritz-2{1121} established with SPIs ccb3xxx5_i 345yyy2e_o and TS 192.168.31.0/24 === 192.168.30.0/24
{"me":"mysophos.xyz.net",
"peer":"fritz.xyz.net",
"mynet":"192.168.31.0/24",
"peernet":"192.168.30.0/24",
.......}

[screenshot attachment: 1673092017928.png]

Fritz, as shown, doesn't declare the remote networks in the CHILD_SA, so no connection is possible to the other networks.

If Fritz doesn't declare the remote networks in the CHILD_SA, the Sophos cannot set up its routes correctly.

:(

 
It's as I wrote above ... FRITZ!OS needs only one entry with the DIRECTLY connected network - and the remaining traffic to all other networks has to be selected for encryption (which means: for the IPsec tunnel) using the aforementioned accesslist parameter.


If this IS NOT the scenario you need (EDIT: beside the difference, that YOUR second device is a Sophos firewall and not a FRITZ!Box, too), you should explain your attempts/your needs better.

Another CHILD_SA would only be needed if the Sophos would not route the (decrypted) ingress traffic from the IPsec tunnel to your FRITZ!Box on to the other networks.

If you want a connection which is really opaque to the Sophos firewall itself (so there's no option to decrypt and route the traffic to the other networks), that's impossible with only ONE connection and you have to configure a connection of its own for each remote network.

Another option could be to use a network mask with fewer than 24 bits ... but your network segments are made more for "human readability" than by following the binary-based rules for how to split network segments.

If you want to collect more than one network behind your firewall into a single network segment, you need to change their numbers. If you start with 192.168.32.0 and use up to 192.168.36.0 (that's five /24 networks, too), you may address all of them at once using a single network segment address of 192.168.32.0/21 - the 3 additional bits from the network mask may form 2 ** 3 = 8 additional segments with 254 hosts each. But this is IMPOSSIBLE if your segments can't be aggregated to a common one, which is unrelated to the segment used by your FRITZ!Box device.

It's unclear from your descriptions whether the other networks behind your firewall are connected directly to the Sophos device or whether they are behind additional IPsec tunnels to more locations - more explanations are needed.
 
Hi,
I want to realize this scenario:
[screenshot attachment: 1673180872786.png]


Sophos is based on strongSwan.
The connection log follows:
Code:
2023-01-08 12:22:28Z 11[IKE] <Montagna-1|990> scheduling rekeying in 3061s
2023-01-08 12:22:28Z 11[IKE] <Montagna-1|990> maximum IKE_SA lifetime 3421s
2023-01-08 12:22:28Z 11[ENC] <Montagna-1|990> generating ID_PROT response 0 [ ID HASH ]
2023-01-08 12:22:28Z 11[NET] <Montagna-1|990> sending packet: from sopohos.xyz.net[500] to fritz.xyz.net[500] (140 bytes)
2023-01-08 12:22:28Z 31[NET] <Montagna-1|990> received packet: from fritz.xyz.net[500] to sopohos.xyz.net[500] (124 bytes)
2023-01-08 12:22:28Z 31[ENC] <Montagna-1|990> parsed INFORMATIONAL_V1 request 502584038 [ HASH N(INITIAL_CONTACT) ]
2023-01-08 12:22:28Z 19[NET] <Montagna-1|990> received packet: from fritz.xyz.net[500] to sopohos.xyz.net[500] (892 bytes)
2023-01-08 12:22:28Z 19[ENC] <Montagna-1|990> parsed QUICK_MODE request 1981572055 [ HASH SA No KE ID ID ]
2023-01-08 12:22:28Z 19[IKE] <Montagna-1|990> ### process_request invoking quick_mode_create
2023-01-08 12:22:28Z 19[IKE] <Montagna-1|990> ### quick_mode_create: 0x7f3898002ae0 config (nil)
2023-01-08 12:22:28Z 19[IKE] <Montagna-1|990> ### process_r: 0x7f3898002ae0 QM_INIT
2023-01-08 12:22:28Z 19[IKE] <Montagna-1|990> ### build_r: 0x7f3898002ae0 QM_INIT
2023-01-08 12:22:28Z 19[ENC] <Montagna-1|990> generating QUICK_MODE response 1981572055 [ HASH SA No KE ID ID ]
2023-01-08 12:22:28Z 19[NET] <Montagna-1|990> sending packet: from sopohos.xyz.net[500] to fritz.xyz.net[500] (492 bytes)
2023-01-08 12:22:28Z 24[NET] <Montagna-1|990> received packet: from fritz.xyz.net[500] to sopohos.xyz.net[500] (108 bytes)
2023-01-08 12:22:28Z 24[ENC] <Montagna-1|990> parsed QUICK_MODE request 1981572055 [ HASH ]
2023-01-08 12:22:28Z 24[IKE] <Montagna-1|990> ### process_r: 0x7f3898002ae0 QM_NEGOTIATED
2023-01-08 12:22:28Z 24[IKE] <Montagna-1|990> CHILD_SA Montagna-2{1182} established with SPIs c1350334_i d468f2bf_o and TS 192.168.31.0/24 === 192.168.30.0/24
2023-01-08 12:22:28Z 24[APP] <Montagna-1|990> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (192.168.31.0/24#192.168.30.0/24)
2023-01-08 12:22:28Z 24[APP] <Montagna-1|990> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 0 to 1 ++ up ++ (sopohos.xyz.net#fritz.xyz.net#n)
2023-01-08 12:22:28Z 24[APP] <Montagna-1|990> [COP-UPDOWN] (cop_updown_invoke_once) UID: 990 Net: Local sopohos.xyz.net Remote fritz.xyz.net Connection: Montagna Fullname: Montagna-1
2023-01-08 12:22:28Z 24[APP] <Montagna-1|990> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
2023-01-08 12:22:28Z 24[IKE] <Montagna-1|990> ### destroy: 0x7f3898002ae0
2023-01-08 12:22:28Z 10[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Montagna' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family: '0'
2023-01-08 12:22:28Z 10[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown ++ up ++
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"SOPHOS","remote_server":"FRITZ","action":"enable","family":"0","conntype":"ntn","compress":"0"}'': success 0
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown ++ up ++
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] NTN get actual...
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN][DB] (db_query) No data retrieved from query: 'SELECT ( nath.netid              || '/'                  || nath.netmask ) AS natedlan FROM   tblvpnconnhostrel AS rel        JOIN tblhost AS h             ON h.hostid = rel.hostid          JOIN tblhost AS nath             ON rel .natedhost = nath.hostid WHERE  rel.connectionid = $1      AND rel.hostlocation = 'L'      AND h.netid = $2        AND h.netmask = $3 LIMIT  1;' status: 2 rows: 0
2023-01-08 12:22:29Z 10[APP] 
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'Montagna' using  interface 'ipsec0'
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN][NET] (get_src_ip) source address for 192.168.31.0 is IP: 192.168.53.65 
2023-01-08 12:22:29Z 10[APP] 
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 192.168.30.0/24 dev ipsec0 src 192.168.53.65 table 220': success 0
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN] (add_routes) no routes to add for Montagna on interface ipsec0
2023-01-08 12:22:29Z 10[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"sopohos.xyz.net","peer":"fritz.xyz.net","mynet":"192.168.31.0/24","peernet":"192.168.30.0/24","connop":"1","iface":"Port2","myproto":"0","myport":"0","peerproto":"0","peerport":"0","conntype":"ntn","actnet":"","compress":"0","conn_id":"1"}'': success 0

In this situation only the Sophos network 192.168.31.0/24 is reachable from the Fritz network 192.168.30.0/24, I suppose because Fritz doesn't 'declare' the remote networks it wants.

Later I will make a test with 2 Sophos in the same scenario to compare the strongSwan log.

Thanks
Sk3

Here I am with the Sophos LAN2LAN example.

In this example, sophos has 192.168.56.0/24 and other_sophos has 192.168.40.0/24, 192.168.39.0/24 and 192.168.37.0/24.

As shown, there are 3 CHILD_SAs for the 3 networks:

2023-01-08 13:03:08Z 05[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-2{1186} established with SPIs c7b8957d_i c38ddeb9_o and TS 192.168.56.0/24 === 192.168.40.0/24
2023-01-08 13:03:08Z 16[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-1{1187} established with SPIs c1137571_i c42994e0_o and TS 192.168.56.0/24 === 192.168.37.0/24
2023-01-08 13:03:08Z 22[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-3{1188} established with SPIs ca8d59f8_i c69ac2d1_o and TS 192.168.56.0/24 === 192.168.39.0/24

Code:
2023-01-08 13:02:47Z 32[NET] <1003> sending packet: from sophos.xyz.net[4500] to other_sophos.xyz.net[4500] (96 bytes)
2023-01-08 13:03:08Z 29[NET] <1004> received packet: from other_sophos.xyz.net[500] to sophos.xyz.net[500] (1434 bytes)
2023-01-08 13:03:08Z 29[ENC] <1004> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2023-01-08 13:03:08Z 29[IKE] <1004> other_sophos.xyz.net is initiating an IKE_SA
2023-01-08 13:03:08Z 29[IKE] <1004> remote host is behind NAT
2023-01-08 13:03:08Z 29[ENC] <1004> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
2023-01-08 13:03:08Z 29[NET] <1004> sending packet: from sophos.xyz.net[500] to other_sophos.xyz.net[500] (242 bytes)
2023-01-08 13:03:08Z 05[NET] <1004> received packet: from other_sophos.xyz.net[4500] to sophos.xyz.net[4500] (512 bytes)
2023-01-08 13:03:08Z 05[ENC] <1004> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2023-01-08 13:03:08Z 05[CFG] <1004> looking for peer configs matching sophos.xyz.net[[email protected]]...other_sophos.xyz.net[[email protected]]
2023-01-08 13:03:08Z 05[CFG] <TESTCON-1|1004> selected peer config 'TESTCON-1'
2023-01-08 13:03:08Z 05[IKE] <TESTCON-1|1004> authentication of '[email protected]' with pre-shared key successful
2023-01-08 13:03:08Z 05[IKE] <TESTCON-1|1004> authentication of '[email protected]' (myself) with pre-shared key
2023-01-08 13:03:08Z 05[IKE] <TESTCON-1|1004> IKE_SA TESTCON-1[1004] established between sophos.xyz.net[[email protected]]...other_sophos.xyz.net[[email protected]]
2023-01-08 13:03:08Z 05[IKE] <TESTCON-1|1004> scheduling rekeying in 5008s
2023-01-08 13:03:08Z 05[IKE] <TESTCON-1|1004> maximum IKE_SA lifetime 5368s
2023-01-08 13:03:08Z 05[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-2{1186} established with SPIs c7b8957d_i c38ddeb9_o and TS 192.168.56.0/24 === 192.168.40.0/24
2023-01-08 13:03:08Z 05[APP] <TESTCON-1|1004> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (192.168.56.0/24#192.168.40.0/24)
2023-01-08 13:03:08Z 05[APP] <TESTCON-1|1004> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 0 to 1 ++ up ++ (sophos.xyz.net#other_sophos.xyz.net#n)
2023-01-08 13:03:08Z 05[APP] <TESTCON-1|1004> [COP-UPDOWN] (cop_updown_invoke_once) UID: 1004 Net: Local sophos.xyz.net Remote other_sophos.xyz.net Connection: TESTCON Fullname: TESTCON-1
2023-01-08 13:03:08Z 05[APP] <TESTCON-1|1004> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
2023-01-08 13:03:08Z 05[ENC] <TESTCON-1|1004> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
2023-01-08 13:03:08Z 05[NET] <TESTCON-1|1004> sending packet: from sophos.xyz.net[4500] to other_sophos.xyz.net[4500] (288 bytes)
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'TESTCON' result --> id: '3', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown ++ up ++
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"sophos.xyz.net","remote_server":"other_sophos.xyz.net","action":"enable","family":"0","conntype":"ntn","compress":"0"}'': success 0
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown ++ up ++
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] NTN get actual...
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][DB] (db_query) No data retrieved from query: 'SELECT ( nath.netid              || '/'                  || nath.netmask ) AS natedlan FROM   tblvpnconnhostrel AS rel        JOIN tblhost AS h             ON h.hostid = rel.hostid          JOIN tblhost AS nath             ON rel .natedhost = nath.hostid WHERE  rel.connectionid = $1      AND rel.hostlocation = 'L'      AND h.netid = $2        AND h.netmask = $3 LIMIT  1;' status: 2 rows: 0
2023-01-08 13:03:08Z 14[APP]  
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'TESTCON' using  interface 'ipsec0'
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][NET] (get_src_ip) source address for 192.168.56.0 is IP: 192.168.55.1 
2023-01-08 13:03:08Z 14[APP] 
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 192.168.40.0/24 dev ipsec0 src 192.168.55.1 table 220': success 0
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (add_routes) no routes to add for TESTCON on interface ipsec0
2023-01-08 13:03:08Z 16[NET] <TESTCON-1|1004> received packet: from other_sophos.xyz.net[4500] to sophos.xyz.net[4500] (1168 bytes)
2023-01-08 13:03:08Z 16[ENC] <TESTCON-1|1004> parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
2023-01-08 13:03:08Z 16[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-1{1187} established with SPIs c1137571_i c42994e0_o and TS 192.168.56.0/24 === 192.168.37.0/24
2023-01-08 13:03:08Z 16[APP] <TESTCON-1|1004> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (192.168.56.0/24#192.168.37.0/24)
2023-01-08 13:03:08Z 16[APP] <TESTCON-1|1004> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 1 to 2 ++ up ++ (sophos.xyz.net#other_sophos.xyz.net#n)
2023-01-08 13:03:08Z 16[APP] <TESTCON-1|1004> [COP-UPDOWN] (cop_updown_invoke_once) UID: 1004 Net: Local sophos.xyz.net Remote other_sophos.xyz.net Connection: TESTCON Fullname: TESTCON-1
2023-01-08 13:03:08Z 16[APP] <TESTCON-1|1004> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
2023-01-08 13:03:08Z 16[ENC] <TESTCON-1|1004> generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
2023-01-08 13:03:08Z 16[NET] <TESTCON-1|1004> sending packet: from sophos.xyz.net[4500] to other_sophos.xyz.net[4500] (272 bytes)
2023-01-08 13:03:08Z 22[NET] <TESTCON-1|1004> received packet: from other_sophos.xyz.net[4500] to sophos.xyz.net[4500] (1168 bytes)
2023-01-08 13:03:08Z 22[ENC] <TESTCON-1|1004> parsed CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
2023-01-08 13:03:08Z 22[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-3{1188} established with SPIs ca8d59f8_i c69ac2d1_o and TS 192.168.56.0/24 === 192.168.39.0/24
2023-01-08 13:03:08Z 22[APP] <TESTCON-1|1004> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (192.168.56.0/24#192.168.39.0/24)
2023-01-08 13:03:08Z 22[APP] <TESTCON-1|1004> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 2 to 3 ++ up ++ (sophos.xyz.net#other_sophos.xyz.net#n)
2023-01-08 13:03:08Z 22[APP] <TESTCON-1|1004> [COP-UPDOWN] (cop_updown_invoke_once) UID: 1004 Net: Local sophos.xyz.net Remote other_sophos.xyz.net Connection: TESTCON Fullname: TESTCON-1
2023-01-08 13:03:08Z 22[APP] <TESTCON-1|1004> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
2023-01-08 13:03:08Z 22[ENC] <TESTCON-1|1004> generating CREATE_CHILD_SA response 3 [ SA No KE TSi TSr ]
2023-01-08 13:03:08Z 22[NET] <TESTCON-1|1004> sending packet: from sophos.xyz.net[4500] to other_sophos.xyz.net[4500] (272 bytes)
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"sophos.xyz.net","peer":"other_sophos.xyz.net","mynet":"192.168.56.0/24","peernet":"192.168.40.0/24","connop":"1","iface":"Port2","myproto":"0","myport":"0","peerproto":"0","peerport":"0","conntype":"ntn","actnet":"","compress":"0","conn_id":"3"}'': success 0
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'TESTCON' result --> id: '3', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (sophos.xyz.net to other_sophos.xyz.net) already set up
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown ++ up ++
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] NTN get actual...
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][DB] (db_query) No data retrieved from query: 'SELECT ( nath.netid              || '/'                  || nath.netmask ) AS natedlan FROM   tblvpnconnhostrel AS rel        JOIN tblhost AS h             ON h.hostid = rel.hostid          JOIN tblhost AS nath             ON rel .natedhost = nath.hostid WHERE  rel.connectionid = $1      AND rel.hostlocation = 'L'      AND h.netid = $2        AND h.netmask = $3 LIMIT  1;' status: 2 rows: 0
2023-01-08 13:03:08Z 14[APP]  
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'TESTCON' using  interface 'ipsec0'
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][NET] (get_src_ip) source address for 192.168.56.0 is IP: 192.168.55.1 
2023-01-08 13:03:08Z 14[APP] 
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 192.168.37.0/24 dev ipsec0 src 192.168.55.1 table 220': success 0
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (add_routes) no routes to add for TESTCON on interface ipsec0
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"sophos.xyz.net","peer":"other_sophos.xyz.net","mynet":"192.168.56.0/24","peernet":"192.168.37.0/24","connop":"1","iface":"Port2","myproto":"0","myport":"0","peerproto":"0","peerport":"0","conntype":"ntn","actnet":"","compress":"0","conn_id":"3"}'': success 0
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'TESTCON' result --> id: '3', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (sophos.xyz.net to other_sophos.xyz.net) already set up
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown ++ up ++
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] NTN get actual...
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][DB] (db_query) No data retrieved from query: 'SELECT ( nath.netid              || '/'                  || nath.netmask ) AS natedlan FROM   tblvpnconnhostrel AS rel        JOIN tblhost AS h             ON h.hostid = rel.hostid          JOIN tblhost AS nath             ON rel .natedhost = nath.hostid WHERE  rel.connectionid = $1      AND rel.hostlocation = 'L'      AND h.netid = $2        AND h.netmask = $3 LIMIT  1;' status: 2 rows: 0
2023-01-08 13:03:08Z 14[APP]  
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'TESTCON' using  interface 'ipsec0'
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][NET] (get_src_ip) source address for 192.168.56.0 is IP: 192.168.55.1 
2023-01-08 13:03:08Z 14[APP] 
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 192.168.39.0/24 dev ipsec0 src 192.168.55.1 table 220': success 0
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN] (add_routes) no routes to add for TESTCON on interface ipsec0
2023-01-08 13:03:08Z 14[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"sophos.xyz.net","peer":"other_sophos.xyz.net","mynet":"192.168.56.0/24","peernet":"192.168.39.0/24","connop":"1","iface":"Port2","myproto":"0","myport":"0","peerproto":"0","peerport":"0","conntype":"ntn","actnet":"","compress":"0","conn_id":"3"}'': success 0

Fritz sends only one CHILD_SA to the Sophos.

I'm not an IPsec expert ;(

Thanks
Sk3
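To make the comparison between the two logs mechanical, here is an added example (not code from the thread or from Sophos/strongSwan): it parses the "CHILD_SA ... established with SPIs ... and TS ... === ..." lines a Sophos XG writes and reports which expected local/remote network pairs have no CHILD_SA whose traffic selectors cover them. The FRITZ and TESTCON sample lines are copied from the posts above; the line with a 192.168.32.0/22 selector is constructed, to show that one aggregated selector also counts as coverage for the /24s inside it. Everything else (function names, the expected-pair list) is the example's own assumption.

```python
"""Added example: check strongSwan CHILD_SA log lines against the network pairs
a site-to-site tunnel is supposed to carry (not part of the forum thread)."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Matches strongSwan's "CHILD_SA <conn>{<reqid>} established with SPIs <i>_i <o>_o and TS <local> === <remote>"
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+)\{(?P<reqid>\d+)\} established with SPIs "
    r"(?P<spi_i>\w+)_i (?P<spi_o>\w+)_o and TS (?P<ts_local>\S+) === (?P<ts_remote>\S+)"
)

# Sample lines copied from the thread (Sophos side; first field of TS is the Sophos network).
FRITZ_LOG = """\
2023-01-08 12:22:28Z 24[ENC] <Montagna-1|990> parsed QUICK_MODE request 1981572055 [ HASH ]
2023-01-08 12:22:28Z 24[IKE] <Montagna-1|990> CHILD_SA Montagna-2{1182} established with SPIs c1350334_i d468f2bf_o and TS 192.168.31.0/24 === 192.168.30.0/24
"""

TESTCON_LOG = """\
2023-01-08 13:03:08Z 05[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-2{1186} established with SPIs c7b8957d_i c38ddeb9_o and TS 192.168.56.0/24 === 192.168.40.0/24
2023-01-08 13:03:08Z 16[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-1{1187} established with SPIs c1137571_i c42994e0_o and TS 192.168.56.0/24 === 192.168.37.0/24
2023-01-08 13:03:08Z 22[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-3{1188} established with SPIs ca8d59f8_i c69ac2d1_o and TS 192.168.56.0/24 === 192.168.39.0/24
"""

# Constructed line (NOT from the thread): a single CHILD_SA with an aggregated /22 selector.
AGGREGATED_LOG = (
    "2023-01-08 13:10:00Z 07[IKE] <TESTCON-1|1004> CHILD_SA TESTCON-4{1189} established "
    "with SPIs 00000001_i 00000002_o and TS 192.168.56.0/24 === 192.168.32.0/22\n"
)

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def established_selectors(log: str) -> List[Selector]:
    """(local, remote) traffic selectors of every CHILD_SA the log reports as established."""
    selectors: List[Selector] = []
    for line in log.splitlines():
        m = CHILD_SA_RE.search(line)
        if m:
            selectors.append(
                (ipaddress.ip_network(m["ts_local"]), ipaddress.ip_network(m["ts_remote"]))
            )
    return selectors


def missing_child_sas(log: str, expected: Iterable[Tuple[str, str]]) -> List[str]:
    """Expected (local, remote) pairs that no established CHILD_SA covers.

    A pair is covered when both networks are contained in one CHILD_SA's selectors,
    so an aggregated selector such as 192.168.32.0/22 covers 192.168.33.0/24.
    """
    have = established_selectors(log)
    missing: List[str] = []
    for local, remote in expected:
        lnet, rnet = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        if not any(lnet.subnet_of(tl) and rnet.subnet_of(tr) for tl, tr in have):
            missing.append(f"{local} === {remote}")
    return missing


if __name__ == "__main__":
    # The thread's FRITZ!Box case: five Sophos networks, one FRITZ!Box network.
    sophos_nets = [f"192.168.{n}.0/24" for n in range(31, 36)]
    print("FRITZ case, uncovered pairs:",
          missing_child_sas(FRITZ_LOG, [(n, "192.168.30.0/24") for n in sophos_nets]))
    # The Sophos-to-Sophos case: every pair is covered by its own CHILD_SA.
    other = ["192.168.40.0/24", "192.168.37.0/24", "192.168.39.0/24"]
    print("TESTCON case, uncovered pairs:",
          missing_child_sas(TESTCON_LOG, [("192.168.56.0/24", r) for r in other]))
```

Run against the FRITZ log it lists the four Sophos networks (32 to 35) that have no CHILD_SA, which is exactly the symptom reported above; against the TESTCON log the list is empty. Because the check uses subnet containment rather than string equality, the same script also accepts the single-prefix arrangement PeterPawn describes, where one CHILD_SA with a wider selector stands in for several /24 selectors.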
 
OK, your subnets are local as a whole, as far as I understand.

What's the PRIMARY network on your Sophos site? Your tunnel needs ONE common (remote) network segment as its target, if you want to connect your FRITZ!Box (which is one single end-point) with the firewall using IPSec VPN. If there are five (virtual) interfaces (at the Sophos site) with five different network segments (as your picture shows us) and those networks have nothing in common with their segment addresses, you can't address them as a single network segment.

There's no "piggyback network" feature in FRITZ!OS beside the option described by AVM above.

Did you REALIZE/CHECK, what I wrote above regarding IP subnetting?

Your FRITZ!Box WILL NEVER negotiate more than one SA for a connection (or better more than two, because each direction (ingress, egress) has its own key and therefore its own SA) - if you want to transport traffic for more than a single remote (/24) network segment in a single tunnel, you have to use a numbering scheme for the remote networks, where the network mask may be changed (reduced) to get an address, which stands for ALL of the remote networks.

Maybe your Sophos firewall is handling all XFRM actions on kernel level already and therefore needs/handles different SAs for each (remote) network - the FRITZ!OS IPsec will not do this, and if you really want to get DIFFERENT SAs for each subnet (in your "example" above the FRITZ!Box device would use the local segment 192.168.56.0/24, while the other networks (37, 39, 40) are remote to your FRITZ!Box), you have to establish more than a single VPN tunnel, which means: "more than a single VPN connection" in FRITZ!OS. Period.

Have a look (again?) at IP subnetting and AVM's approach to configuring multiple remote networks ... there are DIFFERENT options and it's your choice which of them you prefer. But once your decision has been made, don't mix the options again and configure your chosen solution through to the end.
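The subnetting advice in the two replies above (one phase2remoteid prefix per FRITZ!OS connection, aggregate the remote networks or use one connection per prefix) can be checked mechanically. The following is an added example, not code from the thread, from AVM or from Sophos: it takes the FRITZ!Box LAN and the networks behind the Sophos, collapses the remote networks into the fewest exact CIDR blocks (one FRITZ!OS connection each), computes the smallest single prefix that would cover all of them, and flags when that prefix overlaps the FRITZ!Box's own segment. It also emits accesslist entries in the "permit ip any <net> <mask>" syntax from the posted vpncfg; the function names and the plan() dictionary keys are the example's own.

```python
"""Added example: can a set of /24 networks behind the remote gateway be carried
by ONE FRITZ!OS IPsec connection, and if not, how many prefixes are needed?
Not part of the forum thread."""
import ipaddress
from typing import Dict, Iterable, List


def collapse(nets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Fewest CIDR blocks that cover exactly the given networks (no over-coverage)."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))


def smallest_supernet(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every given network (may over-cover)."""
    networks = [ipaddress.ip_network(n) for n in nets]
    candidate = networks[0]
    # Widen the mask one bit at a time until all networks fit inside.
    while not all(n.subnet_of(candidate) for n in networks):
        candidate = candidate.supernet()
    return candidate


def accesslist(blocks: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Entries in the vpncfg accesslist syntax shown in the thread."""
    return [f"permit ip any {b.network_address} {b.netmask}" for b in blocks]


def plan(local: str, remotes: Iterable[str]) -> Dict[str, object]:
    """Summarise the options for one local segment and a list of remote segments."""
    remotes = list(remotes)
    blocks = collapse(remotes)
    single = smallest_supernet(remotes)
    local_net = ipaddress.ip_network(local)
    return {
        # Exact blocks: one FRITZ!OS connection per entry, no stray addresses.
        "exact_blocks": [str(b) for b in blocks],
        "connections_needed": len(blocks),
        # One prefix for everything: a single connection, but possibly too wide.
        "single_prefix": str(single),
        "single_prefix_overcovers": single.num_addresses > sum(b.num_addresses for b in blocks),
        # A prefix that swallows the FRITZ!Box LAN itself is unusable as remote selector.
        "single_prefix_clashes_with_local": single.overlaps(local_net),
        "accesslist": accesslist(blocks),
    }


if __name__ == "__main__":
    # The thread's numbering: FRITZ!Box 192.168.30.0/24, Sophos 192.168.31.0/24 .. 192.168.35.0/24
    for key, value in plan("192.168.30.0/24", [f"192.168.{n}.0/24" for n in range(31, 36)]).items():
        print(f"{key}: {value}")
    print("--- renumbered as PeterPawn suggests: 192.168.32.0/24 .. 192.168.36.0/24")
    for key, value in plan("192.168.30.0/24", [f"192.168.{n}.0/24" for n in range(32, 37)]).items():
        print(f"{key}: {value}")
```

For the thread's numbering, the networks 31 to 35 collapse to 192.168.31.0/24 plus 192.168.32.0/22, so two connections would carry them exactly, while the smallest single prefix is 192.168.0.0/18, which overlaps the FRITZ!Box's own 192.168.30.0/24 and is therefore not an option. With the renumbering suggested above (32 to 36), the single prefix becomes 192.168.32.0/21, which does not touch 192.168.30.0/24; it still over-covers (it also contains 37 to 39), which is the price of the one-connection approach.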
 