We help IT Professionals succeed at work.

IPsec VPN  with VMWare NSX at hub and Sophos XG On Spoke Networks So Spokes See Each Other

Medium Priority
Last Modified: 2019-09-08
I have 13 IPSec VPNs that are set up and working on a VMWare NSX Edge. The remote sites are all Sophos XG Firewalls. They used to connect to a Sophos firewall. In the earlier scenario, there was a VPN to VPN rule that joined all the Sophos IP Sec connections together in a hub and spoke network design. One could see devices between Atlanta to Orlando, for example.

Now I have them all connected successfully to the VMWare NSX Edge firewall. I have 2 rules for each location on the NSX.  For example, NSX to Atlanta and the reciprocal Atlanta to NSX.

I'd like for traffic to be seen from one location, like Atlanta, through the NSX Edge to Orlando.
On each Sophos connection to the Edge, I've added the remote networks I'd like to add to the Edge connection.  
In the previous all Sophos configuration, at the "hub" Sophos, a rule of VPN to VPN was in place to make this happen.
But I think I'm missing something on the NSX Edge to allow for Atlanta to "see" Orlando.

I have added reciprocal rules of Atlanta to Orlando and vice versa on the NSX but that is not working.
Watch Question

Software Engineer
Distinguished Expert 2019
if ipsec is enforcing the endpoint policies you need to create policies that include all other sites at the hub.... (You also need the routes 7 filters setup correctly..)

A ------> HUB ----> { B, C }
B ------> HUB ----> { A, C }
C ------> HUB ----> { A, B }
A =
B =
C =

Then from A's pov.  HUB & B &C need to be in the remote mask, or you need 3 policies.

Then either all REMOTE specs are  <==>   { 4 subnets including hub }
or you create several tunnel prolicies:    
A->C <===> <===> <===>
MIchaelIT Director


Thanks for the response. Sorry for the delay in mine.