Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 27 subscribers
  • Views 2753 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec Site to Site Question

rrosson

I have migrated from Home UTM 9 to Home XG and so far ll is well. I have successfully built IPSec Site to Site tunnels to each of my parents XG home devices that I have installed while visiting them to provide one more layer of protection from the big bad Internet. (This allows me to get directly in the networks and computers when they call me with computer issues. Part of being the computer geek in the family   :) ) 

Everything works fine except when I need to look at the WebAdmin portal on one of my parents (the other parent works just fine). SSH directly from my network to the parent firewall that I can not access the GUI and performing a TCPDUMP shows my requests but I am not seeing any return traffic.

I verified that the zone(s) and subnet(s) in the firewall rules are correct. I also made sure in device access that VPN zone is checked for HTTPS. Other than network ranges each parents XG is almost configured identically. 

This is a real head scratcher and the IPSec tunnels are pretty stable. All three XG systems are running 17.03 MR3

Anyone have any ideas?

-Ron



This thread was automatically locked due to age.
Parents
  • 0

    I have a similar VPN link for the same reason!!

    I had issues in V16 where IPSEC kept rebooting the router (was fixed in one of the MRs), I also had various issues with the ongoing stability of the VPN link where I ended up with a script rebooting the link (this was a Mikrotik to Sophos XG)

     

    I then forced the parents to have a Sophos XG at their end and moved over to the SSL VPN for the site-site link, it seems bullet proof and so much more stable than I ever managed with IPSEC 

    The other advantage I have is that it is always a client-server relationship so the parent's router always dials mine which has a static IP.

     

    I just configured the SSL VPN in "Set VPN Parameters" and set it to UDP mode, selected certificate and hostname (you can use a dynamic DNS hostname if you are on a dynamic IP) and selected the best certificate. (initially I left the rest of the parameters as default and then updated them once it was all running to get it exactly as I wanted it!!!)

    Then in SSL VPN (Site-Site) I added a new server connection, configured the local/remote networks and clicked save. (you just need to create a new connection for each parent's XG)

    You can then download the connection profile for each parent, Then on the parent's XG you click add as a client on the SSL VPN (site-site) and voila its up.

     

    you then just need the LAN to VPN firewall rules (you would need these with IPSEC)

     

    I know this isn't a howto fix IPSEC, but hopefully it will allow you to have the same result and more reliable!

Reply
  • 0

    I have a similar VPN link for the same reason!!

    I had issues in V16 where IPSEC kept rebooting the router (was fixed in one of the MRs), I also had various issues with the ongoing stability of the VPN link where I ended up with a script rebooting the link (this was a Mikrotik to Sophos XG)

     

    I then forced the parents to have a Sophos XG at their end and moved over to the SSL VPN for the site-site link, it seems bullet proof and so much more stable than I ever managed with IPSEC 

    The other advantage I have is that it is always a client-server relationship so the parent's router always dials mine which has a static IP.

     

    I just configured the SSL VPN in "Set VPN Parameters" and set it to UDP mode, selected certificate and hostname (you can use a dynamic DNS hostname if you are on a dynamic IP) and selected the best certificate. (initially I left the rest of the parameters as default and then updated them once it was all running to get it exactly as I wanted it!!!)

    Then in SSL VPN (Site-Site) I added a new server connection, configured the local/remote networks and clicked save. (you just need to create a new connection for each parent's XG)

    You can then download the connection profile for each parent, Then on the parent's XG you click add as a client on the SSL VPN (site-site) and voila its up.

     

    you then just need the LAN to VPN firewall rules (you would need these with IPSEC)

     

    I know this isn't a howto fix IPSEC, but hopefully it will allow you to have the same result and more reliable!

Children
No Data