Mikrotik and Sophos IPSec Site to Site

I am having the exact same issue as the below person.

https://community.sophos.com/products/xg-firewall/f/vpn/94105/ipsec-mikrotik-to-sophos-problem

The IPSec tunnel establishes correctly, and from the local network behind the Mikrotik I can ping the local network behind the Sophos XG Firewall. But from the local network behind the Sophos XG I cannot ping the Mikrotik or the local network behind the Mikrotik. I do not have any policy routes and tried the below command, but that did not help.

system ipsec_route add net 192.168.87.0/255.255.255.0 tunnelname <IPSec Tunnel Name>

Any help would be greatly appreciated. Thanks!

[locked by: SupportFlo at 5:53 PM (GMT -8) on 5 Nov 2018]
  • Hi  

    Could you please verify that the Ping local service ACL permission is enabled for your VPN zone? It is located in System > Administration > Device Access. As well, what are you able to observe when performing a packet capture for this LAN to VPN ICMP traffic?

    Regards,

    FloSupport | Community Support Engineer


    Florentino
    Director, Global Community & Digital Support

    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • Hi  

    It appears from the log entry that your XG is passing the ICMP traffic along properly. Could you please perform a traceroute from the client behind the XG, going to the Mikrotik remote LAN, and verify where the traffic is getting stopped? Have you also tried to pass other types of traffic along the VPN tunnel? (RDP, FTP, etc.)

    Thanks,

    FloSupport | Community Support Engineer

  • Yes, I have tried SSH, RDP, etc.; nothing works. Traceroute stops at the XG Firewall, which is 10.0.0.1.

    pepsi@10.0.100.21:~$ traceroute 192.168.87.252
    traceroute to 192.168.87.252 (192.168.87.252), 30 hops max, 60 byte packets
    1 10.0.100.1 (10.0.100.1) 2.881 ms 3.095 ms 3.336 ms
    2 10.0.0.1 (10.0.0.1) 0.099 ms 0.087 ms 0.101 ms
    3 * * *
    4 * * *
    5 * * *
    6 * * *
    7 * * *
    8 * * *
    9 * * *
    10 * * *
    11 * * *
    12 * * *
    13 * * *
    14 * * *
    15 * * *
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    27 * * *
    28 * * *
    29 * * *
    30 * * *

  • What are you able to observe when you perform a TCPDump from the CLI of the XG?
    Ex: tcpdump -eni <interface> host 192.168.87.252

    Could you also please share the rest of the configuration settings of your firewall rule 18?

    Regards,

    FloSupport | Community Support Engineer

  • It seems as if the pings are going through but I am not getting any replies. How do I verify that the data is going through the correct interface?

    console> tcpdump 'dst host 192.168.87.252'
    tcpdump: Starting Packet Dump
    17:25:00.145241 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 4, length 64
    17:25:01.153196 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 5, length 64
    17:25:02.161222 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 6, length 64
    17:25:03.169253 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 7, length 64
    17:25:04.177229 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 8, length 64
    17:25:05.185235 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 9, length 64
    17:25:06.193271 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 10, length 64
    17:25:07.201264 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 11, length 64
    17:25:08.209305 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 12, length 64
    17:25:09.217293 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 13, length 64
    17:25:10.225245 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 14, length 64
    17:25:11.233409 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 15, length 64
    ^C
    12 packets captured
    12 packets received by filter
    0 packets dropped by kernel

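The captures above show the echo requests arriving on Port1 (IN) but never a reply, which is exactly the question FloSupport's tcpdump suggestion is meant to answer: did the XG forward the packet out of another interface, or did it drop it, or did the remote side never answer? The following script is an added example, not code from the thread or from Sophos: it parses lines in the format the XG console tcpdump prints (as seen in the thread) and classifies each echo request as forwarded-and-answered, forwarded-but-unanswered, or never forwarded. The sample capture is constructed; the `ipsec0` interface name used for the tunnel side is an assumption for illustration, not the XG's real interface name.

```python
"""Classify ICMP echo requests in a Sophos XG console tcpdump capture.

Added example (not from the thread). Each (id, seq) pair is tracked across
interfaces: a request seen only as IN on the LAN port with no OUT copy on
any interface was not forwarded by the firewall (routing/policy problem on
the XG); a request that did go OUT but produced no reply points at the
remote side or the return path instead.
"""
import re
from collections import Counter, defaultdict

# Line format as printed by the XG console in the thread:
#   <time> <iface>, <IN|OUT>: IP <src> > <dst>: ICMP echo <request|reply>, id <n>, seq <n>, length <n>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

# Constructed sample: seq 1 is a healthy round trip, seq 2 leaves the tunnel
# interface but gets no answer, seq 4/5 mirror the thread (IN on Port1 only).
# "ipsec0" is an assumed name for the tunnel-side interface.
SAMPLE_CAPTURE = """\
tcpdump: Starting Packet Dump
17:24:57.100000 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 1, length 64
17:24:57.100200 ipsec0, OUT: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 1, length 64
17:24:57.140000 ipsec0, IN: IP 192.168.87.252 > 10.0.100.21: ICMP echo reply, id 22511, seq 1, length 64
17:24:57.140100 Port1, OUT: IP 192.168.87.252 > 10.0.100.21: ICMP echo reply, id 22511, seq 1, length 64
17:24:58.100000 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 2, length 64
17:24:58.100200 ipsec0, OUT: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 2, length 64
17:25:00.145241 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 4, length 64
17:25:01.153196 Port1, IN: IP 10.0.100.21 > 192.168.87.252: ICMP echo request, id 22511, seq 5, length 64
^C
12 packets captured
"""


def parse_capture(text):
    """Return one dict per ICMP echo line; header/footer lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts


def diagnose(pkts):
    """Map (id, seq) -> 'ok' | 'no_reply' | 'not_forwarded'."""
    flows = defaultdict(lambda: {"in_req": [], "out_req": [], "reply": []})
    for p in pkts:
        key = (p["id"], p["seq"])
        if p["kind"] == "request":
            bucket = "in_req" if p["dir"] == "IN" else "out_req"
            flows[key][bucket].append(p["iface"])
        else:
            flows[key]["reply"].append(p["iface"])
    verdicts = {}
    for key, f in sorted(flows.items()):
        if f["reply"]:
            verdicts[key] = "ok"                # request went out and came back
        elif f["out_req"]:
            verdicts[key] = "no_reply"          # left the XG, remote side silent
        else:
            verdicts[key] = "not_forwarded"     # never seen OUT on any interface
    return verdicts


def summarise(verdicts):
    """Count verdicts, e.g. {'ok': 1, 'no_reply': 1, 'not_forwarded': 2}."""
    return dict(Counter(verdicts.values()))


if __name__ == "__main__":
    v = diagnose(parse_capture(SAMPLE_CAPTURE))
    for (icmp_id, seq), verdict in v.items():
        print(f"id {icmp_id} seq {seq}: {verdict}")
    print(summarise(v))
```

To use it on a real capture, run the console tcpdump without the `dst host` filter (or with `host 192.168.87.252`, as suggested above) so that both directions and every interface are recorded, then paste the output in place of `SAMPLE_CAPTURE`. A run that reports only `not_forwarded` means the XG itself is not routing the traffic into the tunnel, which narrows the problem to the XG's routing or policy configuration rather than to the Mikrotik side.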