
Sophos XG210 to XG125 RED TUNNEL - SSL VPN from one XG could not access the other XG's network.

Hello,

I have successfully connected an XG210 and an XG125 with a RED site-to-site tunnel. From the network of the XG210 (10.69.95.0) I can ping the network of the XG125 (10.69.94.0).

But when a client connects via SSL VPN on the XG210 he cannot ping the network of the XG125; he can only ping the XG210 network. It is the same for the users connecting to the XG125 via SSL VPN: they cannot ping the XG210 network, but can only access the XG125 network.

Are there any tips to permit the traffic to pass the RED tunnel from SSL VPN?

Thank you.

Regards,

Viken NAJARIAN



  • Hi,

    Basically the RED site-to-site tunnel is a Layer 2 tunnel.

    So "all rules apply here". It is like plugging a cable into the XG and wanting to access this from your SSL VPN client.

    Check the permitted resources in SSL VPN, check the VPN to (RED?) rule, etc.

    cheers

  • Hi,

    I have created rules in the firewall to accept traffic from the VPN zone to the RED zone, and from the RED zone to the VPN zone on both XGs, and I have permitted the RED network and the local networks in the VPN resources, but it still doesn't work.

    When connected via SSL VPN I couldn't even ping the local RED IP address.

    Thank you.

  • Hi,

    Ok!

    Perform a tcpdump on the advanced shell to check what is happening:

    tcpdump -ni any icmp

  • Hi,

    Here are the results:

    Scenario:

    I'm connected with SSL VPN to the XG210 (10.69.95.1); the IP address given to my SSL VPN client is 10.81.234.7. I'm trying to ping 10.69.94.251 (IP address of a server in the XG125's network).

    tcpdump -ni any icmp from the XG210:

    tcpdump -ni any icmp from the XG125:

    Thank you.

    EDIT: the two XGs are connected via a RED tunnel with the IP addresses 192.168.250.254 for the XG210 side and 192.168.250.253 for the XG125 side.

  • See what is going on.

    Check your XG125.

    The XG is getting the request, sending it to the client, getting the response and sending it out on Port2.

    What is Port2? It should use reds1 instead of Port2.

    Except if Port2 is WAN?

    Did you create a static route on the XG125? It seems like the XG does not know how to reach the XG210 site.

    Cheers
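As an added example (not code from this thread or from Sophos), a small Python parser for the kind of tcpdump -ni any icmp output discussed above: it pairs ICMP echo requests and replies by id/seq and flags flows whose reply leaves on a different interface than the request arrived on, which is the asymmetric path (request in on reds1, reply out on Port2) the reply above points at. The sample lines are constructed; the "iface, IN:" line format and the interface names reds1, Port1 and Port2 are assumptions.

```python
import re
from collections import defaultdict

# Accepts the Sophos-style "iface, IN:" marker and the upstream "iface In" marker (assumed formats).
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>[\w.-]+),?\s+(?P<dir>IN|OUT|In|Out):?\s+IP\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

# Constructed sample in the style of the XG125 dump described in the thread:
# the echo request arrives over the RED tunnel (reds1) but the reply leaves on Port2 (WAN).
SAMPLE = """\
10:00:01.000001 reds1, IN: IP 10.81.234.7 > 10.69.94.251: ICMP echo request, id 1234, seq 1, length 64
10:00:01.000002 Port1, OUT: IP 10.81.234.7 > 10.69.94.251: ICMP echo request, id 1234, seq 1, length 64
10:00:01.000003 Port1, IN: IP 10.69.94.251 > 10.81.234.7: ICMP echo reply, id 1234, seq 1, length 64
10:00:01.000004 Port2, OUT: IP 10.69.94.251 > 10.81.234.7: ICMP echo reply, id 1234, seq 1, length 64
10:00:02.000001 reds1, IN: IP 10.69.95.20 > 10.69.94.251: ICMP echo request, id 1235, seq 1, length 64
10:00:02.000002 Port1, OUT: IP 10.69.95.20 > 10.69.94.251: ICMP echo request, id 1235, seq 1, length 64
10:00:02.000003 Port1, IN: IP 10.69.94.251 > 10.69.95.20: ICMP echo reply, id 1235, seq 1, length 64
10:00:02.000004 reds1, OUT: IP 10.69.94.251 > 10.69.95.20: ICMP echo reply, id 1235, seq 1, length 64
""".splitlines()

def parse_icmp(lines):
    """Group echo packets by (id, seq); each flow records the interface seen per kind/direction."""
    flows = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ICMP echo line, or a format this parser does not know
        slot = f"{m['kind']}_{m['dir'].lower()}"  # e.g. request_in, reply_out
        flows[(int(m["id"]), int(m["seq"]))][slot] = m["iface"]
    return flows

def find_asymmetric(lines, wan_ifaces=("Port2",)):
    """Return (id, seq, request_in, reply_out) for flows whose reply leaves on a
    different interface than the request arrived on, or on a WAN interface."""
    bad = []
    for (pid, seq), slots in sorted(parse_icmp(lines).items()):
        req_in, rep_out = slots.get("request_in"), slots.get("reply_out")
        if req_in and rep_out and (req_in != rep_out or rep_out in wan_ifaces):
            bad.append((pid, seq, req_in, rep_out))
    return bad

if __name__ == "__main__":
    for pid, seq, req_in, rep_out in find_asymmetric(SAMPLE):
        print(f"id {pid} seq {seq}: request in on {req_in}, reply out on {rep_out} (asymmetric)")
```

Pairing by id/seq assumes the firewall does not rewrite the echo id on the way through; if it does, match on src/dst instead.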

  • Hello,

    Port2 is the WAN of the XG125. Yes, the static route exists on the XG125 to reach the XG210's network from RED, and it works because from the XG125 LAN I can ping the XG210 LAN, and from the XG210 LAN I can ping the XG125 LAN.

    It's only when connected with SSL VPN to the XG210 that I cannot ping the XG125's LAN, and when connected with SSL VPN to the XG125 that I cannot ping the XG210's LAN.

    It's very weird...

    Note: I just finished setting up an IPsec site-to-site tunnel between the 2 XGs, and now when I'm connected with SSL VPN on the XG210 I can ping the XG125's LAN.

    So it's probably the RED which has a problem with that?

  • Mh.

    This is not satisfying for you, but currently we do not support IPsec and RED site-to-site with the same networks on XG.

    The reason is that the XG starts to build asymmetric routing, like in your dump. The IPsec routes are destroying your routing.

    https://community.sophos.com/kb/en-us/124067

    So if you disable the IPsec tunnel, it should work.

  • I built the IPsec site-to-site tunnel in order to see if it would resolve my issue.

    I deleted the RED tunnel before creating the IPsec tunnel.

    Yesterday the IPsec tunnel wasn't created and the RED was still an issue.

    I'm just trying to find a solution to have a real site-to-site tunnel working...

  • Hello. First of all, is it a RED or a site-to-site?

    If it's a RED (meaning you have extra RED interfaces on your networks) you have to do the following:

    Make a LAN to LAN accept rule on your firewall.

    Make a LAN to VPN and a VPN to LAN accept rule on your firewall.

    Maybe group them under a name like VPN&RED to keep things tidy.

    This should be done on both XGs.

    Most important:

    You have to make a unicast rule on all SFOS devices. Go to Configure > Routing and under IPv4 unicast rule add one with the following:

    From the 210 add destination IP 10.69.94.0, gateway the RED 125 IP (192.168.250.253 if I understand) and interface the RED interface.

    From the 125 add destination IP 10.69.95.0, gateway the RED 210 IP (192.168.250.254 if I understand) and interface the RED interface.

    It should work instantly, both via LAN and via VPN. I'm using the same setup with 3 XGs with SSL VPN & RED and 192.168.x.x for all my networks, and it's working fine.

  • Hello, thank you for your answer.

    The goal was to connect both XGs so that the networks can communicate with each other.

    I first tried to make it work with RED, thinking it was the faster and easier way. Then I deleted the RED tunnel because of this SSL VPN problem and I created a site-to-site IPsec tunnel between the 2 XGs.

    I did all you said except the LAN to LAN accept rule, because I have VLANs and I can't make a rule like "LAN to LAN accept any" because of some VLAN restrictions.

    I just created rules like that:

    I created a new zone named RED.

    Firewall rules:

    RED zone to LAN zone accept any

    LAN zone to RED zone accept any

    VPN zone to RED zone accept any

    RED zone to VPN zone accept any

    Created the static routes on both XGs with the right RED IP gateway and interface.

    I have to say that I can reach the XG125 network from the XG210 network with no problem; the routing is working well. The only thing which doesn't work is when I try to reach the XG125 network while connected with SSL VPN on the XG210, and vice versa.

    This is now working after deleting the RED configuration and creating a site-to-site IPsec VPN tunnel between the two XGs.

    Is there any disadvantage to using an IPsec tunnel instead of RED to connect the two XGs?

    Thank you.