
Sophos XG210 to XG125 RED TUNNEL - SSL VPN from one XG could not access the other XG's network.

Hello,

I have successfully connected an XG210 and an XG125 with a RED site-to-site tunnel. From the network of the XG210 (10.69.95.0) I can ping the network of the XG125 (10.69.94.0).

But when a client connects via SSL VPN on the XG210 he cannot ping the network of the XG125; he can only ping the XG210 network. It is the same for the users connecting to the XG125 via SSL VPN: they cannot ping the XG210 network, but can only access the XG125 network.

Are there any tips to permit the traffic from SSL VPN to pass through the RED tunnel?

 

Thank you.


Regards,


Viken NAJARIAN



  • Hi,

     

    Basically the RED Site to Site tunnel is a Layer 2 tunnel.

    So "all rules apply here". It is like plugging a cable into the XG and wanting to access it from your SSL VPN client.

    Check the permitted resources in SSL VPN, check the VPN to (RED?) rule etc.

     

    cheers

  • Hi,

     

    I have created rules in the firewall to accept traffic from the VPN zone to the RED zone, and from the RED zone to the VPN zone on both XGs, and I have permitted the RED network and the local networks in the VPN resources, but it still doesn't work.

     

    When connected via SSL VPN I couldn't even ping the local RED IP address.

     

    Thank you.

  • Hi,

     

    Ok!

    Perform a tcpdump on the advanced shell to check what is happening.

    tcpdump -ni any icmp

     

  • Hi,

     

    Here are the results: 

    Scenario:

    I'm connected with SSL VPN to the XG210 (10.69.95.1); the IP address given to my SSL VPN client is 10.81.234.7. I'm trying to ping 10.69.94.251 (IP address of a server in the XG125's network).

     

    Tcpdump -ni any icmp from the XG210:

     

    Tcpdump -ni any icmp from the XG125:

     

    Thank you.

     

    EDIT: the two XGs are connected via a RED tunnel with the IP addresses 192.168.250.254 for the XG210 side and 192.168.250.253 for the XG125 side.

  • See what is going on.

     

    Check your XG125.

    The XG is getting the Request, sending it to the client, getting the response and sending it out on Port2.

    What is Port2? It should use reds1 instead of Port2.

    Excepting Port2 is WAN? 

    Did you create a static route on the XG125? It seems like the XG does not know how to reach the XG210 site.

     

    Cheers
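The check described in this reply (request arrives via the RED interface, the reply leaves on Port2) can be automated over the text output of `tcpdump -ni any icmp`. The script below is an added example and is not code from the thread or from Sophos. It assumes the line format of the XG tcpdump build, which prefixes each packet with "<interface>, <IN|OUT>:"; the sample lines are constructed to reproduce the scenario in the thread (client 10.81.234.7 pinging 10.69.94.251 over reds1), and the interface names and ICMP id/seq values are assumed.

```python
import re

# Assumed line format (modelled on the Sophos XG tcpdump build, which prints
# "<iface>, <IN|OUT>:" before the IP header). Sample input below is constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed capture resembling the XG125 side of the thread: the request
# enters on reds1, is forwarded to the LAN, and the reply is sent out on Port2
# (the WAN port) instead of back through the RED tunnel.
SAMPLE_XG125_ASYMMETRIC = """\
10:00:01.000100 reds1, IN: IP 10.81.234.7 > 10.69.94.251: ICMP echo request, id 7, seq 1, length 64
10:00:01.000200 Port1, OUT: IP 10.81.234.7 > 10.69.94.251: ICMP echo request, id 7, seq 1, length 64
10:00:01.000900 Port1, IN: IP 10.69.94.251 > 10.81.234.7: ICMP echo reply, id 7, seq 1, length 64
10:00:01.001000 Port2, OUT: IP 10.69.94.251 > 10.81.234.7: ICMP echo reply, id 7, seq 1, length 64
"""

# Constructed capture of the healthy case: the reply leaves on the interface
# the request arrived on.
SAMPLE_XG125_SYMMETRIC = """\
10:00:02.000100 reds1, IN: IP 10.81.234.7 > 10.69.94.251: ICMP echo request, id 7, seq 2, length 64
10:00:02.000200 Port1, OUT: IP 10.81.234.7 > 10.69.94.251: ICMP echo request, id 7, seq 2, length 64
10:00:02.000900 Port1, IN: IP 10.69.94.251 > 10.81.234.7: ICMP echo reply, id 7, seq 2, length 64
10:00:02.001000 reds1, OUT: IP 10.69.94.251 > 10.81.234.7: ICMP echo reply, id 7, seq 2, length 64
"""


def parse(text):
    """Turn tcpdump text into a list of dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["seq"] = int(d["seq"])
            pkts.append(d)
    return pkts


def find_asymmetric(pkts):
    """Pair each echo request's ingress interface with its reply's egress interface.

    Returns a list of (icmp_key, ingress_iface, egress_iface) for every request
    whose reply left on a different interface (egress_iface is None when the
    reply was never forwarded at all).
    """
    ingress = {}  # (id, seq) -> interface the request first arrived on
    egress = {}   # (id, seq) -> interface the reply was sent out on
    for p in pkts:
        key = (p["id"], p["seq"])
        if p["kind"] == "request" and p["dir"] == "IN" and key not in ingress:
            ingress[key] = p["iface"]
        elif p["kind"] == "reply" and p["dir"] == "OUT":
            egress[key] = p["iface"]
    findings = []
    for key, in_if in ingress.items():
        out_if = egress.get(key)
        if out_if != in_if:
            findings.append((key, in_if, out_if))
    return findings


def analyze(text):
    """Convenience wrapper: parse a capture and return the asymmetric flows."""
    return find_asymmetric(parse(text))


if __name__ == "__main__":
    for name, sample in (("asymmetric", SAMPLE_XG125_ASYMMETRIC),
                         ("symmetric", SAMPLE_XG125_SYMMETRIC)):
        print(f"{name}: {analyze(sample)}")
```

A finding whose egress interface is the WAN port means the firewall chose the default route for the reply's destination, i.e. it has no more specific route for the SSL VPN pool network (10.81.234.0/24 in the thread, which is a different network from the 10.69.95.0 LAN that the existing static route covers). Comparing the reply's destination against the static route list on that XG is the next check.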

  • Hello,

     

    Port2 is the WAN of the XG125. Yes, the static route exists on the XG125 to reach the XG210's network via RED, and it works because from the XG125 LAN I can ping the XG210 LAN, and from the XG210 LAN I can ping the XG125 LAN.

     

    It's only when connected with SSL VPN to the XG210 that I cannot ping the XG125's LAN, and when connected with SSL VPN to the XG125 that I cannot ping the XG210's LAN.

     

    It's very weird...

     

    Note: I just finished setting up an IPsec site-to-site tunnel between the 2 XGs, and now when I'm connected with SSL VPN on the XG210 I can ping the XG125's LAN.

     

    So it's probably the RED which has a problem on that?

  • Mh.

     

    This is not satisfying for you, but currently we are not supporting IPsec and RED site-to-site with the same networks on XG.

    The reason is that the XG starts to build asymmetric routing, like in your dump. The IPsec routes are destroying your routing.

    https://community.sophos.com/kb/en-us/124067

     

    So if you disable the IPsec Tunnel, it should work.

  • I built the IPSec site to site tunnel in order to see if it would resolve my issue.

     

    I deleted the RED tunnel before creating the IPSec tunnel.

     

    Yesterday the IPSec tunnel wasn't created and the RED was still an issue.

     

    I'm just trying to find a solution to have a real Site-to-Site tunnel working...