Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 27 subscribers
  • Views 10398 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

No traffic is going through my IPsec VPN tunnel, while it is established.

jens stahl

Hello guys. I am wasting a lot of time with VPN tunnels. Please help me with that.

I am going to setup some IPsec side2side VPN Tunnels from my Sophos XG firewall.

One tunnel is up and running correctly this includes the receiving and sending of data packets. It is setup between my XG firewall and IPfire with PSK. The local network range is different compared to my other networks of course.

Now I am setting up a IPsec Tunnel between an UTM and my XG firewall by using certs. The tunnel is up. Lights are green but nothing is going through the tunnel. I can't ping or ssh or http through it. The firewalls themselfs can't ping each other and the logs don't show up any failures.
On the XG site there are 2 LANs and on the UTM site is one, which should be connected by the VPN. Adresses are matching between UTM VPN configuration and XG VPN configuration (I checked that 5 times now). Both sides are claiming the tunnel is up and the connection is established.

It looks like the firewall is not blocking the traffic. I can't see any blocked traffic in the logs. When I change my selfmade rule from 'accept' to 'block' to test this, the ICMP ping packets appear as blocked in the log. I also didn't forget to make a reverse rule to allow packets in the other direction and on the other firewall.

I guess something is wrong with the routing. I tried the steps suggested in this thread: https://community.sophos.com/products/xg-firewall/f/vpn/92867/ipsec-site-to-site-vpn-connects-but-no-traffic-passes, but I cannot add any routing rules because the GUI name of my VPN is not accepted by the command. On the other side there is no route shown by the command and my 1st VPN connection is running.

The routing on the clients is correct. XG is the only gateway and should handle the routing and since the UTM client LAN has 2 gateways I had to add a rule to the machines for using my VPN. This should allow pings from the clients. And if this does not work, there is still the possibility to ping the firewall itself for testing.

Has anybody an idea what I can do to get this to work.

Best Regards

Jens



This thread was automatically locked due to age.
Parents
  • 0

    Hey  

    Welcome to the Sophos Community!

    Sorry to hear about your continued issues with this setup.

    You mention with your other IPsec tunnel that is working, "The local network range is different compared to my other networks of course." On this tunnel (that's having issues), did you have any matching local network ranges on both sites?

    As well, have you attempted a Packet Capture via the GUI to check what log entries you receive for this attempted traffic?

    Regards,

  • 0 in reply to FloSupport

    Hey Flo

    I'm glad to be here with you.

    Not sure, if I understood your question about the network ranges in the right way. The XG has several LANs (VLAN separated) in the range 172.20.x.y/24. Two of them I want to tunnel to the UTM 192.168.110.y/24. The running tunnel is on a different 192.168.x.y/24. The closest local (XG) LAN is 192.168.100.y/24. All this LANs are listed in the "route -n" output, leaded by:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   
    10.81.234.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0    
    10.255.0.0      0.0.0.0         255.255.255.0   U     0      0        0 GuestAP


    If my interpretation is correct, then there is no route defined for IPsec tunnels. The first rule looks like it's the SSL VPN route for remote clients.
    Should there be a route defined? If there is no route IPsec maybe tries to route all the traffic through the 1st tunnel and that's the reason why this one
    is running.
    On the UTM site I do not expect any failures. I just replaced my old IPsec VPN connection (old UTM-UTM tunnel) by the new VPN to my XG. The network
    is less complex there only one LAN and only 10 clients.     Without the tunnel it's hard to login to the console here.

    Regards

  • 0 in reply to jens stahl

    Hi Jens,

    My mistake, there won't be an entry in the route table for this.

    Would it be possible to initiate a ping from a host behind the UTM, towards a host behind the XG firewall?

    Type in the search query in the Packet Capture (on the XG) = proto ICMP and take a look at the capture. Do you see any ICMP request coming from the IPsec interface and being forwarded to the LAN behind the XG?

    Regards,

  • 0 in reply to FloSupport

    Hi Flo

    Regarding to "There won't be an entry in the route table for this.":
    On the XG side there is no entry, but on the UTM "route -n" showed routes for the correct XG networks forwarded to eth0 or eth1 (whichever is the WAN interface).

    The ping from the UTM or behind the UTM is not going through the tunnel. The XG did not capture anything.

    Regards,

    Jens

Reply
  • 0 in reply to FloSupport

    Hi Flo

    Regarding to "There won't be an entry in the route table for this.":
    On the XG side there is no entry, but on the UTM "route -n" showed routes for the correct XG networks forwarded to eth0 or eth1 (whichever is the WAN interface).

    The ping from the UTM or behind the UTM is not going through the tunnel. The XG did not capture anything.

    Regards,

    Jens

Children