
Site-to-Site - XG "Home Base" with Ubiquiti Security Gateway "Remote Sites": Cannot reach remote office subnets

Hello.

I (and a client of mine) currently utilize Sophos XG firewall at the 'main' location of an office/company.  We have several remote sites, each with a Site-to-Site VPN tunnel between the two locations.

Traffic can freely and without issue flow from the remote sites into the main site, and get responses back.  This behavior works.

However, we need to get the inverse working - from our main office to the remote offices.  This is currently not functioning.

From other resources and searches I've done, I've found that we need rules for the home base side of the network to reach out to the remote networks to permit that traffic.  However, we already have such a rule and the Policy Checker indicates that rule matches.  Traffic still, however, doesn't seem to get handed over the IPSec tunnel to the remote side at the moment.  If it were, the remote site would likely be responding.

The rule we've got that SHOULD be permitting our IT Management systems to go over is this:

... where MGMT is the "zone" for the IT Team's management systems and "Source Networks" of "IT" is the 10.1.4.0/24 subnet where they exist.


To my knowledge, the XG should be able to handle routing this traffic over the tunnel, however it doesn't seem to want to do that.


Where should I look next to try and debug this?  Do I need special routing rules or such entered to make the traffic actually go over the IPSec tunnel to the remote site?

This thread was automatically locked due to age.
  • The question is, when you try to access the network what rule does the logviewer show as being used?

    Is there a firewall rule with a higher priority using the 10 network in its allowed list?

    Ian

  • Can you post a simple Network plan? 

    Do you NAT in the tunnel? 

  • I can draw up a network plan, but once I am back at the environment, because I have the documentation there.


    To my knowledge we don't have any NAT rules set up, and that's probably where it's not working; we did attempt to set a NAT rule in the tunnel's settings but it's possible it's not set up right.  I'll have to pull documentation on what we attempted, the other person on site at the 'home base' did those changes.


    Apologies for extremely slow replies, but I've not been feeling well the past few days, so bear with me while I get the information; being ill makes getting info hard sometimes.

  • Hello Thomas,

    For simplicity could you take a packet capture and check if the traffic is going/incoming from the tunnel or not with the intended source and destination address? This will help you identify and focus on the specific area to troubleshoot the issue.

  • Hello Thomas,

    For simplicity could you take a packet capture and check if the traffic is going/incoming from the tunnel or not with the intended source and destination address? This will help you identify and focus on the specific area to troubleshoot the issue.

    I will do so, however as far as I can tell ingress traffic from remote -> home base is working properly.  That traffic also shows.

    From what little I've tested, it also appears the XG is *not* capturing the ICMP packets when we use pings to test.  That may need some attention from Sophos to fix, but I'll attempt direct socket connections in a bit as well, since those should get captured (TCP is caught, ICMP is not).


    Can you post a simple Network plan? 

    This is a VERY rough diagram but shows the subnets on all sides.  We have multiple remote offices, home office -> remote does not work on any of the tunnels it seems, though the tunnels are properly configured such that the "local" subnets on the XG side are the 10.1.4, 10.1.2, and 10.1.121 subnets, with the corresponding "remotes" set properly on each of the tunnels (each with different configurations because of varying IPSec tunnel passwords).


    We know that remote -> main works properly when Remote is the origin point, but main -> remote where Main is origin does not properly work.


    It's probably something stupid in the NAT rules, but unlike a pfSense, USG, or ASA, there's nowhere that I can see to explicitly work with the NAT rules, so it's probably accessed and configured in a more 'roundabout way' than I am used to within XG compared to the other equipment and vendors I use regularly.

  • The packet trace does not show it going out over any interface, and simply shows as such:


    In Interface: PortC.24 (correct)
    Out Interface: (EMPTY)


    This'd be a NAT rule wouldn't it?  Or would this be a route rule I have to set up?
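The packet-capture check suggested earlier in the thread, and the "In Interface set, Out Interface empty" observation just above, can be turned into a small triage script. The following is an added example, not code from the thread or from Sophos: it takes simplified "Key: value" capture records (a constructed format modelled on the two interface lines quoted above, with Source/Destination fields added), checks whether each packet's source and destination actually fall inside the tunnel's local and remote selectors, and then reports per direction whether the packet was handed to an egress interface. The local subnets are the ones stated in the thread; the remote subnets and the "Port2" WAN interface name are placeholders, since the thread does not give them.

```python
import ipaddress
from dataclasses import dataclass

# Subnets on the XG ("main") side, as stated in the thread.
LOCAL_SUBNETS = [ipaddress.ip_network(n)
                 for n in ("10.1.4.0/24", "10.1.2.0/24", "10.1.121.0/24")]

# The remote office subnets are not given in the thread: PLACEHOLDER values.
REMOTE_SUBNETS = {
    "remote-a": ipaddress.ip_network("192.168.50.0/24"),  # PLACEHOLDER
    "remote-b": ipaddress.ip_network("192.168.60.0/24"),  # PLACEHOLDER
}


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    in_iface: str
    out_iface: str


def parse_capture(text):
    """Parse blank-line separated 'Key: value' blocks (constructed format
    modelled on the In/Out Interface lines quoted in the thread)."""
    packets = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        packets.append(Packet(
            src=ipaddress.ip_address(fields["source"]),
            dst=ipaddress.ip_address(fields["destination"]),
            in_iface=fields.get("in interface", ""),
            out_iface=fields.get("out interface", ""),
        ))
    return packets


def site_of(addr):
    """Name the site a host belongs to, or None if outside every selector."""
    if any(addr in net for net in LOCAL_SUBNETS):
        return "main"
    for name, net in REMOTE_SUBNETS.items():
        if addr in net:
            return name
    return None


def classify(pkt):
    """Verdict for one packet: selector mismatch, local traffic, dropped,
    or forwarded via a named egress interface."""
    src_site, dst_site = site_of(pkt.src), site_of(pkt.dst)
    if src_site is None or dst_site is None:
        # One end is outside both selector sets, so the tunnel policy would
        # never match this packet regardless of firewall or NAT rules.
        return "outside-tunnel-selectors"
    if src_site == dst_site:
        return "not-tunnel-traffic"
    if not pkt.out_iface:
        # The symptom from the thread: accepted on the inbound port but
        # never handed to any egress interface.
        return "dropped-no-egress"
    return "forwarded:" + pkt.out_iface


def summarize(packets):
    """Group verdicts by direction, e.g. 'main->remote-a'."""
    summary = {}
    for pkt in packets:
        key = f"{site_of(pkt.src)}->{site_of(pkt.dst)}"
        summary.setdefault(key, []).append(classify(pkt))
    return summary


# Constructed capture, three packets. The first mirrors the thread's
# observation (inbound port set, outbound empty); the second is the working
# remote->main direction; the third has a destination outside any selector.
SAMPLE_CAPTURE = """\
In Interface: PortC.24
Out Interface:
Source: 10.1.4.10
Destination: 192.168.50.20

In Interface: Port2
Out Interface: PortC.24
Source: 192.168.50.20
Destination: 10.1.4.10

In Interface: PortC.24
Out Interface:
Source: 10.1.4.10
Destination: 203.0.113.5
"""

if __name__ == "__main__":
    for direction, verdicts in summarize(parse_capture(SAMPLE_CAPTURE)).items():
        print(direction, verdicts)
```

A "dropped-no-egress" verdict for a packet whose ends both sit inside the selectors points at routing or the tunnel policy on the XG side rather than at the firewall rule; an "outside-tunnel-selectors" verdict means the test source or destination was never covered by the tunnel's configured local/remote networks in the first place, which is worth ruling out before touching NAT.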
