S2S - no connection to remote server

Hi Philipp Marx 

As per the details provided, you want to access the server which is behind the XG firewall and you are connecting through SSL VPN but unable to connect the server.

Please provide us with more details on connectivity.

How remote server is connected with the XG firewall?

Is LAN to VPN and VPN to LAN firewall rules are created or for the zone where the server is located? 

Hi Keyur, 

I would like to connect to a remote server via site2site vpn. From a local subnet (XG firewall) to a remote server behind a Sonicwall firewall.

Greetings

Philipp

Hi Philipp Marx 

Please refer to the article and configure the IPsec tunnel between Sophos XG and Sonicwall firewall.

Establish an IPsec connection between Sophos XG Firewall and SonicWall.

Hey Keyur, 

the vpn is connected with the specifications from the customer.

[IKE] scheduling rekeying in 28413s

[IKE] maximum IKE_SA lifetime 28773s
[IKE] CHILD_SA xyzvpn-1{33697} established with SPIs cedb80c2_i fd6079c2_o and TS 10.200.206.0/24 === 172.27.200.49/32
[APP] [SSO] (sso_invoke_once) SSO is disabled.
[APP] [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (10.200.206.0/24#172.27.200.49/32)
[APP] [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 0 to 1 ++ up ++ (193.218.xxx.xxx#217.6.xxx.xxx)
[APP] [COP-UPDOWN] (cop_updown_invoke_once) UID: 33768 Net: Local 193.218..xxx.xxx Remote 217.6.xxx.xxx Connection: xyzvpn Fullname: xyzvpn-1
[APP] [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
initiate completed successfully

Maybe there is a routing problem from our local subnet "172.20.0.0" over the "local vpn subnet 10.200.206.0" (using NAT) to the "remote server 172.27.200.49"?!

regards

Philipp

Hi Philipp Marx 

Please disable the NAT in Gateway settings.

Make sure LAN to VPN and VPN to LAN firewall rules are configured.

Please enable "MASQ" in LAN to VPN rule.

Hi Keyur, 

maybe could you please explain in more detail.

Thanks! 

Hi Philipp Marx 

Please see the attached screenshot and disable NAT configuration



Please create firewall rules LAN to VPN and VPN to LAN.

Please enable "MASQ" oprion in LAN to VPN rule.

Hi Keyur, 

we have disabled the nat rule in the vpn gateway settings. 

Then we have updated the firewall rule for LAN to VPN.

The "local" remote subnet 10.200.x.x is used for the vpn connection and is configured under "host and services > IP Host" only.

For our understanding we have to create a route for our local working subnet 172.20.x.x into the 10.200.x.x as well?! 

We can see that the outgoing traffic to 172.27.200.49 still goes through the "internal > wan" rule. 

Hi Philipp Marx 

Could you please let me below details?

The IP address/Network behind the XG firewall wants to access the server at a remote location.

Remote server IP address/Network.

In the screenshot of the firewall rule, in the Source Network, you have defined two networks 172.20.0.0 and 10.200.206.0

In the IPsec configuration, you have added network 172.20.0.0/16 

There are two possible issues there:

• To support federation / s2s, an XMPP server must be available on the internet, and not associated to a local IP. Ideally, you should have set DNS SRV record for that XMPP service.
• The second issue seems that your DNS resolution seems incorrect as ejabberd gets a local address for the domain from your DNS, when you seem to expect a public IP. You need to make sure the DNS service on the XMPP server is set up and properly working.