
S2S - no connection to remote server

Hey,

I would like to connect to a remote server via VPN. The S2S connection works, but I am unable to reach the server on the other side (the remote site is one host only).

I can see that the outgoing traffic goes through the firewall rule LAN to WAN when I connect from the local subnet 172.20.0.0/16 to the remote server 172.20.200.49.

So what's missing/wrong? Do I have to create a further rule/route, and where?

Thanks in advance!



  • Hi  

    As per the details provided, you want to access the server which is behind the XG firewall, and you are connecting through SSL VPN but are unable to connect to the server.

    Please provide us with more details on connectivity.

    How is the remote server connected to the XG firewall?

    Are LAN to VPN and VPN to LAN firewall rules created for the zone where the server is located?

  • Hi Keyur, 

    I would like to connect to a remote server via site2site vpn. From a local subnet (XG firewall) to a remote server behind a Sonicwall firewall.

    Greetings

    Philipp

  • Hi  

    Please refer to the article and configure the IPsec tunnel between Sophos XG and Sonicwall firewall.

    Establish an IPsec connection between Sophos XG Firewall and SonicWall.

  • Hey Keyur, 

    The VPN is connected with the specifications from the customer.

    [IKE] scheduling rekeying in 28413s

    [IKE] maximum IKE_SA lifetime 28773s
    [IKE] CHILD_SA xyzvpn-1{33697} established with SPIs cedb80c2_i fd6079c2_o and TS 10.200.206.0/24 === 172.27.200.49/32
    [APP] [SSO] (sso_invoke_once) SSO is disabled.
    [APP] [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (10.200.206.0/24#172.27.200.49/32)
    [APP] [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 0 to 1 ++ up ++ (193.218.xxx.xxx#217.6.xxx.xxx)
    [APP] [COP-UPDOWN] (cop_updown_invoke_once) UID: 33768 Net: Local 193.218.xxx.xxx Remote 217.6.xxx.xxx Connection: xyzvpn Fullname: xyzvpn-1
    [APP] [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    initiate completed successfully

    Maybe there is a routing problem from our local subnet "172.20.0.0" over the "local vpn subnet 10.200.206.0" (using NAT) to the "remote server 172.27.200.49"?!

    regards

    Philipp
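The "TS 10.200.206.0/24 === 172.27.200.49/32" pair in the CHILD_SA line above is the detail that decides whether a packet is encrypted or simply routed out over WAN: IPsec policy lookup is a membership test on source and destination against those two selectors, so a packet sourced from 172.20.x.x is outside the local selector and is never handed to the tunnel unless it is first source-NATed into 10.200.206.0/24, which is what a LAN to VPN rule with MASQ does. The following Python script is an added illustration, not code from this thread or from Sophos: it parses the log line, runs that lookup for a few constructed packets, and models the MASQ step. Using the first host of the local selector as the masqueraded address is an assumption; the real firewall uses its own interface address in that range.

```python
import ipaddress
import re

# Constructed sample: the CHILD_SA line from the thread's log, trimmed to the
# fields the parser needs. Real lines carry the same "TS <local> === <remote>" shape.
CHILD_SA_LINE = (
    "[IKE] CHILD_SA xyzvpn-1{33697} established with SPIs cedb80c2_i fd6079c2_o "
    "and TS 10.200.206.0/24 === 172.27.200.49/32"
)

TS_RE = re.compile(r"TS\s+(?P<local>[\d./]+)\s+===\s+(?P<remote>[\d./]+)")


def parse_traffic_selectors(line):
    """Return (local_selector, remote_selector) as ip_network objects.

    The strongSwan-style log prints 'TS <local> === <remote>': local is the
    traffic selector on our side of the tunnel, remote is the peer's side.
    """
    m = TS_RE.search(line)
    if not m:
        raise ValueError("no traffic selectors found in line")
    return ipaddress.ip_network(m["local"]), ipaddress.ip_network(m["remote"])


def tunnel_selects(src, dst, local_ts, remote_ts):
    """True if a packet src->dst falls inside the CHILD_SA's selector pair.

    Both addresses must be inside their respective selectors; otherwise the
    packet is not protected by this SA and is routed like any other packet,
    which on XG means it matches the ordinary LAN -> WAN rule instead.
    """
    return (ipaddress.ip_address(src) in local_ts
            and ipaddress.ip_address(dst) in remote_ts)


def masquerade(src, local_ts):
    """Model the MASQ effect: rewrite the source into the local selector.

    Assumption (hypothetical): use the first usable host of the selector.
    The firewall itself uses the address of its interface in that range.
    """
    return str(next(local_ts.hosts()))


def classify(src, dst, line=CHILD_SA_LINE, masq=False):
    """Return 'tunnel' if the SA covers the packet, else 'wan'.

    With masq=True the source is NATed into the local selector before the
    policy lookup, as a LAN -> VPN rule with MASQ enabled would do.
    """
    local_ts, remote_ts = parse_traffic_selectors(line)
    if masq:
        src = masquerade(src, local_ts)
    return "tunnel" if tunnel_selects(src, dst, local_ts, remote_ts) else "wan"


if __name__ == "__main__":
    # Constructed packets: the thread's LAN client, a client already inside the
    # selector, the LAN client behind MASQ, and a non-tunnel destination.
    for s, d, m in [("172.20.5.10", "172.27.200.49", False),
                    ("10.200.206.7", "172.27.200.49", False),
                    ("172.20.5.10", "172.27.200.49", True),
                    ("172.20.5.10", "8.8.8.8", True)]:
        print(f"{s} -> {d} ({'masq' if m else 'no masq'}): {classify(s, d, masq=m)}")
```

The same check applies when the customer instead widens the tunnel's local selector to the real LAN range: feed the new CHILD_SA line into `classify()` and the 172.20.x.x packet is selected without any NAT. Either way, a packet that shows up in the LAN to WAN rule's traffic is one the SA does not select.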

  • Hi  

    Please disable the NAT in Gateway settings.

    Make sure LAN to VPN and VPN to LAN firewall rules are configured.

    Please enable "MASQ" in LAN to VPN rule.

  • Hi Keyur, 

    Could you please explain in more detail?

    Thanks! 

  • Hi  

    Please see the attached screenshot and disable NAT configuration



    Please create firewall rules LAN to VPN and VPN to LAN.

    Please enable the "MASQ" option in the LAN to VPN rule.

  • Hi Keyur, 

    We have disabled the NAT rule in the VPN gateway settings.

    Then we have updated the firewall rule for LAN to VPN.

    The "local" remote subnet 10.200.x.x is used for the vpn connection and is configured under "host and services > IP Host" only.

    For our understanding we have to create a route for our local working subnet 172.20.x.x into the 10.200.x.x as well?! 

    We can see that the outgoing traffic to 172.27.200.49 still goes through the "internal > wan" rule. 

     

  • Hi  

    Could you please give me the details below?

    The IP address/Network behind the XG firewall wants to access the server at a remote location.

    Remote server IP address/Network.

    In the screenshot of the firewall rule, in the Source Network, you have defined two networks 172.20.0.0 and 10.200.206.0

    In the IPsec configuration, you have added network 172.20.0.0/16 

  • There are two possible issues there:

    • To support federation / S2S, an XMPP server must be available on the internet, and not associated with a local IP. Ideally, you should have set a DNS SRV record for that XMPP service.
    • The second issue is that your DNS resolution seems incorrect: ejabberd gets a local address for the domain from your DNS, when you seem to expect a public IP. You need to make sure the DNS service on the XMPP server is set up and working properly.