
XG 18 - IPSEC Route based - Operation not permitted

Hello,

I am experiencing strange behavior when I use the IPsec type Tunnel Interface.

When using it, the IPsec tunnel is established, but traffic originating from the Sophos XG does not seem to work as expected.

I'm getting this error when I try to ping the other peer from the Sophos XG:

SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1# ping -i 10.1.1.2 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.1.1.2: 56 data bytes
ping: sendto: Operation not permitted
SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1#


But if I ping from the other peer (10.1.1.1) to the Sophos XG (10.1.1.2), it works.

Branch office peer

console> ping sourceip 10.1.1.1 10.1.1.2
PING 10.1.1.2 (10.1.1.2) from 10.1.1.1: 56 data bytes
64 bytes from 10.1.1.2: seq=0 ttl=64 time=16.139 ms
64 bytes from 10.1.1.2: seq=1 ttl=64 time=15.928 ms
64 bytes from 10.1.1.2: seq=2 ttl=64 time=16.029 ms
64 bytes from 10.1.1.2: seq=3 ttl=64 time=15.912 ms
64 bytes from 10.1.1.2: seq=4 ttl=64 time=15.963 ms

Tcpdump from the Sophos side

SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1# tcpdump -i any host 10.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:37:31.142553 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 6, length 64
14:37:31.142587 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 6, length 64
14:37:32.147421 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 7, length 64
14:37:32.147452 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 7, length 64
14:37:33.156394 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 8, length 64
14:37:33.156421 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 8, length 64
14:37:34.161357 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 9, length 64
14:37:34.161387 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 9, length 6


IPsec connection from the Sophos side

Interface IP address


Could someone give me any tip about it?


Regards

Carlos



  • Only to add more info.

    Each time I ping from the Sophos XG v18 side,


    I can see these lines in the syslog file:

    SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1# tail -10 syslog.log
    Jun 6 15:15:11 (none) user.warn kernel: [55654.852048] snatmap:do_masq:No xfrm policy!
    Jun 6 15:15:12 (none) user.warn kernel: [55655.363460] snatmap:do_masq:No xfrm policy!
    Jun 6 15:21:20 (none) user.warn kernel: [56023.788286] snatmap:do_masq:No xfrm policy!
    Jun 6 15:21:33 (none) user.warn kernel: [56036.813429] snatmap:do_masq:No xfrm policy!
    Jun 6 15:21:59 (none) user.warn kernel: [56062.476219] snatmap:do_masq:No xfrm policy!
    Jun 6 15:22:03 (none) user.warn kernel: [56066.957589] snatmap:do_masq:No xfrm policy!
    Jun 6 15:24:41 (none) user.warn kernel: [56224.720533] snatmap:do_masq:No xfrm policy!
    Jun 6 15:24:43 (none) user.warn kernel: [56226.845782] snatmap:do_masq:No xfrm policy!

  • Interesting. 

    I can perform such an operation with my XFRM interface.

    Maybe somebody else can reproduce this? 


    Does your normal traffic (from behind XG) work? 


  • Hi  

    Thanks for the reply.

    Yes, the traffic from behind the XG works, but only when the destination is the WAN.

    All traffic routed/forwarded to the xfrm interface does not work.


    regards

    Carlos

  • Can you show us your XFRM interface in the Interface overview?

    And maybe the other end of the tunnel and the tunnel interface status?


  • Sure,


    From XG v18


    From BO peer

    IPsec tunnel UP

  • You are affected by the interface issue in v18, so your interfaces are limited to 10 Mbit/s.

    You need to change the interface type of your virtual machine.


  • Hi  

    Thanks for the tip!


    I just changed the virtual machine interface type.


    But even with this, there is no traffic from the XG v18.


    Regards

    Carlos

  • What about the route? Which one do you use?


  • Hi


    I was using BGP, and all the routes were distributed on both devices, but without traffic. Then I removed all the routes and started the debugging/tests on both peers, and the first test was the ping between the devices using the tunnel. As I don't have traffic through the tunnel, I believe that this can be my problem. I have an XG firewall running v17 and I get ping over IPsec tunnels without problem.

    regards

    Carlos

  • Hi  

    Will you please confirm the below details or settings on the HO XG from where PING is not working with the command # ping -i 10.1.1.2 10.1.1.1?

    1) Is there any generic NAT MASQ rule configured on the HO XG? If yes, RBVPN traffic will be dropped due to this issue. (As of now it is a known issue.)

    2) Please generate a PING and capture the packet request on the HO XG via the below.

    a) # ping -i 10.1.1.2 10.1.1.1
    b) # tcpdump -n ip proto 50 or ICMP

    From the output of b), confirm whether the Echo request packets are masqueraded with the Port WAN IP or not.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

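Two checks recur in this thread: the `snatmap:do_masq:No xfrm policy!` kernel lines that appear in syslog on every ping from the XG, and Vishal's step b), which asks whether the outgoing echo requests in the tcpdump capture still carry the tunnel address (10.1.1.2) or have been masqueraded with the WAN IP by a generic MASQ rule. The script below is an added example, not code from the thread or from Sophos; it parses both kinds of output offline and returns a verdict. The syslog and tcpdump lines embedded in it are constructed to mirror the thread's format, and the WAN address 203.0.113.10 and interface name Port2 are assumed placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the ones quoted in the thread.
SYSLOG_SAMPLE = """\
Jun 6 15:15:11 (none) user.warn kernel: [55654.852048] snatmap:do_masq:No xfrm policy!
Jun 6 15:15:12 (none) user.warn kernel: [55655.363460] snatmap:do_masq:No xfrm policy!
Jun 6 15:16:00 (none) user.info kernel: [55700.000000] unrelated kernel message
Jun 6 15:21:20 (none) user.warn kernel: [56023.788286] snatmap:do_masq:No xfrm policy!
"""

# Constructed `tcpdump -i any` lines: one echo request leaving with the tunnel
# address, one leaving with an assumed WAN address (documentation range) on an
# assumed interface name "Port2", i.e. the masqueraded case Vishal asks about.
TCPDUMP_SAMPLE = """\
14:37:31.142553 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 7715, seq 6, length 64
14:37:31.142587 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo reply, id 7715, seq 6, length 64
14:37:32.147421 Port2, OUT: IP 203.0.113.10 > 10.1.1.1: ICMP echo request, id 7716, seq 0, length 64
"""

# The kernel message the thread reports on every ping from the XG.
XFRM_MISS_RE = re.compile(r"snatmap:do_masq:No xfrm policy!")

# ICMP echo line as printed by tcpdump; the "iface, IN/OUT:" prefix is only
# present when capturing on the pseudo-interface "any".
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:(?P<iface>\S+), (?P<dir>IN|OUT): )?"
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def count_xfrm_policy_misses(log_text):
    """Count kernel lines saying masquerading found no matching xfrm policy."""
    return sum(1 for line in log_text.splitlines() if XFRM_MISS_RE.search(line))


def classify_echo_requests(capture_text, tunnel_src, wan_ip, peer):
    """For every echo request towards `peer`, record which source address it left with.

    Returns a list of dicts with the sequence number, source address and a verdict:
    "tunnel-source" (expected), "masqueraded-wan" (MASQ rule rewrote it) or "other".
    """
    results = []
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line)
        if not m or m["kind"] != "request" or m["dst"] != peer:
            continue
        src = m["src"]
        if src == tunnel_src:
            verdict = "tunnel-source"
        elif src == wan_ip:
            verdict = "masqueraded-wan"
        else:
            verdict = "other"
        results.append({"seq": int(m["seq"]), "src": src, "verdict": verdict})
    return results


def diagnose(log_text, capture_text, tunnel_src, wan_ip, peer):
    """Combine both checks into one verdict for the route-based VPN issue."""
    misses = count_xfrm_policy_misses(log_text)
    verdicts = Counter(r["verdict"] for r in classify_echo_requests(capture_text, tunnel_src, wan_ip, peer))
    if misses or verdicts["masqueraded-wan"]:
        # Either symptom points at a NAT/MASQ rule catching traffic meant for the xfrm interface.
        return "suspect-masq-rule"
    return "ok"


if __name__ == "__main__":
    print("xfrm policy misses:", count_xfrm_policy_misses(SYSLOG_SAMPLE))
    for r in classify_echo_requests(TCPDUMP_SAMPLE, "10.1.1.2", "203.0.113.10", "10.1.1.1"):
        print(r)
    print("verdict:", diagnose(SYSLOG_SAMPLE, TCPDUMP_SAMPLE, "10.1.1.2", "203.0.113.10", "10.1.1.1"))
```

To use it on a real box, paste the output of `tail syslog.log` and of `tcpdump -n -i any ip proto 50 or icmp` into the two strings (or read them from files) and pass your own tunnel, WAN and peer addresses; a "masqueraded-wan" verdict on any echo request is the direct evidence of the generic MASQ rule that Vishal's step b) is designed to surface.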