
XG 18 - IPSEC Route based - Operation not permitted

Hello,

I am experiencing strange behavior when I use the IPsec type Tunnel Interface.

When using it, the IPsec tunnel is established, but traffic originating from the Sophos XG does not seem to work as expected.

I'm getting this error when I try to ping the other peer from the Sophos XG:

SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1# ping -i 10.1.1.2 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.1.1.2: 56 data bytes
ping: sendto: Operation not permitted
SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1#


But if I ping from the other peer (10.1.1.1) to the Sophos XG (10.1.1.2), it works.

Branch office peer

console> ping sourceip 10.1.1.1 10.1.1.2
PING 10.1.1.2 (10.1.1.2) from 10.1.1.1: 56 data bytes
64 bytes from 10.1.1.2: seq=0 ttl=64 time=16.139 ms
64 bytes from 10.1.1.2: seq=1 ttl=64 time=15.928 ms
64 bytes from 10.1.1.2: seq=2 ttl=64 time=16.029 ms
64 bytes from 10.1.1.2: seq=3 ttl=64 time=15.912 ms
64 bytes from 10.1.1.2: seq=4 ttl=64 time=15.963 ms

Tcpdump from the Sophos side

SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1# tcpdump -i any host 10.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:37:31.142553 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 6, length 64
14:37:31.142587 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 6, length 64
14:37:32.147421 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 7, length 64
14:37:32.147452 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 7, length 64
14:37:33.156394 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 8, length 64
14:37:33.156421 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 8, length 64
14:37:34.161357 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 9, length 64
14:37:34.161387 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 9, length 6


IPsec connection from the Sophos side

Interface IP address

Could someone give me any tip about it?


Regards

Carlos
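A small diagnostic, added here as an example and not part of the original post, that pairs the ICMP echo requests and replies from a `tcpdump -i any` capture like the one above by (id, seq) and reports, per direction, how many requests were answered. The sample capture is copied from the thread; the local address 10.1.1.2 is the XG end of the tunnel as stated in the post. The point it makes visible: `sendto: Operation not permitted` is a local kernel refusal (EPERM) raised before the packet is handed to any interface, so XG-originated pings never show up on xfrm1 at all, which is why the outbound count stays at zero while inbound pings are answered normally.

```python
import re

# Sample capture copied from the thread (tcpdump -i any, Linux cooked format).
SAMPLE_CAPTURE = """\
14:37:31.142553 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 6, length 64
14:37:31.142587 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 6, length 64
14:37:32.147421 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 7, length 64
14:37:32.147452 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 7, length 64
"""

# Matches one cooked-capture line carrying an ICMP echo request or reply.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(capture):
    """Return one dict per ICMP echo line; non-matching lines are ignored."""
    parsed = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            parsed.append(d)
    return parsed


def pair_echoes(capture, local_ip):
    """Map (id, seq) of every echo request to True/False (reply seen or not),
    split into requests sent by local_ip ("outbound") and received ("inbound")."""
    result = {"inbound": {}, "outbound": {}}
    replies = set()
    requests = []
    for p in parse_icmp_echo(capture):
        (replies.add((p["id"], p["seq"])) if p["kind"] == "reply" else requests.append(p))
    for r in requests:
        direction = "outbound" if r["src"] == local_ip else "inbound"
        result[direction][(r["id"], r["seq"])] = (r["id"], r["seq"]) in replies
    return result


def summarize(capture, local_ip):
    """Per direction: (answered requests, total requests). An outbound total of 0
    while pings were attempted from this host means they never reached the interface."""
    pairs = pair_echoes(capture, local_ip)
    return {d: (sum(v.values()), len(v)) for d, v in pairs.items()}


if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE, "10.1.1.2"))
```

If the outbound total is zero even though pings were issued locally, look at what the sending host itself rejects (local output firewall rules, or the IPsec policy/selector the xfrm interface is bound to) rather than at the peer.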



  • Hi


    I was using BGP; all routes were distributed on both devices, but without traffic. Then I removed all routes and started the debug/tests on both peers, and the first test was the ping from the devices using the tunnel. As I don't have traffic through the tunnel, I believe that this can be my problem. I have an XG firewall running V17 and I got ping working over IPsec tunnels without problem.

    regards

    Carlos