
XG 18 - IPSEC Route based - Operation not permitted

Hello,

I am experiencing strange behavior when I use the IPsec type "Tunnel Interface".

When using it, the IPsec tunnel is established, but traffic originating from the Sophos XG does not seem to work as expected.

I'm getting this error when I try to ping the other peer from the Sophos XG:

SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1# ping -i 10.1.1.2 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.1.1.2: 56 data bytes
ping: sendto: Operation not permitted
SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1#


But if I ping from the other peer (10.1.1.1) to the Sophos XG (10.1.1.2), it works.

Branch office peer:

console> ping sourceip 10.1.1.1 10.1.1.2
PING 10.1.1.2 (10.1.1.2) from 10.1.1.1: 56 data bytes
64 bytes from 10.1.1.2: seq=0 ttl=64 time=16.139 ms
64 bytes from 10.1.1.2: seq=1 ttl=64 time=15.928 ms
64 bytes from 10.1.1.2: seq=2 ttl=64 time=16.029 ms
64 bytes from 10.1.1.2: seq=3 ttl=64 time=15.912 ms
64 bytes from 10.1.1.2: seq=4 ttl=64 time=15.963 ms

Tcpdump from the Sophos side:

SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1# tcpdump -i any host 10.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:37:31.142553 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 6, length 64
14:37:31.142587 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 6, length 64
14:37:32.147421 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 7, length 64
14:37:32.147452 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 7, length 64
14:37:33.156394 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 8, length 64
14:37:33.156421 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 8, length 64
14:37:34.161357 xfrm1, IN: IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 7715, seq 9, length 64
14:37:34.161387 xfrm1, OUT: IP 10.1.1.2 > 10.1.1.1: ICMP echo reply, id 7715, seq 9, length 6


[Screenshot: IPsec connection from the Sophos side]

[Screenshot: interface IP address]

Could someone give me any tip about it?

 

Regards

Carlos



  • Only to add more info.

    Each time I ping from the Sophos XG v18 side,

     

    I can see these lines in the syslog file:

    SFVUNL_VM01_SFOS 18.0.0 GA-Build379.HF052220.1# tail -10 syslog.log
    Jun 6 15:15:11 (none) user.warn kernel: [55654.852048] snatmap:do_masq:No xfrm policy!
    Jun 6 15:15:12 (none) user.warn kernel: [55655.363460] snatmap:do_masq:No xfrm policy!
    Jun 6 15:21:20 (none) user.warn kernel: [56023.788286] snatmap:do_masq:No xfrm policy!
    Jun 6 15:21:33 (none) user.warn kernel: [56036.813429] snatmap:do_masq:No xfrm policy!
    Jun 6 15:21:59 (none) user.warn kernel: [56062.476219] snatmap:do_masq:No xfrm policy!
    Jun 6 15:22:03 (none) user.warn kernel: [56066.957589] snatmap:do_masq:No xfrm policy!
    Jun 6 15:24:41 (none) user.warn kernel: [56224.720533] snatmap:do_masq:No xfrm policy!
    Jun 6 15:24:43 (none) user.warn kernel: [56226.845782] snatmap:do_masq:No xfrm policy!

  • Hi,

    Will you please confirm the details or settings below on the HO XG from which PING is not working with the command # ping -i 10.1.1.2 10.1.1.1?

    1) Is there any generic NAT MASQ rule configured on the HO XG? If yes, RBVPN traffic will be dropped due to this issue (as of now it is a known issue).

    2) Please generate a PING and capture the packet request on the HO XG via the commands below.

    a) #ping -i 10.1.1.2 10.1.1.1
    b) #tcpdump -n ip proto 50 or ICMP

    From the output of b), confirm whether the echo request packets are masqueraded with the port's WAN IP or not.
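The check asked for above (do the echo requests leaving the HO XG carry the tunnel interface address or the WAN address?) and the kernel message from the syslog excerpt can be scripted so that a capture and a log tail are classified consistently. The following is an added example, not code from the thread or from Sophos: it parses constructed `tcpdump -n` and syslog samples in the formats shown in this thread. The tunnel and peer addresses come from the thread; the WAN address 203.0.113.10, the ESP peer 198.51.100.7 and the sample lines themselves are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Addresses taken from the thread: XG tunnel interface and branch peer.
TUNNEL_IP = "10.1.1.2"
PEER_IP = "10.1.1.1"
# Hypothetical WAN address of the HO XG (documentation range, not from the thread).
WAN_IP = "203.0.113.10"

# Constructed sample of `tcpdump -n ip proto 50 or icmp` output (not a real capture).
SAMPLE_TCPDUMP = """\
14:40:01.000100 IP 203.0.113.10 > 10.1.1.1: ICMP echo request, id 1234, seq 0, length 64
14:40:02.000100 IP 203.0.113.10 > 10.1.1.1: ICMP echo request, id 1234, seq 1, length 64
14:40:03.000100 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 1234, seq 2, length 64
14:40:03.016200 IP 10.1.1.1 > 10.1.1.2: ICMP echo reply, id 1234, seq 2, length 64
14:40:03.016300 IP 203.0.113.10 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x1a), length 120
"""

# Constructed syslog excerpt mirroring the kernel message format from the thread.
SAMPLE_SYSLOG = """\
Jun 6 15:15:11 (none) user.warn kernel: [55654.852048] snatmap:do_masq:No xfrm policy!
Jun 6 15:15:12 (none) user.info kernel: [55655.000000] unrelated message
Jun 6 15:15:12 (none) user.warn kernel: [55655.363460] snatmap:do_masq:No xfrm policy!
"""

# Matches one ICMP echo request line as printed by tcpdump -n (no interface column).
ECHO_REQ = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)"
)
NO_XFRM_POLICY = re.compile(r"snatmap:do_masq:No xfrm policy!")


@dataclass
class EchoRequest:
    ts: str
    src: str
    dst: str
    seq: int
    source_kind: str  # "tunnel", "wan" or "other"


def classify_echo_requests(capture: str, tunnel_ip: str, wan_ip: str) -> List[EchoRequest]:
    """Return every echo request in the capture, labelled by which address it was sent from."""
    found = []
    for line in capture.splitlines():
        m = ECHO_REQ.match(line)
        if not m:
            continue  # replies, ESP and anything else are not of interest here
        src = m.group("src")
        kind = "tunnel" if src == tunnel_ip else "wan" if src == wan_ip else "other"
        found.append(EchoRequest(m.group("ts"), src, m.group("dst"), int(m.group("seq")), kind))
    return found


def count_no_xfrm_policy(syslog: str) -> int:
    """Count kernel lines reporting that masquerading found no xfrm (IPsec) policy."""
    return sum(1 for line in syslog.splitlines() if NO_XFRM_POLICY.search(line))


def diagnose(capture: str, syslog: str, tunnel_ip: str, wan_ip: str) -> str:
    """Combine both signals into one verdict a helpdesk reply could act on."""
    requests = classify_echo_requests(capture, tunnel_ip, wan_ip)
    masqueraded = [r for r in requests if r.source_kind == "wan"]
    kernel_hits = count_no_xfrm_policy(syslog)
    if masqueraded or kernel_hits:
        return "masquerade_suspected"  # review the generic NAT MASQ rule on the HO XG
    if requests:
        return "tunnel_source_ok"
    return "no_echo_requests_seen"


if __name__ == "__main__":
    for r in classify_echo_requests(SAMPLE_TCPDUMP, TUNNEL_IP, WAN_IP):
        print(f"{r.ts} seq={r.seq} src={r.src} ({r.source_kind})")
    print("No-xfrm-policy kernel lines:", count_no_xfrm_policy(SAMPLE_SYSLOG))
    print("Verdict:", diagnose(SAMPLE_TCPDUMP, SAMPLE_SYSLOG, TUNNEL_IP, WAN_IP))
```

On a real box the two inputs would be the output of `tcpdump -n ip proto 50 or icmp` run while `ping -i 10.1.1.2 10.1.1.1` is issued, and `tail syslog.log`; the verdict only says whether either indicator of a masquerade rule interfering with the route-based VPN traffic is present.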

  • Hello,

    1) Is there any generic NAT MASQ rule configured on the HO XG? If yes, RBVPN traffic will be dropped due to this issue (as of now it is a known issue).

        Yes, there is.

    2) Please generate a PING and capture the packet request on the HO XG via the commands below.

    a) #ping -i 10.1.1.2 10.1.1.1
    b) #tcpdump -n ip proto 50 or ICMP

     

    Regards

    Carlos
