Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 26 subscribers
  • Views 1148 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

v18 - Unable to use LDAP or DNS when DC and DNS Server are behind route based VPN

DuS

Hi together,

 

maybe someone can give a short hint if one has to do something unusual to get it to work or just confirm that this is a bug.

It seems to me, as if the Sophos appliance is unable to route traffic originating from itself to servers behind a route based VPN tunnel interface.

 

I setup new Sophos appliances every week and always connected them with policy based vpn to Headquarter (HQ). The appliances use DNS and LDAP services from HQ and clients use the appliance for DNS. I never had issues with this setup.

Now with v18 we can use route based vpn and I sucessfully established the transfer network between the appliances and applied firewall policies and routes on both devices. However, the device was not able to reach our LDAP/AD or DNS servers in HQ through the tunnel, but devices in the LAN behind the Branch office (BO) had no issues reaching those services.

Because of this (Bug?) we had to modify all DHCP scopes on the BO appliance so that the devices in the BO LAN directly use DNS in the HQ and do not use their local Sophos appliance for DNS. Additionally we were unable to setup Active Directory authentication for our administrative accounts. (AD authentication check fails on the appliance connected with route based vpn tunnel)

Anything known around this topic? Might there be a fix available soon?

This issue occured also on the latest release SFOS 18.0.1 MR-1-Build396.

 

Kind regards,

David



This thread was automatically locked due to age.
Parents
  • FormerMember
    +1 FormerMember

    Hi  

    Thank you for reaching out to the Community! 

    What was the firmware version on the firewall when this scenario worked for you and with adding system routes manually? 

    Did you add a route form the backend to route system-generated traffic over IPsec tunnel? 

    Please check out the following KBA: Sophos XG Firewall: How to Route Sophos Firewall Initiated Traffic Through an IPSec VPN tunnel.

    Thanks,

  • 0 in reply to FormerMember

    OK thank you for the information. I was not aware, that this kind of stuff could be necessary.

    In the article above a regular policy based ipsec site-to-site vpn is created so that is very much different from my current scenario. With regular policy based vpns I never had to add "ip-sec-routes" or a snat for the appliance itself to be able to talk to HO servers because the destination network was always already part of the remote networks in the tunnel (from BO point of view)

    Additionally I never had to care which IP is on my WAN port. The box always used the IP from its lan interface that was within the tunnel. (Otherwise the traffic would never have been able to get routed back since most BO appliances in my network have exactly the same address on their wan port which is connected to a dsl nat router)

    I guess this kind of stuff applies if local- and remote-networks in the vpn are not part of sophos interface networks.

     

    Nonetheless, your answer helped me to solve my issue. The only thing that I was missing was: "What is the source IP BO appliance is using?"

    It was its vpn tunnel interface of course and in HO I did not have a firewall policy allowing traffic from the network I chose for my vpn transfer networks. Sometimes the simple stuff confuses the most. Also very glad to hear, that in this case it is not a bug.

    Thank you very much!

     

    Kind regards,

    David

Reply
  • 0 in reply to FormerMember

    OK thank you for the information. I was not aware, that this kind of stuff could be necessary.

    In the article above a regular policy based ipsec site-to-site vpn is created so that is very much different from my current scenario. With regular policy based vpns I never had to add "ip-sec-routes" or a snat for the appliance itself to be able to talk to HO servers because the destination network was always already part of the remote networks in the tunnel (from BO point of view)

    Additionally I never had to care which IP is on my WAN port. The box always used the IP from its lan interface that was within the tunnel. (Otherwise the traffic would never have been able to get routed back since most BO appliances in my network have exactly the same address on their wan port which is connected to a dsl nat router)

    I guess this kind of stuff applies if local- and remote-networks in the vpn are not part of sophos interface networks.

     

    Nonetheless, your answer helped me to solve my issue. The only thing that I was missing was: "What is the source IP BO appliance is using?"

    It was its vpn tunnel interface of course and in HO I did not have a firewall policy allowing traffic from the network I chose for my vpn transfer networks. Sometimes the simple stuff confuses the most. Also very glad to hear, that in this case it is not a bug.

    Thank you very much!

     

    Kind regards,

    David

Children
No Data