
GCP and Sophos XG Firewall VPN Established but cannot ping

We have recently configured our on-prem Sophos XG Firewall to connect to GCP Cloud VPN via site-to-site IPsec. We managed to get our VPN established, but we cannot get the VMs at the two ends to ping each other, although ICMP has been enabled.

Below is our VPN tunnel.  

1. 203.xx.xx.xx is our India region

2. 99.xx.xx.xx is our US region

3. 34.105.24.193 is another GCP VPN test.

All VPNs have been established. Tunnels and subnets have been created. We have the GCP firewall open for all ports to all instances. This is the result.

  • GCP VPN (uswest) (34.105.24.193) <---> GCP VPN (asia) (34.84.53.162) = VMs created in both VPN subnets can ping each other. I assume there is no issue in the GCP VPN configuration. uswest subnet 172.100.x.x and asia subnet 10.100.x.x

  • Sophos XG India VPN (203.xx.xx.xx) <---> GCP VPN (asia) (34.84.53.162) = VMs created in both VPN subnets CANNOT ping each other.

  • Sophos XG USA VPN (99.xx.xx.xx) <---> GCP VPN (asia) (34.84.53.162) = VMs created in both VPN subnets CANNOT ping each other.

Since the first approach works, I believe some settings are not correctly set up in the Sophos XG firewall. Can you help provide some guidance on which area we should focus on?



  • Hello Joseph,

    Thank you for contacting the Sophos Community!

    If you do a packet capture from the GUI of the XG, do you see the packets leaving the XG via the IPsec tunnel?

    Regards,

  • Now that connectivity is established and working, we still have ONE last question to clarify: we can now ping from on-prem to GCP and vice versa, but we couldn't connect to GCP from a workstation that was connected to the VPN. Let me provide a bit more detail:

    On-prem address range - 10.11.0.0/22

    GCP address range - 10.100.10.0/24

    When we connect from our workstation to the Sophos XG VPN and SSH to one of the VMs in 10.11.0.0/22, we can ping 10.100.10.0/24 and vice versa. If we don't SSH to 10.11.0.0/22, we can't ping GCP. How do we allow our workstation that is connected to the VPN to ping the GCP VMs?

  • Hello Joseph!

    Make sure you add the subnet 10.100.10.0/24 to the allowed subnets for the SSL VPN in the XG.

    Is 10.100.10.0/24 directly connected to the XG, or does the XG only have a route to this network? If it is the second, you will need to create a static route for the SSL VPN subnet, so that when the traffic arrives there it knows where to send it back.

    Regards,

  • Hi Emmanuel,

    I will close this issue and open another regarding the P2S with Sophos connecting to GCP. S2S between Sophos and GCP is working fine. The GCP subnet is added in Sophos and is connected directly from the XG. We are using Tunnelblick as our VPN client to connect to the XG. Once connected, we can see the route has been created. As you can see from the netstat output below, we have a route for the CIDR range 10.100.10/24 for testing.

    The client machine is still not able to ping any host in 10.100.10/24. We need to SSH into one of our 10.11/22 machines, and only then can we connect to 10.100.10/24.

    Client machine connected with VPN below:

    $ netstat -nr
    
    Internet:
    Destination        Gateway            Flags        Netif Expire
    default            172.100.18.1       UGSc           en0
    10.11/22           10.81.234.5        UGSc         utun2
    10.12/23           10.81.234.5        UGSc         utun2
    10.81.234/24       10.81.234.22       UGSc         utun2
    10.81.234.22       10.81.234.22       UH           utun2
    10.81.235/24       10.81.234.5        UGSc         utun2
    10.81.236/24       10.81.234.5        UGSc         utun2
    10.100.4/22        10.81.234.5        UGSc         utun2
    10.100.10/24       10.81.234.5        UGSc         utun2
    10.128/20          10.81.234.5        UGSc         utun2
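As an added diagnostic (not part of the thread or of any Sophos tooling), the script below parses a constructed copy of the macOS `netstat -nr` output above, expands the abbreviated BSD prefixes such as `10.100.10/24`, and does a longest-prefix lookup for a GCP address. It assumes the four-column layout shown in the post; the `NETSTAT_OUTPUT` string is a constructed sample.

```python
import ipaddress

# Constructed copy of the `netstat -nr` output posted above; only the first
# four columns (Destination, Gateway, Flags, Netif) are used.
NETSTAT_OUTPUT = """\
Destination        Gateway            Flags        Netif Expire
default            172.100.18.1       UGSc           en0
10.11/22           10.81.234.5        UGSc         utun2
10.12/23           10.81.234.5        UGSc         utun2
10.81.234/24       10.81.234.22       UGSc         utun2
10.81.234.22       10.81.234.22       UH           utun2
10.81.235/24       10.81.234.5        UGSc         utun2
10.81.236/24       10.81.234.5        UGSc         utun2
10.100.4/22        10.81.234.5        UGSc         utun2
10.100.10/24       10.81.234.5        UGSc         utun2
10.128/20          10.81.234.5        UGSc         utun2
"""

def expand_bsd_prefix(dest):
    """BSD netstat prints '10.100.10.0/24' as '10.100.10/24' and a host route
    as a bare address; return a full ip_network for either form."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # pad the dropped trailing octets
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)

def parse_routes(text):
    routes = []
    for line in text.splitlines()[1:]:           # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[:4]
        routes.append((expand_bsd_prefix(dest), gateway, flags, netif))
    return routes

def lookup(routes, ip):
    """Longest-prefix match, as the kernel does for an outgoing packet."""
    target = ipaddress.ip_address(ip)
    best = None
    for net, gateway, flags, netif in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, netif)
    return best

# A GCP VM address resolves to the tunnel interface via the XG-side gateway.
ROUTE_FOR_GCP_VM = lookup(parse_routes(NETSTAT_OUTPUT), "10.100.10.5")  # -> (10.100.10.0/24, '10.81.234.5', 'UGSc', 'utun2')
```

If the lookup lands on `utun2`, the client is already sending the packet into the tunnel, so the remaining gap is on the XG side: the SSL VPN allowed subnets and the return route for the SSL VPN range that the reply above describes.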