
GCP and Sophos XG Firewall VPN Established but cannot ping

We have recently configured our on-prem Sophos XG Firewall to connect to GCP Cloud VPN via a Site-to-Site IPsec tunnel. We managed to get the VPN established, but we cannot get the VMs at the two ends to ping each other, although ICMP has been enabled.

Below is our VPN tunnel.  

1. 203.xx.xx.xx is our India region

2.  99.xx.xx.xx is our US region

3.  34.105.24.193 is another GCP VPN test.

All VPNs have been established. Tunnels and subnets have been created. We have the GCP firewall open for all ports to all instances. This is the result.

  • GCP VPN (uswest) (34.105.24.193) <---> GCP VPN (asia) (34.84.53.162) = VMs created in both VPN subnets can ping each other. I assume there is no issue in the GCP VPN configuration. uswest subnet 172.100.x.x and asia subnet 10.100.x.x

  • Sophos XG India VPN (203.xx.xx.xx) <---> GCP VPN (asia) (34.84.53.162) = VMs created in both VPNs CANNOT ping each other.

  • Sophos XG USA VPN (99.xx.xx.xx) <---> GCP VPN (asia) (34.84.53.162) = VMs created in both VPNs CANNOT ping each other.

Since the first approach works, I believe some setting is not correctly set up in the Sophos XG firewall. Can you help provide some guidance on which area we should focus on?



  • Hi Emmanuel,

    I will close this issue and open another regarding the P2S with Sophos connecting to GCP. S2S between Sophos and GCP is working fine. The GCP subnet is added in Sophos and is connected directly from the XG. We are using Tunnelblick as our VPN client to connect to the XG. Once connected, we can see the route has been created. As you can see from the netstat output below, we have a route for the CIDR range 10.100.10/24 for testing.

    The client machine is still not able to ping anything in the 10.100.10/24 network. We need to ssh into one of our 10.11/22 machines; only then can we connect to 10.100.10/24.

    Client machine connected with VPN, routes below:

    $ netstat -nr
    
    Internet:
    Destination        Gateway            Flags        Netif Expire
    default            172.100.18.1       UGSc           en0
    10.11/22           10.81.234.5        UGSc         utun2
    10.12/23           10.81.234.5        UGSc         utun2
    10.81.234/24       10.81.234.22       UGSc         utun2
    10.81.234.22       10.81.234.22       UH           utun2
    10.81.235/24       10.81.234.5        UGSc         utun2
    10.81.236/24       10.81.234.5        UGSc         utun2
    10.100.4/22        10.81.234.5        UGSc         utun2
    10.100.10/24       10.81.234.5        UGSc         utun2
    10.128/20          10.81.234.5        UGSc         utun2
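An added example, not part of the thread: a small Python helper that parses the macOS `netstat -nr` table quoted above, expands the BSD shorthand (`10.11/22` means 10.11.0.0/22, `default` means 0.0.0.0/0) and performs the same longest-prefix match the client kernel does. It lets you confirm that a packet for a 10.100.10/24 host really leaves via `utun2` towards 10.81.234.5 before looking for the problem on the XG (P2S-to-S2S forwarding) or on the GCP side (return route for the client pool). The embedded table is a constructed subset of the routes in the post.

```python
import ipaddress

# Constructed sample: a subset of the netstat -nr output quoted in the thread.
NETSTAT_OUTPUT = """\
Internet:
Destination        Gateway            Flags        Netif Expire
default            172.100.18.1       UGSc           en0
10.11/22           10.81.234.5        UGSc         utun2
10.81.234.22       10.81.234.22       UH           utun2
10.100.10/24       10.81.234.5        UGSc         utun2
10.128/20          10.81.234.5        UGSc         utun2
"""


def expand_bsd_prefix(dest):
    """Expand BSD route shorthand: '10.11/22' -> 10.11.0.0/22, host -> /32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # BSD drops trailing zero octets
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_routes(text):
    """Return (network, gateway, interface) tuples from netstat -nr output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # skip the 'Internet:' banner, header and blank lines
        routes.append((expand_bsd_prefix(parts[0]), parts[1], parts[3]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the route the client kernel would pick for ip."""
    target = ipaddress.ip_address(ip)
    best = None
    for net, gw, ifname in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return best


if __name__ == "__main__":
    table = parse_routes(NETSTAT_OUTPUT)
    for host in ("10.100.10.7", "10.11.3.4", "8.8.8.8"):
        net, gw, dev = lookup(table, host)
        print(f"{host:<14} -> {net} via {gw} dev {dev}")
```

If the lookup shows `utun2` for the 10.100.10/24 host, the client side is routing correctly and the missing piece is the forwarding or return path on the XG or in GCP, not the Tunnelblick route push.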