
Sophos XG IPsec port forwarding

Hello,

I have a Sophos XG at work and a Sophos XG at home. Recently I have acquired a Meraki MX64 that I am running behind my Sophos XG at home. I have been tasked with setting up my work XG with the Meraki MX in a site2site tunnel (for a future deployment). I have the tunnel partially up to where I can connect back to work through a host on the Meraki side without issue. However, I cannot do the opposite. I believe the reason is that the work XG is trying to pair an IPsec tunnel to my home XG.

I have created a DNAT and access rule to the Meraki for IKE, ESP and even L2TP to point to the Meraki. However, I do not see these rules being hit whatsoever in NAT or access rules. I have other NATs to my file server working fine, so I'm not sure if I'm missing something here?

  • FormerMember
    0 FormerMember in reply to Emil Naklicki

    Hi,

    Did you configure the matching firewall rule for the DNAT rule? If yes, can you try to change the inbound interface to Any in the matching criteria for testing and see if that helps?

    Thanks,

  • I gave that a shot but no luck. I have the tunnel working one way (Meraki network back to work network). I did a tracert from a work computer back to my Meraki inside network (10.241.0.0/16) and I got a loop going back and forth between my firewall and switch. I do have a static route on my work firewall for 10.0.0.0/8 pointing back to my switch. Is it possible that my static route is taking over and pushing packets back to my switch even though I have a policy IPsec site-to-site pointing to 10.241.0.0/16? If so, can I create a static route specific to 10.241.0.0-destined traffic even though this is a policy-based IPsec tunnel and not route-based?

  • FormerMember
    +1 FormerMember in reply to Emil Naklicki

    Hi,

    If the remote network overlaps with the static route, can you try to create a more specific static route, or change the route precedence and set VPN route precedence at the top?

    You can check the route precedence from the console with the following command: system route_precedence show

    For SFOS version 17:
    console> system route_precedence set static policyroute vpn

    For SFOS version 18:
    console> system route_precedence set static sdwan_policyroute vpn

    Thanks,

  • That would have most likely worked, thank you. I instead broke up my routing statements into smaller segments so that the remote network was no longer included, which did fix my issue. It turns out I didn't even require port forwarding IPsec.
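
To make the routing interaction in the two replies above concrete, here is an added example (not from the thread, and not Sophos code) that models the overlap between the 10.0.0.0/8 static route and the 10.241.0.0/16 VPN network, then shows both fixes: moving VPN routes ahead in the precedence order, and splitting the summary route so the remote network is no longer covered. It assumes a simplified lookup model in which tables are consulted in precedence order and the first table holding a matching prefix wins, with longest-prefix match inside each table; the next-hop names are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed values: only the two networks come from the thread.
Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next hop or tunnel name)

STATIC_SUMMARY: List[Route] = [(ipaddress.ip_network("10.0.0.0/8"), "core-switch")]
VPN_TABLE: List[Route] = [(ipaddress.ip_network("10.241.0.0/16"), "ipsec-to-meraki")]
SFOS17_DEFAULT = ["static", "policyroute", "vpn"]   # order named in the reply above


def lookup_in_table(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def route(dst_ip: str, tables: Dict[str, List[Route]], precedence: List[str]) -> Optional[str]:
    """Simplified precedence model (assumption): tables are consulted in the
    configured order and the first table with any matching prefix wins, even
    when a later table holds a more specific route."""
    dst = ipaddress.ip_address(dst_ip)
    for name in precedence:
        hit = lookup_in_table(tables.get(name, []), dst)
        if hit:
            return hit[1]
    return None


def before_fix() -> Optional[str]:
    # Static table is consulted first, so the /8 summary swallows the remote /16
    # and traffic for the Meraki network is sent to the switch (the observed loop).
    return route("10.241.0.10", {"static": STATIC_SUMMARY, "vpn": VPN_TABLE}, SFOS17_DEFAULT)


def fix_by_precedence() -> Optional[str]:
    # Equivalent of putting vpn first in "system route_precedence set ...".
    return route("10.241.0.10", {"static": STATIC_SUMMARY, "vpn": VPN_TABLE}, ["vpn", "static", "policyroute"])


def split_summary(summary: str, carve_out: str) -> List[Route]:
    """Break the summary into the smaller static routes that cover everything except carve_out."""
    pieces = ipaddress.ip_network(summary).address_exclude(ipaddress.ip_network(carve_out))
    return [(p, "core-switch") for p in sorted(pieces)]


def fix_by_splitting() -> Tuple[Optional[str], Optional[str], int]:
    # The original poster's fix: smaller static segments that exclude 10.241.0.0/16.
    tables = {"static": split_summary("10.0.0.0/8", "10.241.0.0/16"), "vpn": VPN_TABLE}
    return (route("10.241.0.10", tables, SFOS17_DEFAULT),   # now reaches the tunnel
            route("10.20.30.40", tables, SFOS17_DEFAULT),   # other 10/8 hosts still go to the switch
            len(tables["static"]))                          # number of replacement static routes
```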