
Sophos XG IPsec port forwarding

Hello,

I have a Sophos XG at work and a Sophos XG at home. Recently I have acquired a Meraki MX64 that I am running behind my Sophos XG at home. I have been tasked with setting up my work XG with the Meraki MX in a site-to-site tunnel (for a future deployment). I have the tunnel partially up, to where I can connect back to work through a host on the Meraki side without issue. However, I cannot do the opposite. I believe the reason is that the work XG is trying to pair an IPsec tunnel to my home XG.

I have created a DNAT and access rule to the Meraki for IKE, ESP and even L2TP to point to the Meraki. However, I do not see these rules being hit whatsoever in NAT or access rules. I have other NATs to my file server working fine, so I'm not sure if I'm missing something here?



  • I gave that a shot but no luck. I have the tunnel working one way (Meraki network back to work network). I did a tracert from a work computer back to my Meraki inside network (10.241.0.0/16) and I got a loop going back and forth between my firewall and switch. I do have a static route on my work firewall for 10.0.0.0/8 pointing back to my switch. Is it possible that my static route is taking over and pushing packets back to my switch even though I have a policy-based IPsec site-to-site tunnel pointing to 10.241.0.0/16? If so, can I create a static route specific to traffic destined for 10.241.0.0 even though this is a policy-based IPsec tunnel and not route-based?

  • FormerMember in reply to Emil Naklicki

    Hi,

    If the remote network overlaps with the static route, can you try to create a more specific static route, or change the route precedence and set VPN routes at the top?

    You can check the route precedence from the console with the following command: system route_precedence show

    For SFOS version 17:
    console> system route_precedence set static policyroute vpn

    For SFOS version 18:
    console> system route_precedence set static sdwan_policyroute vpn

    Thanks,

  • That would have most likely worked, thank you. I instead broke up my routing statements into smaller segments so that the remote network was no longer included, which did fix my issue. It turns out I didn't even require port forwarding for IPsec.
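The fix the original poster settled on (splitting the 10.0.0.0/8 static route into smaller prefixes that no longer contain the 10.241.0.0/16 VPN remote network) can be worked out mechanically. The following is an added example, not code from the thread or from Sophos: it flags static routes that overlap a VPN remote network and computes the minimal set of prefixes that cover the original supernet without the remote network, using only the Python standard library. The route list and the `10.0.0.0/8` / `10.241.0.0/16` values are taken from the thread; the function names are this example's own.

```python
import ipaddress

# Constructed from the thread: one static route covering the whole 10.0.0.0/8
# toward the core switch, and the policy-based IPsec remote network inside it.
STATIC_ROUTES = ["10.0.0.0/8", "192.168.50.0/24"]   # second entry is a made-up filler
VPN_REMOTE = "10.241.0.0/16"


def overlapping_static_routes(static_routes, vpn_remote):
    """Return the static routes that contain or intersect the VPN remote network.

    When the firewall's route precedence puts 'static' ahead of 'vpn', any
    static route that covers the remote network will attract that traffic,
    which is the behaviour the original poster saw (packets bounced to the switch).
    """
    remote = ipaddress.ip_network(vpn_remote, strict=True)
    return [r for r in static_routes
            if ipaddress.ip_network(r, strict=True).overlaps(remote)]


def split_around(supernet, excluded):
    """Minimal list of prefixes covering `supernet` but not `excluded`.

    If `excluded` is not inside `supernet`, the supernet is returned unchanged.
    Uses ipaddress.address_exclude, which yields the sibling prefix at each
    bit of the excluded network's prefix length below the supernet.
    """
    net = ipaddress.ip_network(supernet, strict=True)
    ex = ipaddress.ip_network(excluded, strict=True)
    if not ex.subnet_of(net):
        return [str(net)]
    return [str(n) for n in sorted(net.address_exclude(ex))]


def replacement_static_routes(static_routes, vpn_remote):
    """Rewrite the static route list so no entry contains the VPN remote network."""
    out = []
    for r in static_routes:
        if r in overlapping_static_routes([r], vpn_remote):
            out.extend(split_around(r, vpn_remote))
        else:
            out.append(r)
    return out


if __name__ == "__main__":
    print("overlapping:", overlapping_static_routes(STATIC_ROUTES, VPN_REMOTE))
    for p in replacement_static_routes(STATIC_ROUTES, VPN_REMOTE):
        print(p)
```

For the thread's values this yields eight prefixes in place of 10.0.0.0/8 (10.0.0.0/9, 10.128.0.0/10, 10.192.0.0/11, 10.224.0.0/12, 10.240.0.0/16, 10.242.0.0/15, 10.244.0.0/14, 10.248.0.0/13), which together with the VPN remote network exactly cover the original /8. The alternative FormerMember suggests, moving `vpn` ahead of `static` in `system route_precedence`, avoids the rewrite but changes precedence for every VPN route on the box, so the split is the narrower change.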