
IPSec VPN can't reach network

Hey there,

I've configured an IPSec Remote Access. I can connect the client to the VPN and I'm also able to ping the firewall over the VPN, but I'm not able to ping a host in the VPN network. I'm also able to reach the Internet over the VPN tunnel.

If I do a tcpdump I can see that the host in the VPN network is answering the ping from the client.

SFV2C4MSP_SO01_SFOS 18.0.4 MR-4# tcpdump 'host 172.19.20.100' and 'host 10.0.1.20'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
17:18:44.682144 ipsec0, IN: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 120, length 40
17:18:44.683509 Port1, OUT: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 120, length 40
17:18:44.684125 Port1, IN: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 120, length 40
17:18:44.697183 Port2, OUT: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 120, length 40
17:18:49.345167 ipsec0, IN: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 121, length 40
17:18:49.345426 Port1, OUT: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 121, length 40
17:18:49.345878 Port1, IN: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 121, length 40
17:18:49.346036 Port2, OUT: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 121, length 40
17:18:54.357964 ipsec0, IN: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 122, length 40
17:18:54.358213 Port1, OUT: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 122, length 40
17:18:54.358629 Port1, IN: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 122, length 40
17:18:54.358853 Port2, OUT: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 122, length 40

10.0.1.20 is a server in the VPN network which I can't reach; 172.19.20.100 is the VPN client.

On the Client I get a simple timeout message.

This is my VPN Config:

Routing table of the XG:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        *               255.255.255.0   U     0      0        0 Port1
10.0.2.0        *               255.255.255.0   U     0      0        0 Port3
10.0.3.0        *               255.255.255.0   U     0      0        0 Port4
10.0.4.0        *               255.255.255.0   U     0      0        0 Port5
10.0.222.0      *               255.255.255.0   U     0      0        0 tun0
10.100.100.0    *               255.255.255.0   U     0      0        0 xfrm5
10.100.203.0    *               255.255.255.252 U     0      0        0 xfrm9
10.200.201.0    *               255.255.255.252 U     0      0        0 xfrm8
10.255.0.0      *               255.255.255.0   U     0      0        0 GuestAP
<WAN-IP NET>      *               255.255.255.0   U     0      0        0 Port6
<WAN-IP NET>    *               255.255.255.0   U     0      0        0 Port2
192.168.1.0     10.100.100.1    255.255.255.0   UG    0      0        0 xfrm5
192.168.5.0     10.100.203.2    255.255.255.0   UG    0      0        0 xfrm9
192.168.104.0   10.100.100.1    255.255.255.0   UG    0      0        0 xfrm5

I also tried to create an any/any firewall rule to check whether I had got a firewall rule wrong, but it didn't change anything.

Any idea how I can get this to work? Thanks!

Dennis
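In the capture quoted in the post, every echo request arrives on ipsec0 but its reply leaves on Port2 (one of the WAN ports in the routing table), so the reply never re-enters the tunnel; note also that the routing table lists no route for the 172.19.20.0/24 client range. As an added example that is not part of the thread, the following Python checker parses XG-style tcpdump lines and flags every echo exchange whose reply goes out on a different interface than the one its request came in on. The sample input is the seq-120 exchange from the post plus a constructed healthy exchange where the reply goes back out via ipsec0.

```python
import re

# Sample input: the seq-120 ICMP lines from the tcpdump quoted in the post,
# plus a constructed "healthy" exchange in which the reply leaves via ipsec0.
POST_CAPTURE = """\
17:18:44.682144 ipsec0, IN: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 120, length 40
17:18:44.683509 Port1, OUT: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 120, length 40
17:18:44.684125 Port1, IN: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 120, length 40
17:18:44.697183 Port2, OUT: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 120, length 40
"""
HEALTHY_CAPTURE = """\
17:20:00.000100 ipsec0, IN: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 200, length 40
17:20:00.000200 Port1, OUT: IP 172.19.20.100 > 10.0.1.20: ICMP echo request, id 1, seq 200, length 40
17:20:00.000600 Port1, IN: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 200, length 40
17:20:00.000800 ipsec0, OUT: IP 10.0.1.20 > 172.19.20.100: ICMP echo reply, id 1, seq 200, length 40
"""

# One XG tcpdump line: "<time> <iface>, <IN|OUT>: IP <src> > <dst>: ICMP echo <kind>, id N, seq N, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"ICMP echo (?P<kind>request|reply),\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

def parse(capture):
    """Yield one dict per ICMP echo line; non-matching lines (tcpdump banner etc.) are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            yield d

def find_asymmetric(capture):
    """Return (id, seq, in_iface, out_iface) for every echo whose reply left the
    firewall on a different interface than the one the request arrived on."""
    ingress = {}  # (id, seq) -> interface the request came IN on
    problems = []
    for e in parse(capture):
        key = (e["id"], e["seq"])
        if e["kind"] == "request" and e["dir"] == "IN":
            ingress[key] = e["iface"]
        elif e["kind"] == "reply" and e["dir"] == "OUT":
            in_iface = ingress.get(key)
            if in_iface is not None and in_iface != e["iface"]:
                problems.append((e["id"], e["seq"], in_iface, e["iface"]))
    return problems

if __name__ == "__main__":
    for bad in find_asymmetric(POST_CAPTURE):
        print("id %d seq %d: request in via %s, reply out via %s" % bad)
```

Feed it the full tcpdump output and an empty result means every reply went back out the interface it came in on; any hit points at the return route to check for that client range.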



This thread was automatically locked due to age.