
I have a problem connecting several VLANs from one remote site with an XG Firewall to several VLANs at a central site with a pfSense firewall

I have a Site A (remote) using a pfSense firewall with several VLANs. The central site is also using a pfSense as firewall. Every site has several VLANs, and both have public IPs.

The VPN is already working, but they need to replace the pfSense at the remote site with an XG Firewall in order to connect with the pfSense at the central site.

Both sites have a public IP address and use a PPPoE connection from an Internet provider, with a VLAN on the WAN port with a VLAN ID...

The image shows the remote site configuration (working), and we want to replace this pfSense with an XG Firewall (you can see there are several VLANs from the remote site connected to the central site).

Trying to connect a VLAN from A (192.168.31x) to several VLANs from B (192.168.10.x, 192.168.20.x, 192.168.3.x), as in the picture above, in one IPsec connection with one IPsec policy, I can only connect one VLAN from A to one VLAN from B.

In site A I declare the VLAN needed from site A (remote, XG Firewall) to connect to the VLANs in site B (central, pfSense). I also include the firewall rules for the inbound and outbound traffic to the central site.

The configuration is as follows:

The XG Firewall connects to the remote site pfSense, and the result shows only one connection.

I already tried several ways to connect multiple VLANs between an XG Firewall and another XG Firewall in a laboratory, using the same configuration, and I had no problems, also with more VLANs on both sides.

The pfSense uses several VLANs as remote and local, and as I mentioned the VPN is already working, and the need is to use one XG Firewall at the remote site...

Since the one VLAN from the remote site (XG Firewall) is connected to a VLAN in the central site, I suppose the configuration for the IPs of F1 and F2 and the PSK is correct, but I can't get all VLANs connected...

Where can the error be?

  • FormerMember

    Hi,

    Thanks for reaching out, and welcome to the Sophos Community! 

    The configuration looks fine on your firewall. It looks like you configured a policy-based IPsec VPN on the XG firewall. At the moment, only one network on the peer firewall was able to establish the connection. Can you confirm the connection type configured on the peer firewall? Is it a route-based VPN? If the peer firewall supports route-based VPN, try to configure route-based VPN on XG as well, it’ll be much easier to manage. 

    Check out the document for more info: Create a route-based VPN

    Thanks, 

  • Dear Harsh Patel, yes, the pfSense uses a policy-based configuration. As I was searching, the problem is to generate multiple SAs for Phase 2 (one for every network).

    Can anybody indicate how to allow more SAs? (Apparently by deactivating PFS (DH group in Phase 2), but I have no idea if this will work or what else I have to do to achieve a connection as in the first image.)

    Does Sophos support this type of scenario with multiple remote and local networks (multiple Phase 2)?

  • FormerMember in reply to Atilio Servian

    Hi,

    Yes, the XG firewall supports multiple SAs (local and remote). This issue looks to be in the peer firewall configuration. Does it support multiple SAs?

    Thanks,

  • Dear Harsh,

    Yes, the peer FW supports multiple SAs. Please remember the VPN between the two pfSenses exists and is working. We want to replace one side (remote site) with an XG FW, and I can't make it work against the central pfSense site.

    What can be the problem? How to make an XG Firewall work with the pfSense at the other site? Is there something to change or configure to test the connection?

  • FormerMember in reply to Atilio Servian

    Hi,

    If it's not the configuration issue, collect the strongswan logs in debugging while re-connecting the IPsec tunnel and send it to me via personal message. 

    • Steps to put the strongswan service in debug:
      • SSH into the XG firewall by following this KBA: Sophos XG Firewall: How to SSH to the firewall using PuTTY utility
        • To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
        • Select option 5 Device Management.
        • Select option 3 Advanced Shell.
      • To put the strongswan service in debug, type the following command: service strongswan:debug -ds nosync
        • Output
          • SFVUNL_AZ01_SFOS 18.0.3 MR-3# service strongswan:debug -ds nosync
            200 OK
      • Run the following command to check the status of the service: service -S | grep strongswan
        • Output
          • SFVUNL_AZ01_SFOS 18.0.3 MR-3# service -S | grep strongswan
            strongswan RUNNING,DEBUG
      • Note: Run the same command to remove the service from the debug.
    • To check the live logs run the following command from Advanced Shell: tail -f /log/strongswan.log
    • The less command lets you page through the static log files. You can also search for a keyword within the logs by entering /<keyword or string>
      • less /log/strongswan.log
    • The grep command applies a search filter for the keyword within the logs.
      • grep '<Keyword/String>' /log/strongswan.log
      • You could filter logs with the tunnel name if there are multiple IPsec tunnels.

    Thanks,
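    Once the debug log has been collected, the question in this thread is which of the expected Phase 2 (CHILD_SA) pairs actually came up and why the others did not. The following is an added example, not Sophos code or a script from anyone in this thread: it scans strongswan (charon) log lines for CHILD_SA establishment and failure notifies, grouped by tunnel name, and reports the expected local/remote network pairs that never established. The log lines, the tunnel name `Central_VPN`, the peer addresses and the SPIs are constructed samples modelled on the standard charon log format; the prefix in /log/strongswan.log on an XG may differ, so adjust the regular expressions if needed.

```python
import re

# Constructed sample of charon log lines (not real output from this thread's firewalls).
SAMPLE_LOG = """\
Jan 10 10:00:01 12[IKE] <Central_VPN|3> IKE_SA Central_VPN[3] established between 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
Jan 10 10:00:01 12[IKE] <Central_VPN|3> CHILD_SA Central_VPN{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 192.168.31.0/24 === 192.168.10.0/24
Jan 10 10:00:02 13[IKE] <Central_VPN|3> received TS_UNACCEPTABLE notify, no CHILD_SA built
Jan 10 10:00:02 13[IKE] <Central_VPN|3> failed to establish CHILD_SA, keeping IKE_SA
Jan 10 10:00:03 14[IKE] <Central_VPN|3> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jan 10 10:00:05 15[IKE] <Other_VPN|4> CHILD_SA Other_VPN{2} established with SPIs 11111111_i 22222222_o and TS 10.1.0.0/24 === 10.2.0.0/24
"""

# Expected Phase 2 pairs, taken from the poster's description: one VLAN at site A
# to three VLANs at site B. The tunnel name is an assumed placeholder.
EXPECTED = {
    "Central_VPN": [
        ("192.168.31.0/24", "192.168.10.0/24"),
        ("192.168.31.0/24", "192.168.20.0/24"),
        ("192.168.31.0/24", "192.168.3.0/24"),
    ]
}

# A CHILD_SA that came up, with its negotiated traffic selectors (local === remote).
CHILD_OK = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> CHILD_SA \S+ established with SPIs .* and TS "
    r"(?P<local>.+?) === (?P<remote>.+?)\s*$"
)
# A Phase 2 negotiation the peer rejected; the notify name says why
# (e.g. TS_UNACCEPTABLE = traffic selectors/networks do not match the peer's config).
CHILD_FAIL = re.compile(r"<(?P<conn>[^|>]+)\|\d+> received (?P<notify>[A-Z_]+) notify, no CHILD_SA built")


def analyse(log_text, expected):
    """Return, per expected tunnel, the established pairs, the missing pairs and failure notifies."""
    established, failures = {}, {}
    for line in log_text.splitlines():
        m = CHILD_OK.search(line)
        if m:
            established.setdefault(m["conn"], []).append((m["local"], m["remote"]))
            continue
        m = CHILD_FAIL.search(line)
        if m:
            failures.setdefault(m["conn"], []).append(m["notify"])
    report = {}
    for conn, pairs in expected.items():
        got = established.get(conn, [])
        report[conn] = {"established": got,
                        "missing": [p for p in pairs if p not in got],
                        "failures": failures.get(conn, [])}
    return report
```

    Run it against a copy of /log/strongswan.log instead of SAMPLE_LOG; a missing pair next to a TS_UNACCEPTABLE notify points at a local/remote network mismatch on the peer, whereas NO_PROPOSAL_CHOSEN points at a Phase 2 proposal (encryption, authentication or PFS group) mismatch.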