XG IPSEC Site-to-Site Nat

Hi

I'm having a hard time trying to configure a site-to-site VPN with the head office. We have the same local network. There they have a FortiGate. We were able to successfully connect the VPN. From there it is possible to ping and access my network, but from here, where the Sophos XG is (18.0.4 MR-4), I'm unable to ping the head office.

I've followed the KB Sophos XG Firewall: How to apply NAT over a Site-to-Site IPsec VPN connection and this documentation about VPNs between Sophos and FortiGate: Establish IPsec VPN Connection Between Sophos and Fortigate with IKEv2

The firewall rules were configured as the documentation shows.


Here's the tunnel configuration.

Despite our best efforts the traffic does not flow through the VPN. It seems to be flowing through the WAN. I've read some similar topics, but I still haven't figured out what's wrong. Can someone help us understand what is missing?



  • Hello there,

    Thank you for contacting the Sophos Community.

    Make sure the Original Subnet is your Local XG subnet.

    Just to confirm, are you trying to ping a host IP within the Remote Subnet (HRTN_NATed_LAN)?

    So for example, if the subnet that is overlapping is 172.16.0.0/24 and the Remote Subnet HRTN_NATed_LAN is 192.168.17.0/24, you should be pinging 192.168.17.x

    If you are doing this and the ping is going out the WAN, try running the following from the Advanced Shell:

    #ip route get 192.168.17.X (substitute the IP you are trying to ping in the Remote Subnet)

    Make sure the SA between the Local Subnet and Remote Subnet is green.

    Do a Packet capture in the GUI of the XG to confirm where the traffic is going.

    Regards,
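
As an added illustration of the route check suggested above (an example script, not from the Sophos reply or from Sophos documentation): on a Linux-based firewall with policy-based IPsec, `ip route get` reports the ordinary egress interface (the WAN port) even when the packet will later be grabbed by an IPsec policy, so a WAN interface in that output is not by itself proof that the traffic is bypassing the tunnel. The script below pairs the `ip route get` result with the `ip xfrm policy` table and only declares "WAN" when no outbound policy covers the local source and the NATed destination. The command outputs are constructed samples; the interface name Port2, the gateway 203.0.113.1, the peer addresses 203.0.113.5 and 198.51.100.9, and the assumption that XG's IPsec stack exposes its policies through `ip xfrm policy` like stock strongSwan are all assumptions. The subnets 172.16.0.0/24 and 192.168.17.0/24 are the ones quoted in the reply.

```shell
#!/bin/sh
# Added example (not Sophos code). Decide whether a ping to the NATed remote
# subnet will be encapsulated by IPsec or leave the WAN in the clear, from the
# output of `ip route get` and `ip xfrm policy`.
# On a real box replace the constructed samples with:
#   SAMPLE_ROUTE=$(ip route get "$REMOTE")   SAMPLE_XFRM=$(ip xfrm policy)
# Interface Port2, gateway 203.0.113.1 and the peer addresses are assumptions.

SAMPLE_ROUTE='192.168.17.10 via 203.0.113.1 dev Port2 src 203.0.113.5 uid 0
    cache'

SAMPLE_XFRM='src 172.16.0.0/24 dst 192.168.17.0/24
	dir out priority 371327 ptype main
	tmpl src 203.0.113.5 dst 198.51.100.9
		proto esp reqid 1 mode tunnel
src 192.168.17.0/24 dst 172.16.0.0/24
	dir in priority 371327 ptype main
	tmpl src 198.51.100.9 dst 203.0.113.5
		proto esp reqid 1 mode tunnel'

# dotted-quad -> integer (POSIX sh, no bashisms)
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr IP CIDR -> success if IP lies inside CIDR (a bare IP counts as /32)
in_cidr() {
  case "$2" in */*) bits=${2#*/} ;; *) bits=32 ;; esac
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# route_dev ROUTE_OUTPUT -> prints the interface `ip route get` chose
route_dev() {
  printf '%s\n' "$1" |
    awk 'NR==1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# tunnel_policy_for LOCAL_IP REMOTE_IP XFRM_OUTPUT
# Prints "src -> dst" of the first outbound xfrm policy covering the pair and
# succeeds; fails if no outbound policy matches (traffic would not be encrypted).
tunnel_policy_for() {
  lip=$1; rip=$2; psrc=""; pdst=""
  while read -r k1 v1 k2 v2 rest; do
    case "$k1 $k2" in
      "src dst") psrc=$v1; pdst=$v2 ;;            # selector line
      "dir "*)                                    # direction line for that selector
        if [ "$v1" = out ] && in_cidr "$lip" "$psrc" && in_cidr "$rip" "$pdst"; then
          echo "$psrc -> $pdst"; return 0
        fi ;;
    esac
  done <<EOF
$3
EOF
  return 1
}

# check_dest LOCAL_IP REMOTE_IP ROUTE_OUTPUT XFRM_OUTPUT -> one-line verdict
check_dest() {
  dev=$(route_dev "$3")
  if pol=$(tunnel_policy_for "$1" "$2" "$4"); then
    echo "TUNNEL: $2 is covered by outbound IPsec policy $pol (route says dev $dev, which is normal for policy-based IPsec)"
  else
    echo "WAN: no outbound IPsec policy covers $1 -> $2; traffic leaves dev $dev unencrypted"
  fi
}

# Usage with the constructed samples: the NATed address is tunnelled, the
# overlapping real address is not.
check_dest 172.16.0.5 192.168.17.10 "$SAMPLE_ROUTE" "$SAMPLE_XFRM"
check_dest 172.16.0.5 172.16.0.10  "$SAMPLE_ROUTE" "$SAMPLE_XFRM"
```

The second call shows the failure mode the thread is about: pinging a host by its real overlapping address (172.16.0.x) never matches the outbound policy, because the tunnel selector only covers the NATed subnet, so the packet either stays local or leaves the WAN. Pairing this with the GUI packet capture, filtered on the NATed destination, tells you whether ESP is actually being emitted.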

  • Thanks for the answer. I was pinging the NATed IP. But, thankfully, things were solved. It appears the problem was on the FortiGate side, as the administrator from the head office just told me "Try now. It should work." And it did. Sorry for not knowing what was changed there. The guy is really busy (Covid-19 chaos in Brazil related things. Health care...). It could be helpful to someone else with similar problems.

  • Hello Maurilio,

    Thank you for the follow-up and for mentioning where the issue was. Have a good rest of your day and stay safe.

    Regards,