
Firewall Traffic gets routed in full-tunnel IPsec VPN

Hi there,

Since we upgraded our XG to 18.0.4, we have had an issue with traffic (e.g. DNS / ICMP) originating from the firewall itself.

We have a full-tunnel IPsec VPN configured for all client subnets to our data center, and it seems that routing for the firewall itself is broken now.

SG230_WP02_SFOS 18.0.4 MR-4# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

------------

SG230_WP02_SFOS 18.0.4 MR-4# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
1 x.x.x.x (IP of Remote VPN-Gateway) 11.644 ms * *
2 * * *
3 * x.x.x.x (IP of Remote VPN-Gateway) 11.576 ms 37.854 ms

------------

SG230_WP02_SFOS 18.0.4 MR-4# nslookup www.google.de
;; connection timed out; no servers could be reached

------------

I know there is a KB article (Sophos XG Firewall: How to Route Sophos Firewall Initiated Traffic Through an IPSec VPN tunnel), but my issue is the exact opposite.
I do not have any rules like those described configured.
------------

Edit: Output of route lookup:

Route lookup Result
8.8.8.8 is located on the ipsec0
8.8.8.8 is not behind a router.

------------

Anybody had similar issues or any idea how to solve this?

Thanks



This thread was automatically locked due to age.
  • Hi: Thank you for reaching out to the Sophos community team. What is the route precedence set on the XG as of now?

    The default route precedence in 18.0 is set to static, SD-WAN policy routes, and VPN. Can you please check the KBA below for the reference steps and set the route precedence to its default V18 settings, if it is not set.
     
    https://support.sophos.com/support/s/article/KB-000037964?language=en_US

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringRoutePrecedence.html


    Note: You may test it in odd hours for safer side to avoid any outage or issue.

  • console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

  • I get your point, but why would I need to configure NAT rules for firewall-initiated traffic?

    We had those "sys-traffic-nat" CLI commands for that earlier - are they obsolete now?

    Regarding the packet capture - why is the firewall even initiating the traffic from the LAN interface, when the shortest way would be to initiate it from the WAN interface?

    By the way:

    Of course I do have a default NAT rule:

  • I did run the same ip commands as you. They look different:

    SG230_WP02_SFOS 18.0.4 MR-4# ip route get 8.8.8.8
    8.8.8.8 dev ipsec0 table 220 src 10.64.0.1 uid 0
    cache


    SG230_WP02_SFOS 18.0.4 MR-4# ip rule list
    0: from all lookup local
    50: from all lookup main
    51: from all fwmark 0x4001 lookup gw1
    52: from all fwmark 0x200 lookup routeipsec0
    150: from all fwmark 0x8001 lookup gw1
    151: from 172.16.64.148 lookup wanlink1
    220: from all iif lo lookup 220
    221: from all lookup multilink
    32766: from all lookup main
    32767: from all lookup default


    SG230_WP02_SFOS 18.0.4 MR-4# ip route show table 0
    default via 172.16.64.145 dev PortE1 table wanlink1 proto static src 172.16.64.148
    prohibit default table wanlink1 proto static metric 1
    default via 172.16.64.145 dev PortE1 table gw1 proto static
    prohibit default table gw1 proto static metric 1
    default dev ipsec0 table routeipsec0 scope link
    default via 172.16.64.145 dev PortE1 table multilink proto static
    default dev ipsec0 table 220 scope link src 10.64.0.1 <-maybe this is the issue?
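
The `ip route get` result in the post above follows directly from the rule list and the tables: a packet generated by the firewall carries `iif lo`, the main table holds no default route, the fwmark rules do not apply, and so rule 220 sends it to table 220, whose only entry is `default dev ipsec0`. The script below is an added example (not code from this thread or from Sophos) that replays that policy-routing lookup offline in Python. It parses the `ip rule list` and `ip route show table 0` output quoted above as constructed input; the contents of the main table (`PortA1`, `10.64.0.0/21`, the `172.16.64.144/29` WAN subnet) are assumptions, since the post does not print them, and the matching is simplified to longest prefix, lowest metric, `iif`, `fwmark` and `from` (no `suppress_prefixlength`, scope or `local` table handling).

```python
"""Offline replay of the Linux policy-routing lookup (`ip rule` + `ip route`).

Added example, not the thread's or Sophos' own code. It parses the rule list
and route tables quoted in the post (constructed input; the main-table
entries are assumed) and walks them the way the kernel does, to show why a
firewall-originated packet to 8.8.8.8 lands on ipsec0 via table 220.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the `ip rule list` output from the post.
IP_RULE_LIST = """\
0: from all lookup local
50: from all lookup main
51: from all fwmark 0x4001 lookup gw1
52: from all fwmark 0x200 lookup routeipsec0
150: from all fwmark 0x8001 lookup gw1
151: from 172.16.64.148 lookup wanlink1
220: from all iif lo lookup 220
221: from all lookup multilink
32766: from all lookup main
32767: from all lookup default
"""

# Constructed input: the `ip route show table 0` output from the post.
ROUTE_TABLE_0 = """\
default via 172.16.64.145 dev PortE1 table wanlink1 proto static src 172.16.64.148
prohibit default table wanlink1 proto static metric 1
default via 172.16.64.145 dev PortE1 table gw1 proto static
prohibit default table gw1 proto static metric 1
default dev ipsec0 table routeipsec0 scope link
default via 172.16.64.145 dev PortE1 table multilink proto static
default dev ipsec0 table 220 scope link src 10.64.0.1
"""

# Assumption: the main table holds only the connected subnets (interface
# names and the WAN subnet are made up for the example); it has no default.
MAIN_TABLE = """\
10.64.0.0/21 dev PortA1 table main scope link src 10.64.0.1
172.16.64.144/29 dev PortE1 table main scope link src 172.16.64.148
"""


@dataclass
class Rule:
    prio: int
    src: ipaddress.IPv4Network      # "from all" -> 0.0.0.0/0
    iif: Optional[str]
    fwmark: Optional[int]
    table: str


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # "default" -> 0.0.0.0/0
    table: str
    dev: Optional[str]
    metric: int
    prohibit: bool


def parse_rules(text: str) -> list:
    """Parse `ip rule list` lines into Rule objects sorted by priority."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        prio = int(tok[0].rstrip(":"))
        src, iif, mark, table = ipaddress.ip_network("0.0.0.0/0"), None, None, None
        for key, val in zip(tok[1::2], tok[2::2]):
            if key == "from" and val != "all":
                src = ipaddress.ip_network(val, strict=False)
            elif key == "iif":
                iif = val
            elif key == "fwmark":
                mark = int(val, 16)
            elif key == "lookup":
                table = val
        rules.append(Rule(prio, src, iif, mark, table))
    return sorted(rules, key=lambda r: r.prio)


def parse_routes(text: str) -> dict:
    """Parse `ip route show table 0` lines, grouped by table name."""
    tables = {}
    for line in text.splitlines():
        tok = line.split()
        prohibit = tok[0] == "prohibit"
        if prohibit:
            tok = tok[1:]
        prefix = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        attrs = dict(zip(tok[1::2], tok[2::2]))
        route = Route(prefix, attrs.get("table", "main"), attrs.get("dev"),
                      int(attrs.get("metric", 0)), prohibit)
        tables.setdefault(route.table, []).append(route)
    return tables


def lookup(tables: dict, name: str, dst) -> Optional[Route]:
    """Longest-prefix match inside one table; the lower metric wins on ties."""
    hits = [r for r in tables.get(name, []) if dst in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None


def resolve(rules, tables, dst, iif="lo", fwmark=0, src=None):
    """Walk the policy DB in priority order, as the kernel does.

    iif="lo" is what locally generated traffic (and `ip route get` with no
    iif) is matched with, so `iif lo` rules are the ones that catch it.
    Returns (rule priority, table, egress device or "prohibit") or None.
    """
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.iif is not None and rule.iif != iif:
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        if rule.src.prefixlen and (src is None or ipaddress.ip_address(src) not in rule.src):
            continue
        route = lookup(tables, rule.table, dst)
        if route is None:
            continue          # no prefix in that table: fall through to the next rule
        return rule.prio, rule.table, "prohibit" if route.prohibit else route.dev
    return None


def build():
    return parse_rules(IP_RULE_LIST), parse_routes(ROUTE_TABLE_0 + MAIN_TABLE)


def without_default_in_220(tables: dict) -> dict:
    """What-if: table 220 holds only specific remote networks, no default route."""
    t = {k: list(v) for k, v in tables.items()}
    t["220"] = [r for r in t["220"] if r.prefix.prefixlen > 0]
    return t


if __name__ == "__main__":
    rules, tables = build()
    print("firewall-originated:", resolve(rules, tables, "8.8.8.8"))            # via table 220 -> ipsec0
    print("fwmark 0x8001:      ", resolve(rules, tables, "8.8.8.8", fwmark=0x8001))
    print("no default in 220:  ", resolve(rules, without_default_in_220(tables), "8.8.8.8"))
```

Run as-is it prints the path for each case: firewall-originated traffic resolves through rule 220 to `ipsec0`, exactly as `ip route get 8.8.8.8` reported; a packet marked `0x8001` takes `gw1` to `PortE1` (the `prohibit` entry in that table loses on metric); and if table 220 had no default route, the same lookup would fall through to rule 221 (`multilink`) and leave via `PortE1`. That last case is the point made later in the thread about what table 220 normally contains: with a remote subnet of 0.0.0.0/0 the tunnel installs a default route there, and that route is what captures traffic the firewall itself originates.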

  • So you have a NAT route. That's good.

    What does

    ip route show table wanlink1

    show you?

    And what happens if you edit and re-save the config of PortE1 without a change? Be aware of a VPN reconnect.

  • "default dev ipsec0 table 220 scope link src 10.64.0.1 <-maybe this is the issue?"

    That is the cause of your issue.

    Edit: but this is only for table 220 - the IPSec Networks (ip route show table 220 (don't post the result))

  • SG230_WP02_SFOS 18.0.4 MR-4# ip route show table wanlink1
    default via 172.16.64.145 dev PortE1 proto static src 172.16.64.148
    prohibit default proto static metric 1

    Re-saving the interface configuration had no effect. Traffic is still routed into the tunnel.

  • I think there is nothing sensitive in it:
    SG230_WP02_SFOS 18.0.4 MR-4# ip route show table 220
    default dev ipsec0 scope link src 10.64.0.1

    Any thoughts on what to check or try next?

  • 220 should print out all remote networks of your IPSec tunnel. But maybe in your case you do not need access from there to remote networks (e.g. HQ networks), only the other way around. So it may be empty.

    The only difference in your config I could find is the routing precedence:

    Default routing Precedence:
    1.  SD-WAN policy routes
    2.  VPN routes
    3.  Static routes

    yours:
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

    We have no SD-WANs

    We have VPN routes (but only to the 220 networks, no WAN routes)

    -> system ipsec_route show

    You say your static routes are empty. And so are ours.

    It's worth a try to change that precedence.

    Maybe you can have a review of your NAT/SNAT config?

  • And please be sure that you don't have a bad SNAT here:

    console> show advanced-firewall

    ...

    NAT policy for system originated traffic
    ---------------------
    Destination Network Destination Netmask Interface SNAT IP

    interesting stuff here

  • I am not sure right now which will be applied first: if you change the traffic via a NAT rule, whether the traffic will hit the ipsec0 interface, or whether the routing decision will be applied after the NAT. I assume it is the NAT part. Having said that, this is rather a problematic construct, as the firewall is doing what you tell the firewall to do. It NATs the traffic to ANY into the tunnel.

    I would assume you should think about the setup in the first place: does the remote subnet have to be ANY, or can it be more specific?

  • One thing to point out: we do not apply NAT to any traffic in the tunnel.

    We have a local subnet 10.64.0.0/21 and the remote subnet is any or 0.0.0.0/0 - no NAT applied.

    We need the full tunnel because web security is currently applied in the HQ.

    The only NAT rule I have is from LAN to WAN zone, for direct internet access if the tunnel fails.

