No hits on firewall rule for connections from Sophos Connect to VPN zone

I try to connect to a customer's XG firewall with Sophos Connect IPsec. That XG is connected to another XG with default IKEv2 Profile via Site-to-Site VPN.

In the SCC configuration I added the first XG's LAN range as well as the second XG's LAN range. The S2S tunnel has the IPsec RAS range in its configuration. I even tried it with "Tunnel All". I can't reach the second XG's LAN network, and the firewall rule for those connections doesn't get a single hit on the first XG.

I set a "VPN - VPN Any" rule, since I normally work with more specific rules, but no luck with that either.
If I use the Sophos SSL client instead, the connection to the second XG's LAN is no problem.

Is that a SCC specific problem or what am I thinking wrong here?



  • Hello Kerobra,

    Thank you for contacting the Sophos Community.

    So in the IPsec tunnel you have the SCC IP range, and in the SCC Allowed Networks you have the other end of the tunnel's IP range?

    Is the SA for the SCC IP range up in both XGs?

    Try doing a tcpdump on XG1 to see where the traffic goes when you are pinging the LAN IP of the other XG.

    Regards,

  • Hi Emmanuel,

    I already wrote to H_Patel who contacted me via PM. I have absolutely no idea what went wrong yesterday but today everything is fine. The packets now come from ipsec0 and leave FW1 through the WAN port where the site-to-site connection is located. Yesterday the exact same test did not produce any hit in the FW log and my ping test timed out.

    Since I simply can't accept things like this, I did a bit more researching. Nothing was changed on the firewall side, only in the SCX with Sophos Connect Admin. When I select "Tunnel All" I cannot reach the network behind firewall 2. If I only configure both LAN networks, I can.

    I guess yesterday my failure was first on the firewall ruleset side (IPsec RAS network not on the remote firewall).
    I then changed the SCX to "Tunnel All" and after that I fixed the firewall ruleset. Still no luck with reaching the remote LAN.

    Today I freshly imported the SCX from the firewall where only the two LAN networks are included.
    So the test today was changed a bit compared to the last one yesterday.

    If I select "Tunnel All", the 192.168.100.0/24 network is not reachable anymore, only the 192.168.123.0/24 network.
    If I replace "Tunnel All" with the two networks, both are reachable.

    From the firewall's perspective this makes absolutely no sense to me.

  • Here is a quick overview of the two firewalls and networks.
