No traffic over IPSec S2S with NAT applied

Hi all,

I followed the guide below for an S2S tunnel with NAT applied on only one side.

Sophos XG Firewall: How to apply NAT over a Site-to-Site IPsec VPN connection

I can't seem to get this working properly.
When I run a packet capture and start a ping from the internal server to the other side, it does not enter the tunnel.

Below some details:

Subnets are changed for privacy reasons

Details XG (applied NAT):

  • Local subnet: 192.168.82.0/24 (in use on other side)
  • Local IP: 192.168.82.10/24 (other side is connecting to this host)
  • Local NATed subnet: 10.144.11.0 (this network is suggested by the other party)

Details SG:

  • Local subnets: 10.248.45.0/24 – 10.248.46.0/24 – 10.248.47.0/24
  • Local IP: 10.248.46.17 (this IP connects to 192.168.82.10)

Besides the tunnel and the firewall rule, do I need to create a NAT rule so the internal address (192.168.82.10) gets translated to 10.144.11.x?

I am not sure if this is the way to do it on the XG.

The tunnel is up and should work.

Thanks in advance!

  • Hello there,

    Thank you for contacting the Sophos Community.

    On the VPN, "Local Subnet" would be the fake IP the other side wants to see you as; in this case, it should be 10.144.11.0/24.

    When you select NAT in the IPsec configuration, for the Translated Subnet, under Original Subnet you would select 192.168.82.0/24.

    When pinging the other side, you would ping an IP of the subnet you put under Remote Subnet in the VPN configuration.

    Regards,

  • Hi Emmanuel,

    Thanks for the reply, but traffic coming from 192.168.82.0/24 does not get routed through the tunnel for the subnets in the remote subnet.

    When I run a packet capture and start pinging the remote subnet, it does not leave through the tunnel but stays on the local interface.

    I have 2 more tunnels and they work as expected.

    When I ping a host on the other side, I can see the traffic going out the tunnel and coming back.

    Those 2 tunnels are IKEv2 and the one that is not working is IKEv1. Not sure if this can be the issue, but I think not, because on another Sophos XG I have 6 tunnels (mixed IKE) and they all work as expected.

    Seems more like a routing issue, but I am not sure.
    Routes are created automatically when establishing the tunnel, right?

    This is the only tunnel I have with NAT applied, and it doesn't work.

    Do you have some tips to troubleshoot?

  • Hello Dave,

    Thank you for the follow-up.

    I didn't fully understand your reply. Do you refer to traffic coming from the other side into your 192.168.82.0/24?

    Yes, routes are automatically created. You can check by using # ip route get x.x.x.x (x.x.x.x is the IP of the host you want to get to).

    IKEv2 and IKEv1 shouldn't interfere, but since you are using IKEv2 elsewhere, it might be good to use IKEv2 in this tunnel as well.

    It's also my understanding the other end of the tunnel is a Sophos UTM?

    Regards,

  • Sorry for the confusion, but when I ping the other end and run a packet capture, the ping does not go through the ipsec0 interface but stays on port2 (LAN interface) and does not get forwarded.

    When I ping the other end of another tunnel without NAT applied, it goes through the ipsec0 interface.

    That's why I think it is a routing issue.

    The other end is a UTM, so IKEv2 is not an option.

  • Hello Dave,

    Thank you for the clarification.

    Did you get a chance to run the command # ip route get x.x.x.x?

    What is the output?

    Regards,

  • I ran the command; below is the result:

    10.248.46.17 dev ipsec0 table 220 src 169.254.234.5 uid 0
    cache

    Below is the result for an IP that is also connected through S2S:

    192.168.6.51 dev ipsec0 table 220 src 192.168.82.254 uid 0
    cache

    Why is the source an APIPA address?

  • Hello Dave,

    ipsec0 has an APIPA address by default; you can see this by running ifconfig.

    If 10.248.46.17 is part of the subnet set under Remote Subnet on the VPN Configuration, please open a support ticket to get this investigated further.

    Also, check that you don't have any firewall bypass associated with this subnet by running the following command from the console:

    console> show advanced-firewall

    Regards,
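The thread's diagnostic step is to compare the `ip route get` answer for the NAT tunnel against the answer for a working tunnel: both leave via ipsec0 in table 220, but only the NAT tunnel's route carries a link-local (169.254.x.x) source. The script below is an added example, not part of the thread or of Sophos' tooling: it parses `ip route get` output in the shape shown above, classifies each route by egress interface and source address, and maps a host from the original subnet to the NAT'd subnet so the expected "fake" address (192.168.82.10 seen as 10.144.11.10) can be checked against what the peer pings. The sample output and subnets are the poster's anonymised values; the assumption that the one-to-one subnet NAT keeps the host bits is a netmap-style assumption, not something the thread states.

```python
"""Classify `ip route get` answers while troubleshooting NAT over an IPsec S2S tunnel."""
import ipaddress
import re

# Constructed sample, shaped like the two `ip route get` answers quoted in the thread:
# first the NAT tunnel (link-local source), then a working tunnel without NAT.
SAMPLE_OUTPUT = """\
10.248.46.17 dev ipsec0 table 220 src 169.254.234.5 uid 0
    cache
192.168.6.51 dev ipsec0 table 220 src 192.168.82.254 uid 0
    cache
"""

# Subnets from the thread (anonymised by the poster).
LOCAL_SUBNET = ipaddress.ip_network("192.168.82.0/24")  # real LAN behind the XG
NAT_SUBNET = ipaddress.ip_network("10.144.11.0/24")     # subnet the peer expects to see
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")     # APIPA range used by ipsec0

# "<dst> dev <dev> [table <n>] src <src> ..." ; the trailing "cache" line never matches.
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+table\s+(?P<table>\S+))?"
    r"\s+src\s+(?P<src>\S+)"
)


def parse_route_get(text):
    """Return one dict per route answer line; destination and source become ip_address objects."""
    routes = []
    for line in text.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match:
            continue  # skips the indented "cache" line and anything unparsable
        route = match.groupdict()
        route["dst"] = ipaddress.ip_address(route["dst"])
        route["src"] = ipaddress.ip_address(route["src"])
        routes.append(route)
    return routes


def classify_route(route, local_subnet=LOCAL_SUBNET, nat_subnet=NAT_SUBNET):
    """Say which interface the kernel picked and where the chosen source address comes from."""
    if not route["dev"].startswith("ipsec"):
        return "not-via-ipsec"          # traffic would stay on the LAN side, as in the poster's capture
    src = route["src"]
    if src in local_subnet:
        return "ipsec-src-local"        # the working tunnel in the thread
    if src in nat_subnet:
        return "ipsec-src-nat"          # a source already inside the translated range
    if src in LINK_LOCAL:
        return "ipsec-src-link-local"   # the NAT tunnel in the thread: APIPA source
    return "ipsec-src-other"


def translate_host(addr, original=LOCAL_SUBNET, translated=NAT_SUBNET):
    """Map a host from the original subnet into the translated subnet, keeping the host bits
    (assumption: the one-to-one subnet NAT behaves like netmap)."""
    addr = ipaddress.ip_address(addr)
    if addr not in original:
        raise ValueError(f"{addr} is not in {original}")
    if original.prefixlen != translated.prefixlen:
        raise ValueError("one-to-one subnet NAT needs equal prefix lengths")
    host_bits = int(addr) - int(original.network_address)
    return ipaddress.ip_address(int(translated.network_address) + host_bits)


def report(text):
    """(destination, classification) for every route answer in the captured text."""
    return [(str(r["dst"]), classify_route(r)) for r in parse_route_get(text)]


if __name__ == "__main__":
    for dst, verdict in report(SAMPLE_OUTPUT):
        print(f"{dst:>16}  {verdict}")
    print("192.168.82.10 should appear to the peer as", translate_host("192.168.82.10"))
```

Run it against the pasted console output; a route that reports `ipsec-src-link-local` next to a working tunnel reporting `ipsec-src-local` reproduces the difference the poster saw, which is the point to take to the support ticket the last reply asks for.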