Sophos XG Site-to-Site IPsec to OPNsense and SSL VPN Client Traffic

Hello,

We have a new Sophos XG115 in our office.

I've configured an SSL VPN client with the IP range 10.7.0.0/24 to connect via the SSL client to the office, which is working fine.

We also have a site-to-site IPsec VPN to our cloud OPNsense firewall, which is connected and up.

But if someone on the SSL VPN wants to connect to the cloud firewall, no traffic is possible.

I've set the local IP in the IPsec configuration so that both the LAN and the SSL VPN IP range are routed through the IPsec tunnel.

The SSL VPN also has the remote network configured as an allowed network resource.

As the firewall rule on the Sophos I've done:

Source zone: VPN

Source network: SSL VPN subnet & LAN subnet

Destination zone: VPN

Destination network: subnet of the OPNsense

But I can't get any traffic from the SSL VPN into the IPsec tunnel.

Any suggestions?



This thread was automatically locked due to age.
  • FormerMember

    Hi Timo, thanks for reaching out to Sophos Community.

    From the description, the configuration seems proper. However, verify it with this article: https://support.sophos.com/support/s/article/KB-000038320?language=en_US

    Then check the packet capture on the GUI to verify the traffic flow.

    Navigate to Diagnostics > Packet Capture > Configure > Enter BPF String > `host x.x.x.x and proto 1` (replace x.x.x.x with the IP you're trying to ping).

    Save the capture, enable it and run a ping from a source device connected via SSL VPN. Refresh and check whether the XG sends the traffic arriving from the SSL VPN tunnel (tun0) into the IPsec tunnel (ipsec0).

    Make sure to configure OPNsense with the SSL VPN network range in the remote subnets under IPsec VPN.
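The reply above describes three checks: build a BPF filter for the ping target, confirm in the capture that each echo request seen on tun0 reappears on ipsec0, and confirm the SSL VPN pool is part of the IPsec phase 2 selectors on both ends. The script below is an added example that automates those checks over a constructed capture export; it is not Sophos or OPNsense code. The capture line format, the LAN and cloud subnets (192.168.1.0/24 and 10.20.0.0/24), the peer address 203.0.113.10 and the rule representation are all assumptions for the example; only the 10.7.0.0/24 SSL VPN pool comes from the thread. The last function goes a step beyond the reply and checks a simplified model of the remote firewall's inbound rules for what IPsec itself needs (UDP/500, UDP/4500 and ESP), which is the kind of gap the original poster ultimately found.

```python
"""Diagnose why SSL VPN clients cannot reach a site-to-site IPsec peer.

Added example, not Sophos or OPNsense code. Capture text, subnets, peer
address and the firewall-rule model are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

SSL_VPN_POOL = ipaddress.ip_network("10.7.0.0/24")   # from the thread
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # assumption
CLOUD_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumption (OPNsense side)

# Constructed capture export: "<iface> <src> > <dst> ICMP echo request id=N seq=M".
# The real XG GUI export looks different; this is only a stand-in for the example.
SAMPLE_CAPTURE = """\
tun0   10.7.0.5 > 10.20.0.10 ICMP echo request id=1 seq=1
ipsec0 10.7.0.5 > 10.20.0.10 ICMP echo request id=1 seq=1
tun0   10.7.0.5 > 10.20.0.10 ICMP echo request id=1 seq=2
tun0   10.7.0.9 > 10.20.0.10 ICMP echo request id=2 seq=1
"""

CAPTURE_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+) "
    r"ICMP echo request id=(?P<id>\d+) seq=(?P<seq>\d+)$"
)


def bpf_filter(host: str) -> str:
    """The BPF string the reply suggests: ICMP (proto 1) to or from the ping target."""
    return f"host {host} and proto 1"


def parse_capture(text: str) -> dict:
    """Map each echo request (src, dst, id, seq) to the set of interfaces it was seen on."""
    flows = defaultdict(set)
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line.strip())
        if m:
            key = (m["src"], m["dst"], int(m["id"]), int(m["seq"]))
            flows[key].add(m["iface"])
    return flows


def not_forwarded(text: str, ingress: str = "tun0", egress: str = "ipsec0") -> list:
    """Echo requests that entered on the SSL VPN interface but never left via IPsec."""
    flows = parse_capture(text)
    return sorted(k for k, ifaces in flows.items()
                  if ingress in ifaces and egress not in ifaces)


def phase2_covers(src: str, dst: str, local_nets, remote_nets) -> bool:
    """True if a src->dst pair matches the IPsec phase 2 (local, remote) selectors.
    The SSL VPN pool must be in the local set on the XG and in the remote set on OPNsense."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in local_nets) and any(d in n for n in remote_nets)


# What the remote firewall must accept from the XG's public IP for the tunnel to work.
IPSEC_REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}

# Constructed, simplified view of OPNsense WAN rules (assumption: not pf syntax).
SAMPLE_RULES = [
    {"action": "pass", "proto": "udp", "src": "203.0.113.10", "dport": 500},
    {"action": "pass", "proto": "esp", "src": "203.0.113.10"},
    {"action": "block", "proto": "udp", "src": "any", "dport": 4500},
]


def missing_ipsec_rules(rules, peer: str) -> list:
    """IPsec ports/protocols that no pass rule admits from the given peer."""
    allowed = set()
    for r in rules:
        if r["action"] == "pass" and r["src"] in (peer, "any"):
            allowed.add((r["proto"], r.get("dport")))
    missing = [x for x in IPSEC_REQUIRED if x not in allowed]
    return sorted(missing, key=lambda x: (x[0], x[1] or 0))


if __name__ == "__main__":
    print("BPF filter:", bpf_filter("10.20.0.10"))
    for pkt in not_forwarded(SAMPLE_CAPTURE):
        print("seen on tun0 but not ipsec0:", pkt)
    print("pool in phase 2 (LAN only):",
          phase2_covers("10.7.0.5", "10.20.0.10", [LAN_SUBNET], [CLOUD_SUBNET]))
    print("pool in phase 2 (LAN + SSL VPN):",
          phase2_covers("10.7.0.5", "10.20.0.10", [LAN_SUBNET, SSL_VPN_POOL], [CLOUD_SUBNET]))
    print("missing on remote WAN:", missing_ipsec_rules(SAMPLE_RULES, "203.0.113.10"))
```

Reading the output: a packet listed as "seen on tun0 but not ipsec0" means the XG received the ping from the SSL VPN client but did not route it into the tunnel, so the problem is on the XG side (firewall rule, phase 2 selectors or routing); if every packet reaches ipsec0 and still gets no reply, look at the remote end, where the phase 2 remote subnet and the WAN rules admitting IKE and ESP from the XG's public address are the usual culprits.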

  • Hi DeveshM,

    I found the problem. It was a small misconfiguration on the OPNsense firewall.

    Some incoming IPsec ports were blocked.

    After I made the changes on the OPNsense I got access between all VPN networks.

    Thanks and greetings

    Timo

  • FormerMember, in reply to Timo Bruns

    Great!

    Keep these diagnostics with you in case you need help in the future :)