Sophos XG Site-to-Site IPSec Opensense and SSL-VPN Client Traffic

Question

Hello, 
 
 we've a new Sophos XG115 in our office. 
 I've configured a SSL VPN Client with the IP Range 10.7.0.0/24 to connect via SSL client to the office which is working fine. 
 Also we have a Site-to-Site IPSec VPN to our cloud opensense firewall with is connected and up. 
 But if someone frome the SSL VPN want to connect to the cloud firewall there is no traffic possible. 
 I've set the local ip in the IPSec and the SSL VPN IP both being routed through the IPSec tunnel. 
 Also the SSL VPN had the remote network configured as allowed network resource. 
 As Firewall rule on the sophos i've done: 
 Sourezone: VPN 
 Source-Network: SSL VPN Subnet & LAN Subnet 
 Destinationzone: VPN 
 Destinationnetwork: Subnet of the Opensense 
 But i can't get any traffic from SSL to the IPSec tunnel. 
 
 Any suggestions?

FormerMember · Accepted Answer

Hi Timo, Thanks for reaching out to Sophos Community. From the description, The configuration seems proper. However, verify it with this article: https://support.sophos.com/support/s/article/KB-000038320?language=en_US Then check the packet capture on GUI to verify the traffic flow. Navigate to Diagnostics > Packet Capture > Configure > Enter BPF String > Host x.x.x.x and proto 1 (replace x.x.x.x with the IP you're trying to ping). Save the capture, Enable and run a Ping from source device connected via SSL VPN. Refresh and check whether XG sends the traffic hitting from SSL VPN tunnel (tun0) to IPSEC tunnel (ipsec0). Make sure to configure openSense with the SSL VPN network range in the remote subnets under IPSec VPN.

Timo Bruns · Answer

HI DeveshM, 
 i found the problem. It was a small miss configuration on the openSense firewall. 
 Some incoming IPSec Ports was blocked. 
 After I did the changes on the opensense I got access between all VPN networks. 
 Thanks and greetings 
 imo

Sophos XG Site-to-Site IPSec Opensense and SSL-VPN Client Traffic

Top Replies