Sophos XG VMs IPsec tunnel established but hosts behind the firewalls can't ping each other.

Hello Teams,

My very first post, regarding an issue I am having with the home lab I built.

Running 2 identical Sophos VMs on Hyper-V + a few VMs behind each of the XGs.

I was able to successfully configure an IPsec tunnel between the 2 XGs.

I can ping from a host at one end to the other end's XG WAN IP and LAN IP, but I can't ping the host behind the LAN interface of the other XG.

Ref. image below:
e.g. Win10_Powershell PC on the left can ping > SophosXG05 > 10.0.0.1 (Internet) > 10.0.0.45 (SophosXGHome WAN) > 172.16.16.16 but not 172.16.16.50 (Win 10 PC)

I don't know what I am missing here...

  • FormerMember

    Hey, welcome to Sophos Community.

    Make sure that the Sophos XG-Home (172.16.16.16) has the VPN to LAN rule configured to allow inbound traffic from the IPsec VPN to the firewall's LAN.

    Also, at times the Windows firewall blocks ICMP packets, so ensure that you're able to ping 172.16.16.50 from any other machine in the same LAN.

  • Hello, I did create the rule for VPN to LAN and LAN to VPN on the XG @ 172.16.16.16.
    I have attached the rule that I created.

    Also, I can confirm that the hosts behind the XG can ping each other as well.

    Thanks in advance!!

  • FormerMember, in reply to BongBong

    Alright. The rule seems proper. Take a packet capture on both firewalls (Diagnostics > Packet Capture):

    • In the BPF string, enter: host 172.16.16.50 and proto 1
    • Make sure to enable the capture

    Just send one ping packet -> "ping 172.16.16.50 -n 1", refresh the capture on both firewalls and share those snapshots.

  • Ideally, the configuration of the firewall rules should fix this.

    Please ensure that the IPsec VPN tunnel is established and that the LAN-VPN and VPN-LAN firewall rules are configured properly at both firewall ends.

    What is the firmware version?

    Please share the output of "ipsec statusall" from both firewalls from the advanced console.

    Please share the output of "tcpdump" and "drppkt" from both firewalls from the advanced console for the destination IP address.

    Let's say that you are pinging destination host 172.16.16.50 from source host 172.16.10.50.

    Please capture "tcpdump" and "drppkt" for destination host 172.16.16.50 on firewall Sophos XG85.

    Capture tcpdump / drppkt using the following link:

    https://support.sophos.com/support/s/article/KB-000037007?language=en_US
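The two replies above ask for ICMP captures on both firewalls but do not say how to read them. The following script is an added example, not code from the thread or from Sophos: it parses tcpdump-style echo request/reply lines (the default text format tcpdump prints for ICMP, assumed here) for the 172.16.10.50 -> 172.16.16.50 ping described above and classifies what the capture on the destination firewall shows. The sample capture is constructed for illustration; the decision rules in the docstring are the same ones the replies apply by hand (no request seen means the tunnel or VPN-to-LAN rule dropped it, request seen but no reply points at the host's own firewall or a missing return route).

```python
import re

# Constructed sample of tcpdump-style output as a capture on the destination
# firewall (in front of 172.16.16.50) might print it. Not a real capture from
# the poster's lab: requests for .50 get no answer, the firewall's own LAN IP
# .16 answers, and one ARP line is there to show non-ICMP lines are ignored.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 172.16.10.50 > 172.16.16.50: ICMP echo request, id 1, seq 1, length 40
12:00:02.000002 IP 172.16.10.50 > 172.16.16.50: ICMP echo request, id 1, seq 2, length 40
12:00:03.000003 IP 172.16.10.50 > 172.16.16.16: ICMP echo request, id 1, seq 3, length 40
12:00:03.000100 IP 172.16.16.16 > 172.16.10.50: ICMP echo reply, id 1, seq 3, length 40
12:00:04.000004 ARP, Request who-has 172.16.16.50 tell 172.16.16.16, length 28
"""

# Matches tcpdump's default ICMP echo line: "<ts> IP <src> > <dst>: ICMP echo request|reply, id N, seq N, ..."
ICMP_ECHO = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(capture: str) -> list:
    """Return one dict per ICMP echo request/reply line; other lines (ARP, TCP, ...) are skipped."""
    records = []
    for line in capture.splitlines():
        m = ICMP_ECHO.match(line)
        if m:
            rec = m.groupdict()
            rec["id"] = int(rec["id"])
            rec["seq"] = int(rec["seq"])
            records.append(rec)
    return records


def diagnose_ping(capture: str, src: str, dst: str) -> str:
    """Classify a one-way ping (src -> dst) from a capture taken on the firewall in front of dst.

    Returns one of:
      "no-request"    - no echo request for dst reached this firewall: dropped or misrouted
                        upstream (tunnel selectors, VPN-to-LAN rule; drppkt on each
                        firewall shows where it was dropped).
      "no-reply"      - requests arrived but dst never answered: typically the host's own
                        firewall dropping ICMP, or dst has no route back through the tunnel.
      "partial-reply" - some sequence numbers were answered, others not (loss, or an
                        intermittent rule/SA problem).
      "ok"            - every request in the capture got a matching reply.
    """
    records = parse_icmp_echo(capture)
    requests = {(r["id"], r["seq"]) for r in records
                if r["kind"] == "request" and r["src"] == src and r["dst"] == dst}
    replies = {(r["id"], r["seq"]) for r in records
               if r["kind"] == "reply" and r["src"] == dst and r["dst"] == src}
    if not requests:
        return "no-request"
    answered = requests & replies
    if not answered:
        return "no-reply"
    if answered != requests:
        return "partial-reply"
    return "ok"


if __name__ == "__main__":
    # Same source host, two targets: the LAN host and the firewall's LAN IP.
    for target in ("172.16.16.50", "172.16.16.16"):
        print(target, diagnose_ping(SAMPLE_CAPTURE, "172.16.10.50", target))
```

Run the capture on the firewall nearest the destination first: a "no-reply" result there means the tunnel and the VPN-to-LAN rule already delivered the packet and the remaining suspect is the Windows host, whereas "no-request" sends you back to drppkt on the same firewall and then to the source-side firewall to find the drop.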