Routing issues with IPsec (Remote Access)

Hi Daniel Hargrove: Thanks for your reaching out to the Sophos community team. Please ensure PING on VPN Zone is enabled and you may verify the same from System > Administration > Device Access > VPN > PING.

Apart from the above, you may validate the TCPDUMP and drop on XG during generating PING from the end machine ( Connected over Remote access VPN) and may confirm more.

Sophos Firewall: Monitor traffic using Packet Capture Utility from GUI & CLI:

https://support.sophos.com/support/s/article/KB-000035761?language=en_US

https://support.sophos.com/support/s/article/KB-000035939?language=en_US

Sophos Firewall: Monitor dropped packets using CLI:

https://support.sophos.com/support/s/article/KB-000036858?language=en_US

Hi and many thanks for coming back to me. 

I have checked and Ping is allowed on the VPN zone. It looks like it is set as default. 

Using the Diagnostics > Packet Capture I can see the following when trying to ping 192.168.12.200 

Line 1 :

In Interface - ipsec0

Out Interface - Port 5

Source IP - 10.10.10.10

Destination IP - 192.168.12.200 

Packet Type - ICMP

Status - Forwarding  

Line 2 : 

In Interface - ipsec0

Source IP - 10.10.10.10

Destination IP - 192.168.12.200 

Packet Type - ICMP

Status - Incoming  

After that it goes quiet. 

Is there anything I need to add to the firewall rules to let the ping result go back out to the client device? 

Many thanks, Dan 

Hi and many thanks for coming back to me. 

I have checked and Ping is allowed on the VPN zone. It looks like it is set as default. 

Using the Diagnostics > Packet Capture I can see the following when trying to ping 192.168.12.200 

Line 1 :

In Interface - ipsec0

Out Interface - Port 5

Source IP - 10.10.10.10

Destination IP - 192.168.12.200 

Packet Type - ICMP

Status - Forwarding  

Line 2 : 

In Interface - ipsec0

Source IP - 10.10.10.10

Destination IP - 192.168.12.200 

Packet Type - ICMP

Status - Incoming  

After that it goes quiet. 

Is there anything I need to add to the firewall rules to let the ping result go back out to the client device? 

Many thanks, Dan 

Hi Daniel Hargrove: If you check PING to firewall IP itself, is it successful? 

Nope :( 

I did see an issue with the Out Interface when I did the Packet Capture but I have since resolved (changed IP range from 10.10.10.0 which was used elsewehre to 176.16.16.0) and I am seeing the same.

On the package capture I can see something trying to happen but I am not seeing it at the remote end. 

Any further thoughts? 

Many thanks, Dan 

FIGURED IT! - It seems I had duplicate entries in the IP Host. Once I chose a different subnet and changed the settings where required it came to life. Many thanks for your help and guidance. Dan