SophosXG incoming packet disappeared on established IPSec XFRM interface

[XG version: SFOS 18.5.1 MR-1-Build326]
[Remote OS: Ubuntu 20.04.1 w/ strongSwan U5.8.2, hosted on GCP]

I have set up an Ubuntu host on GCP for lab purposes and have set up an IPSec tunnel to connect back to the Sophos XG.
XG has a public routable IP and the Linux host also has a public IP mapped.
On both sides of the tunnel, a private IP was assigned to the XFRM interface.

The topology would look like below:

[xfrm1 on XG]     [Public IP @ XG]                  [Public IP @ GCP]  [GCP internal IP]  [xfrm1 on Ubuntu]
  10.0.0.1----------111.111.111.111-----[Internet]-----222.222.222.222-----10.x.x.x---------1.0.0.2

The tunnel seems to be established without issue, as swanctl -l on both sides shows ESTABLISHED.

The strange part is, when I tried to Ping from either side, the packet from my GCP Ubuntu host was missing in tcpdump.

Ping from SophosXG to Ubuntu:

on SophosXG:
tcpdump -i xfrm1 -n
03:23:08.692795 xfrm1, OUT: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 45093, seq 19, length 64
03:23:09.692902 xfrm1, OUT: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 45093, seq 20, length 64

On Ubuntu:
sudo tcpdump -i xfrm1 -n
03:25:42.803355 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 45093, seq 173, length 64
03:25:42.803389 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 45093, seq 173, length 64
03:25:43.803357 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 45093, seq 174, length 64
03:25:43.803388 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 45093, seq 174, length 64

Ping from Ubuntu to SophosXG:

on Ubuntu:
sudo tcpdump -i xfrm1 -n
03:27:51.474675 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 10, seq 4, length 64
03:27:52.498671 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 10, seq 5, length 64

on SophosXG:
tcpdump -i xfrm1 -n
0 packets captured
0 packets received by filter
0 packets dropped by kernel

However, on XG's WAN, I did capture IPSec traffic which matched the pattern of the Ping (it started and stopped together with the Ping, and one packet per second).

tcpdump -i Port1.10 -n host 222.222.222.222
03:34:07.363654 Port1.10, IN: IP 222.222.222.222.4500 > 111.111.111.111.4500: UDP-encap: ESP(spi=0xc...c,seq=0x19f), length 136
03:34:08.387619 Port1.10, IN: IP 222.222.222.222.4500 > 111.111.111.111.4500: UDP-encap: ESP(spi=0xc...c,seq=0x1a0), length 136
03:34:09.411584 Port1.10, IN: IP 222.222.222.222.4500 > 111.111.111.111.4500: UDP-encap: ESP(spi=0xc...c,seq=0x1a1), length 136
03:34:10.435858 Port1.10, IN: IP 222.222.222.222.4500 > 111.111.111.111.4500: UDP-encap: ESP(spi=0xc...c,seq=0x1a2), length 136

This behavior seems strange because any packet coming from the remote tunnel interface seems to disappear on XG.

Ping on the VPN zone was permitted; however, this should not affect the output of tcpdump, I guess...

Thanks all.

  • The issue here is, I think the Ubuntu is not doing a correct job in translating the packet back to the firewall.

    In fact, I did not try an Ubuntu client to build up an IPsec site-to-site tunnel myself, therefore I cannot comment, but it looks like the packet is not transferred correctly.

  • Hi LiCar, thanks for the input. To verify if the packet is transmitted correctly, I have done some more testing.

    By luck I guess, when I was trying to Ping with different sizes, I found that pings with >300 bytes (289 to be accurate) would succeed (magic~!),
    and this led me to think that the problem may be related to MTU or packet size, and one possible cause could be IPComp (compression) being enabled.

    So, after disabling IPComp or "Pass data in compressed format" on both sides, bravo~ my pings are finally getting through!

    It seems that I need to give up this little trick of trying to save some bandwidth on GCP...the 1GB quota on the free tier Sob
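A systematic version of the size test the reply above stumbled on by luck, as an added example that is not part of the thread or of any Sophos or strongSwan tooling: it sweeps ICMP payload sizes across the tunnel and classifies the result, so a "small packets vanish, larger ones pass" pattern (the IPComp symptom) stands out. It assumes Linux iputils ping (`-c`, `-W`, `-s`) and uses the thread's far-end xfrm address 10.0.0.2 only as the example peer.

```shell
#!/bin/sh
# Added example, not from the thread: sweep ICMP payload sizes across a tunnel
# and report whether loss depends on size (the IPComp symptom discussed above).
# Assumes Linux iputils ping; PEER is set from the first argument.

# Extract the "received" count from a ping summary read on stdin; prints 0
# when no summary is present (unreachable host, name error, timeout).
ping_received() {
    sed -n 's/.*transmitted, \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1/p' \
        | tail -n 1 | grep . || echo 0
}

# Probe one payload size: two echo requests, one-second reply timeout each.
probe_size() {
    ping -c 2 -W 1 -s "$1" "$PEER" 2>/dev/null | ping_received
}

# Emit one "size received" line per payload size from $1 to $2 in steps of $3.
sweep() {
    size="$1"
    while [ "$size" -le "$2" ]; do
        printf '%s %s\n' "$size" "$(probe_size "$size")"
        size=$((size + $3))
    done
}

# Classify sweep output (lines "size received") with no network needed:
# "size-dependent" when some sizes pass and others fail, else all-pass/all-fail.
classify() {
    awk '$2 > 0 { p++ } $2 == 0 { f++ }
         END { if (p && f) print "size-dependent";
               else if (p) print "all-pass"; else print "all-fail" }'
}

# Usage: sh icmp_size_sweep.sh <peer> [min] [max] [step]
# e.g.   sh icmp_size_sweep.sh 10.0.0.2 8 1400 16
# Prints the per-size table, then the verdict on the last line.
if [ $# -ge 1 ]; then
    PEER="$1"
    result="$(sweep "${2:-8}" "${3:-1400}" "${4:-16}")"
    printf '%s\n' "$result"
    printf '%s\n' "$result" | classify
fi
```

With the thread's symptom, the table shows 0 received for every size below the threshold and 2 received above it, and the verdict is size-dependent; after IPComp is disabled on both ends the same sweep reports all-pass.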