Site-to-Site IPsec Sophos XG - FritzBox 7590

Hi folks,

Thanks to this post community.sophos.com/.../vpn---site-to-site-sophos-xg-v18x---fritzbox-v7-2x I was able to successfully establish a connection between my Sophos XG (software) SFOS 18.5.1 MR-1-Build326 and FritzBox 7590 OS 7.28.

The VPN is active, but I can't reach the networks on either side in any way. I obviously created the appropriate rules on Sophos:

SFVH_SO01_SFOS 18.5.1 MR-1-Build326# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
x.xxx.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
10.81.234.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0   (manually added)
192.168.124.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1

SFVH_SO01_SFOS 18.5.1 MR-1-Build326# ifconfig ipsec0
ipsec0 Link encap:Ethernet HWaddr 62:CA:75:EC:63:B6
inet addr:169.254.234.5 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::60ca:75ff:feec:63b6/64 Scope:Link
UP BROADCAST RUNNING NOARP MULTICAST MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

On the FritzBox:

vpncfg {
    connections {
        enabled = yes;
        editable = yes;
        conn_type = conntype_out;
        name = "xxxxx";
        boxuser_id = 0;
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = no;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = PublicIP;
        remote_virtualip = 0.0.0.0;
        keepalive_ip = 0.0.0.0;
        localid {
            fqdn = "PublicDNS";
        }
        remoteid {
            ipaddr = PublicIP;
        }
        mode = phase1_mode_aggressive;
        phase1ss = "dh14/aes/sha";
        keytype = connkeytype_pre_shared;
        key = "xxxxx";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = yes;
        phase2localid {
            ipnet {
                ipaddr = 192.168.123.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.124.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
        accesslist = "permit ip any 192.168.124.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

I also tried to follow this guide, but with no luck: https://support.sophos.com/support/s/article/KB-000035835?language=en_US

community.sophos.com/.../ipsec-site-to-site-vpn-connects-but-no-traffic-passes

Any ideas?



  • When I try to reach a host on the FritzBox site I get this message:

    SrcIP is the FritzBox public IP.

  • Hello Alex,

    Thank you for contacting the Sophos Community.

    I would recommend you do a GUI Packet Capture to confirm where the packets are going; however, based on the Firewall Rules, I see traffic is moving back and forth.

    Did you obscure the Src IP because it was showing your Public IP?

    Regards,

  • Hi Emmanuel,

    Yes, the obscured IP is the public FritzBox IP of the other site (not static, but with a DynDNS service).

    When I try to reach HTTPS from 192.168.124.200 to 192.168.123.253 it matches rule 11, automatically created by the IPsec connection,

    but the problem appears to be invalid traffic. Do you have any suggestions?

    thanks

    Alessandro

  • Hello Alex,

    I don't think your issue is with the Invalid Traffic, as that traffic isn’t destined to the tunnel.

    The traffic for the tunnel is flowing fine, I would check the other side as there is no reply from them.

    When doing the GUI Packet Capture, only enter the following string: host 192.168.123.253

    Regards,

  • Packet information

    443:

    Ethernet header
    Source MAC address: 34:c9:3d:XX:XX:XX (PC MAC address)
    Destination MAC address: 64:62:66:XX:XX:XX (Port1 LAN MAC address)
    Ethernet type: IPv4 (0x800)

    IPv4 Header
    Source IP address: 192.168.124.200
    Destination IP address: 192.168.123.253
    Protocol: TCP
    Header: 20 Bytes
    Type of service: 0
    Total length: 52 Bytes
    Identification: 12784
    Fragment offset: 16384
    Time to live: 127
    Checksum: 20413

    TCP Header:
    Source port: 55984
    Destination port: 443
    Flags: SYN
    Sequence number: 1997974908
    Acknowledgement number: 0
    Window: 64240
    Checksum: 63753

    ICMP:

    Ethernet header
    Source MAC address: 34:c9:3d:XX:XX:XX (PC MAC address)
    Destination MAC address: 64:62:66:XX:XX:XX (Port1 LAN MAC address)
    Ethernet type: IPv4 (0x800)

    IPv4 Header
    Source IP address: 192.168.124.200
    Destination IP address: 192.168.123.253
    Protocol: ICMP
    Header: 20 Bytes
    Type of service: 0
    Total length: 60 Bytes
    Identification: 12783
    Fragment offset: 0
    Time to live: 127
    Checksum: 36795

    ICMP Header:
    Type: 8
    Code: 0
    Echo ID: 1
    Echo sequence: 4
    Gateway: 0
    Fragmentation MTU: 0
    Checksum: 19799

  • Hello Alex,

    Thank you. It all seems correct on the XG side; it looks like we aren’t seeing replies from 192.168.123.253.

    Regards,

  • Hello Emmanuel,

    If I put the FritzBox public IP in the packet capture I see this:

    In your opinion, could it be a problem that the site where the FritzBox is installed does not have a static IP but a DynDNS service? Yet the VPN is stable.

    Look at the second line: shouldn't it match the VPN traffic rule (ID 11)?

  • I finally managed to get everything working correctly! The problem was inside the FritzBox's configuration: when you do the config export, the vpn.cfg section contains additional parts that must be removed. For those who have the same problem, I recommend using exactly the same parameters you find here: community.sophos.com/.../vpn---site-to-site-sophos-xg-v18x---fritzbox-v7-2x

  • Hello Alex,

    Thank you for taking the time to update the community on what solved the issue.

    As for your question, no, it wouldn't matter. You see the traffic violation because traffic from the public IP isn’t allowed within the tunnel SA.

    Regards,
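The two checks this thread turns on (do the FRITZ!Box phase 2 selectors line up with what the XG routes into ipsec0, and does a given packet fall inside the tunnel SA at all, which is why the public-IP traffic shows up as "invalid") can be scripted against the two artifacts posted in the opening message. The Python below is an added example written for this page, not code from Sophos, AVM or the original poster. It parses the FRITZ!Box vpn.cfg syntax, parses the XG route -n output, cross-checks the two, and answers the selector question for a packet. The config text is a trimmed copy of the posted fragment (the vpncfg { connections { ... } } wrapper braces are assumed from the export format; omitted keys are not changed), the route lines are copied as posted, and any public IP used with tunnel_covers is a stand-in for the obscured FRITZ!Box address.

```python
import ipaddress
import re

# Constructed for this example: the selector-relevant keys of the vpn.cfg
# fragment posted above, wrapped in the vpncfg { connections { ... } } braces
# a FRITZ!Box export carries (assumed); other keys are omitted, none changed.
FRITZ_VPN_CFG = """
vpncfg {
    connections {
        mode = phase1_mode_aggressive;
        keytype = connkeytype_pre_shared;
        phase2localid { ipnet { ipaddr = 192.168.123.0; mask = 255.255.255.0; } }
        phase2remoteid { ipnet { ipaddr = 192.168.124.0; mask = 255.255.255.0; } }
        accesslist = "permit ip any 192.168.124.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""
# The XG 'route -n' lines posted above (the obscured WAN line kept as posted).
XG_ROUTE_N = """\
x.xxx.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.124.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1
"""
_TOKEN = re.compile(r'"[^"]*"|[{};=,]|[^\s{};=,]+')


def parse_fritz_cfg(text):
    """FRITZ!Box 'key = value;' / 'name { ... }' text -> nested dicts (lists for comma values and repeated keys)."""
    tokens, pos = _TOKEN.findall(text), 0

    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key, pos = tokens[pos], pos + 1
            if tokens[pos] == "{":
                pos += 1
                value = block()
                pos += 1                              # consume the closing "}"
            elif tokens[pos] == "=":
                pos += 1
                items = []
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        items.append(tokens[pos].strip('"'))
                    pos += 1
                pos += 1                              # consume ";"
                value = items[0] if len(items) == 1 else items
            else:
                raise ValueError(f"unexpected {tokens[pos]!r} after {key!r}")
            prev = out.get(key)                       # repeated key -> list (several connections blocks)
            out[key] = value if prev is None else (prev if isinstance(prev, list) else [prev]) + [value]
        return out

    cfg = block()
    if pos != len(tokens):
        raise ValueError("unbalanced braces in vpn.cfg")
    return cfg


def parse_route_n(text):
    """[(network, iface)] from 'route -n' output; header and obscured lines are skipped."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        try:
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), f[7]))
        except (IndexError, ValueError):
            pass
    return routes


def ipnet(phase2id):
    n = phase2id["ipnet"]
    return ipaddress.ip_network(f"{n['ipaddr']}/{n['mask']}")


def check_site_to_site(cfg, xg_routes):
    """Cross-check the FRITZ!Box phase 2 selectors against the XG routing table."""
    conn = cfg["vpncfg"]["connections"]
    fritz_lan = ipnet(conn["phase2localid"])      # network behind the FRITZ!Box
    xg_lan = ipnet(conn["phase2remoteid"])        # network it expects behind the XG
    problems, warnings = [], []
    if (fritz_lan, "ipsec0") not in xg_routes:
        problems.append(f"XG has no route for {fritz_lan} via ipsec0")
    if not any(n == xg_lan and i != "ipsec0" for n, i in xg_routes):
        problems.append(f"XG does not own {xg_lan}: phase2remoteid is wrong")
    acl = conn["accesslist"].split()
    if len(acl) != 5 or acl[:3] != ["permit", "ip", "any"] \
            or ipaddress.ip_network(f"{acl[3]}/{acl[4]}") != xg_lan:
        problems.append(f"accesslist does not cover {xg_lan}, replies would be filtered")
    if conn["mode"] == "phase1_mode_aggressive" and conn["keytype"] == "connkeytype_pre_shared":
        warnings.append("aggressive mode + PSK: the PSK-derived hash crosses the wire unencrypted")
    return problems, warnings


def tunnel_covers(cfg, src, dst):
    # True if the phase 2 selectors would protect src -> dst in either direction.
    conn = cfg["vpncfg"]["connections"]
    a, b = ipnet(conn["phase2localid"]), ipnet(conn["phase2remoteid"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in a and d in b) or (s in b and d in a)
```

Run check_site_to_site(parse_fritz_cfg(FRITZ_VPN_CFG), parse_route_n(XG_ROUTE_N)) and it returns no problems for the posted selectors and routes, which matches Emmanuel's reading that the XG side is fine; change phase2remoteid to a network the XG does not own and the mismatch is reported. tunnel_covers("192.168.124.200", "192.168.123.253") is true for the captured SYN, while a packet sourced from the FRITZ!Box public IP (a stand-in such as 203.0.113.10) is not covered by any selector, which is the "invalid traffic" log line the poster asked about. Because the parser tokenizes on braces and semicolons rather than line breaks, the run-together "} ike_forward_rules = ..." layout of the original paste parses to the same structure. The one warning it raises is a hardening note, not a connectivity problem: aggressive mode with a pre-shared key sends the PSK-derived responder hash in the clear, so main mode is preferable where both ends support it.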