Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 26 subscribers
  • Views 948 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG210 Firewall IPSec(Remote Access) VPN connected, but cannot access LAN

Petar Kirkovski

Hello,

We have a XG210 firewall and  an issue when IPSec VPN is connected, the local network that we want to connect to, can't be accessed. 

The configuration is the following:

- Two connections with preshared key are created, one through Sophos Connect Client and the other through IPSec connections menu, both can be be connected but both cant access the LAN;

-  Added two rules in the Firewall LAN (VLAN Subnet) -> VPN (Any) and VPN (Any) ->LAN ( VLAN Subnet )  both without NAT;

- The user is configured to have access to the VPN without any restrictions.

Connection 1:

Connection 2:

Firewall rule VPN to LAN

Firewall rule LAN to VPN

I saw in a post on the forums an option to add ipsec routes through the console with the command:

system ipsec_route add net xxx.xxx.xxx.0/255.255.255.0 tunnelname TunnelName

for both connections, but with this, when a VPN is connected,  the VLAN is dead.

When I try to ping the LAN from the VPN, on the firewall logs I can see the packages, they are allowed from the firewall rules, but they don't reach their destination.

Edit: Forgot to mention that everything is functioning as it should when connected with PPTP.

How can I fix this problem? The XG firmware version is: SFOS 17.5.12 MR-12

Reards,

Petar



This thread was automatically locked due to age.
Parents
  • +1

    Hello Petar,

    Thank you for contacting the Sophos Community.

    I am not sure if I understood your post correctly, basically, neither the Sophos Connect Client and the site-to-site VPN users are able to access a resource behind the XG?

    Unfortunately, since even the Private IPs are obscure I can't make much sense of what is happening.

    I would recommend you First check the Computer/Server they’re trying to reach doesn't have their Computer Firewall enabled, do a GUI Packet Capture with the IP of the destination computer. Then start the Ping from the Sophos Connect client and see if the traffic is arriving, if it is, then do a tcpdump from the Advanced Shell of the XG using the Port where the destination Computer connects to

    #tcpdump -eni Port1 host x.x.x.x and proto ICMP (Substitute x.x.x.x) for the IP of the Destination Computer, then Ping and see if you see the XG seeing the packets and sending out the correct interface.

    Most important make sure the subnets aren’t overlapping.

    Regards,

  • 0 in reply to emmosophos

    Hi Emmanuel,

    Thank you for your reply.

    To be more clear what is happening, what you have understood is correct, VPN users can't access the network behind the XG. That is happening when connecting with IPSec, with PPTP there are not problems at all, but we want to be able to connect with IPSec.

    After reading your comment I have failed to see the last line Slight smile When I have changed the subnet everything started working, but it's not very clear to me why. With PPTP with the same subnet addresses it is functional, but with IPSec, not. Anyway thank you for the answer it really helped me a lot.

    Regards,

    Petar

Reply
  • 0 in reply to emmosophos

    Hi Emmanuel,

    Thank you for your reply.

    To be more clear what is happening, what you have understood is correct, VPN users can't access the network behind the XG. That is happening when connecting with IPSec, with PPTP there are not problems at all, but we want to be able to connect with IPSec.

    After reading your comment I have failed to see the last line Slight smile When I have changed the subnet everything started working, but it's not very clear to me why. With PPTP with the same subnet addresses it is functional, but with IPSec, not. Anyway thank you for the answer it really helped me a lot.

    Regards,

    Petar

Children
No Data