Sophos Firewall - route based site to site VPN behind router

Hi, I'm trying to setup IPsec site to site VPN using tunnel interface or route based.

The sites in question have the following setup:

Both sites:

Connection type: Tunnel interface

Policy: IKEv2

Authentication type: RSA key

Firmware: 18.5 MR1

Site A - XG210

Connected to a TP Link MR600, DMZ is configured to the firewall IP. Public IP for example is 456.456.456.456

WAN interface uses private IP e.g. 192.168.1.2

Gateway type: Initiate the connection

Local gateway: WAN port with private IP (192.168.1.2)

Remote gateway: Site B public IP (123.123.123.123)

Site B - Virtual XG

Direct internet

WAN interface uses public IP e.g. 123.456.789.123

Gateway type: Respond only

Local gateway: WAN port with public IP (123.123.123.123)

Remote gateway: Site A public IP (456.456.456.456)

I have tried configuring the remote ID type to IP address and put Site A private IP as remote ID.

Log viewer shows peer did not respond to initial message. Please advise how the VPN connections need to be configured. Thanks.

  • Hi Wimar Aswan,

    You have to make sure both Sophos Firewalls are accessible, either with a static public IP or DDNS, for the tunnel to come up and work. In your case you have an upstream TP-Link router and the Sophos XG has a private IP; your TP-Link needs to forward UDP port 500 and UDP port 4500 to the private IP configured on the Sophos XG.

    Check the logs on: console> tcpdump 'host <Public IP> and port 500 or 4500'

    console> drop-packet-capture 'host <Public IP> and port 500 or 4500'

    1. Sign in to web admin of Sophos Firewall.
    2. Click admin > Console and press Enter.
    3. Enter your password.
    4. Select 4. Device Console and press Enter.

      Note: To see the other console commands, go to the documentation page Device console.
       
    5. Run the commands below:
       
      • For IPsec: show vpn IPSec-logs
        1. Select 5. Device Management and press Enter.
        2. Select 3. Advanced Shell and press Enter.
        3. Run the command tail -f /log/strongswan.log
        4. SFVUNL_SO01_SFOS 17.5.0 GA# ipsec statusall
        5. SFVUNL_SO01_SFOS 17.5.0 GA# ip xfrm policy

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    If I initiate a connection from the site B firewall, I can see that the packet is received on the site A firewall. The site B firewall, however, does not seem to be receiving the packet from site A. I wonder if the TP-Link device is blocking outbound UDP 500 as it also has IPsec functionality.

    2022-02-02 17:44:54 15[NET] <793> received packet: from siteB-Public[500] to siteA-Private[500] (954 bytes)
    2022-02-02 17:44:54 15[ENC] <793> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2022-02-02 17:44:54 15[IKE] <793> siteB-Public is initiating an IKE_SA
    2022-02-02 17:44:54 15[IKE] <793> local host is behind NAT, sending keep alives
    2022-02-02 17:44:54 15[ENC] <793> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    2022-02-02 17:44:54 15[NET] <793> sending packet: from siteA-Private[500] to siteB-Public[500] (242 bytes)
    2022-02-02 17:44:58 32[NET] <793> received packet: from siteB-Public[500] to siteA-Private[500] (954 bytes)
    2022-02-02 17:44:58 32[ENC] <793> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2022-02-02 17:44:58 32[IKE] <793> received retransmit of request with ID 0, retransmitting response

    Regards,

    Wimar

  • Hi Wimar Aswan ,

    Please open the CLI.

    Check the logs on: console> tcpdump 'host <Public IP> and port 500 or 4500'

    console> drop-packet-capture 'host <Public IP> and port 500 or 4500'

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    Thanks for the log commands, they narrowed down the issue. VPN passthrough wasn't enabled on the TP-Link.

    Archer MR600 VPN Passthrough - Home Network Community (tp-link.com)
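Bharat's capture commands and Wimar's strongswan.log excerpt point at the same symptom: site A parses IKE_SA_INIT and generates a response, but the peer keeps retransmitting request 0 because that response is lost on the way back through the upstream NAT. The following is an added example, not code from the thread or from Sophos, that reads strongswan.log lines of that shape and flags IKE SAs stuck in exactly that state; the log sample is constructed to mirror the excerpt (timestamps, SA numbers and host names are placeholders).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's strongswan.log excerpt. SA <793> shows the
# one-way symptom (response generated, peer retransmits, never reaches IKE_AUTH); SA <800>
# is a constructed healthy exchange for comparison.
SAMPLE_LOG = """\
2022-02-02 17:44:54 15[ENC] <793> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2022-02-02 17:44:54 15[IKE] <793> siteB-Public is initiating an IKE_SA
2022-02-02 17:44:54 15[IKE] <793> local host is behind NAT, sending keep alives
2022-02-02 17:44:54 15[ENC] <793> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2022-02-02 17:44:58 32[ENC] <793> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2022-02-02 17:44:58 32[IKE] <793> received retransmit of request with ID 0, retransmitting response
2022-02-02 17:50:01 07[ENC] <800> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2022-02-02 17:50:01 07[IKE] <800> siteB-Public is initiating an IKE_SA
2022-02-02 17:50:01 07[ENC] <800> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2022-02-02 17:50:01 08[ENC] <800> parsed IKE_AUTH request 1 [ IDi CERT AUTH SA TSi TSr ]
"""

# "<date> <time> <thread>[<subsystem>] <<sa-id>> <message>"
LINE_RE = re.compile(r"^\S+ \S+ \d+\[(?P<sub>[A-Z]+)\] <(?P<sa>\d+)> (?P<msg>.*)$")

def summarise_ike(log_text):
    """Per IKE_SA id: what the responder saw during the IKE_SA_INIT exchange."""
    sas = defaultdict(lambda: {"peer": None, "init_responses": 0, "retransmits": 0,
                               "auth_seen": False, "behind_nat": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or differently formatted line
        s, msg = sas[m["sa"]], m["msg"]
        if msg.endswith("is initiating an IKE_SA"):
            s["peer"] = msg.split()[0]
        elif msg.startswith("generating IKE_SA_INIT response"):
            s["init_responses"] += 1
        elif msg.startswith("received retransmit of request"):
            s["retransmits"] += 1
        elif msg.startswith("parsed IKE_AUTH request"):
            s["auth_seen"] = True  # peer got our INIT response and moved on
        elif "local host is behind NAT" in msg:
            s["behind_nat"] = True
    return dict(sas)

def stalled_exchanges(summary):
    """SAs where we answered IKE_SA_INIT, the peer kept retransmitting and never sent
    IKE_AUTH: our response is being dropped on the return path (NAT, port forward,
    VPN passthrough). Verify with tcpdump/drop-packet-capture on UDP 500/4500."""
    return sorted(sa for sa, s in summary.items()
                  if s["init_responses"] and s["retransmits"] and not s["auth_seen"])
```

Run it against a real `tail /log/strongswan.log` capture and any SA it lists is one where the remote side never saw your IKE_SA_INIT reply.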
