This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BO not able to reach Cloud subnet over IPSec connecting to Head Office.

Ben Ng over 3 years ago

Hi,

I had configured a ipsec remote access from the cloud using sophos connect to my HQ XGS.

there is a remote Branch that is connected to HQ using IPsec connection.

BO-----------------------------------HQ--------------------------------Cloud

192.168.32.0/24 192.168.0.0/24 192.168.60.0/24

i have some issue with the routing and it is not able to reach from the BO to the Cloud.

What i had done:

IPSec VPN added the Cloud subnet and HQ subnet into local subnet.

Added the Cloud subnet into the remote subnet in IPSec VPN configuration

Added the system ipsec_route of the Cloud and also BO into HQ XGS.

Added the firewall rules to allow Cloud VPN and HQ local subnet inbound and outbound in BO

Added Firewall rules allow BO subnet inbound and outbound in HQ XGS.

currently the network is not able to reach the Cloud subnet (192.168.60.0/24) from the BO site.

Appreciate the advice on how to troubleshoot the routing.

Thanks

This thread was automatically locked due to age.

Parents

0 Vivek Jagad over 3 years ago

Hello Ben Ng,

Have you created a rule VPN to VPN ?
May be the following article can if you are using three sites to connect: https://support.sophos.com/support/s/article/KB-000035821?language=en_US
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Ng over 3 years ago in reply to Vivek Jagad

Hi Vivek,

Thanks for the respond, as one of the site is using the sohpos connect IPsec remote access, i am not able to configure as per the article.

below is my configuration for the cloud server IPsec remote access.

i did include all the subnet that will be required to access to the cloud server. but still not able to ping or reach the server.

Is there any way to use the IPsec remote access configuration to route?

Thanks and Regards

Ben
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 3 years ago in reply to Ben Ng

Hello ben,

do you have a route FROM the cloud network 192.168.60.0/24 to the BO network with 192.168.32.0/24 in place?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Ben Ng

So BO is connected to HO via Sophos remote IPsec ?
And then Ho is connected to cloud via S2S IPsec right ?
Can you clarify the setup ?
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Ng over 3 years ago in reply to jprusch

Hi Jprusch,

The ip address is gotten from the XGS. so the routing that i did is in the XGS console.

HQ XGS

BO

The route in BO is to ensure that the subnet 192.168.60.0 is from the tunnel that is coming from the HQ.

Regards

Ben
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Ben Ng

Hello Ben Ng,
Can you check if the traffic is going into the IPsec tunnel or not with the following command:
console> system diagnostics utilities route lookup <cloud subnet ip>
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Ng over 3 years ago in reply to Vivek Jagad

Hi Vivek

Below is the result

BO is connected to HO via IPsec S2S.
Ho is connected to cloud via remote IPsec.

Why is this so, its because that the cloud does not have a firewall, so i installed sophos connect to establish a connection between the HQ to the cloud server.

Regards,

Ben
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Ben Ng

Hello Ben Ng,

First of all SFOS 18.0.3 MR-3 is declared EOL
KBA: https://support.sophos.com/support/s/article/KB-000035279?language=en_US

So, would request you to update the firmware to at least SF-OS 18.06 MR-6.

Now, we know the traffic from BO does travel to HO via IPsec0 tunnel.

Now check on the HO, whether the traffic from HO received from BO does it travel to remote IPsec tunnel ?
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Ng over 3 years ago in reply to Vivek Jagad

Hi Vivek,

Thanks for the firmware information, will get the approval for the upgrade of the firmware from the management.

I had also did some testing and found that the traffic is able to reach the firewall via the IPSec

above is the log that i captured from the log viewer.

but still the cloud server is not able to be ping from the remote site.

can also advice if there is any other command that i can use to trace the routing?

Regards

Ben
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Ben Ng over 3 years ago in reply to Vivek Jagad

Hi Vivek,

Thanks for the firmware information, will get the approval for the upgrade of the firmware from the management.

I had also did some testing and found that the traffic is able to reach the firewall via the IPSec

above is the log that i captured from the log viewer.

but still the cloud server is not able to be ping from the remote site.

can also advice if there is any other command that i can use to trace the routing?

Regards

Ben
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Vivek Jagad over 3 years ago in reply to Ben Ng

From the client machine on the command prompt you can use the cmd: route print

and from the command line interface of the FW appliance you can use: console> traceroute <DEST IP>
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 3 years ago in reply to Vivek Jagad

I still think he is lacking the route back from the cloud net to the BO over the HQ-route or the HQ-Route should be the default gateway for 192.168.60.0/254
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to jprusch

There is a possibility, jprusch with the commands provided he should be able to determine that !!
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Ng over 3 years ago in reply to Vivek Jagad

Hi All,

The problem is that the IPSec remote access is not able to create a route back on the XGS, and I'm still looking for a way to add in the route for 192.168.60.0/24.

I do have a SSL VPN access that I created and it works fine when the user connect using that.

As the IPSec remote access is also getting the IP address from XGS, at first I though that the configuration will be the same.

But to my surprise it seems not.

If there is a way to configure the route for the Cloud subnet (192.168.60.0/24), do enlighten me.

BTW, i tried to add in the static route but due to the IPSec remote configuration, there is no gateway. And it also does not work.

Sorry for the inconvenience.

Regards

Ben
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 3 years ago in reply to Vivek Jagad

Hello @Vivek Jagad,

yes, hopefully and he should definitely have the 18.5.x firmware on BO-Site, too.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Ben Ng

Hey Ben Ng,

Can you confirm if under the IPsec remote access if the default gateway is enabled ?
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Ng over 3 years ago in reply to Vivek Jagad

Hi Vivek,

I didn't enable the default gateway,

If I enable this will I loss the WAN IP connection from the cloud?

Regards

Ben
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Ben Ng

Well Ben Ng, enabling that option will send all traffic, including external internet requests, to the interface you specify for IPsec remote access. With that client users will send their internet requests through Sophos Firewall, and you will need to configure a firewall rule with the source zone set to VPN and the destination zone set to WAN.

For HO it is already accessible right? So clients will considered on the local firewall, that should work if you have allowed the cloud subnet to communicate.
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 3 years ago in reply to Ben Ng

Yes, that's the dilemma! You probably do not want this as the default gateway there.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ben Ng over 3 years ago in reply to Vivek Jagad

Hi Vivek,

Thanks for the recommendation, will check with my manager if he is okay with the solution tomorrow.

Regards

Ben
Cancel
Vote Up 0 Vote Down

Cancel