BO not able to reach Cloud subnet over IPSec connecting to Head Office.

Hello Ben Ng,

Have you created a rule VPN to VPN ?
May be the following article can if you are using three sites to connect: https://support.sophos.com/support/s/article/KB-000035821?language=en_US

Hi Vivek,

Thanks for the respond, as one of the site is using the sohpos connect IPsec remote access, i am not able to configure as per the article.

below is my configuration for the cloud server IPsec remote access.

i did include all the subnet that will be required to access to the cloud server. but still not able to ping or reach the server.

Is there any way to use the IPsec remote access configuration to route?

Thanks and Regards

Ben

Hello ben,

do you have a route FROM the cloud network 192.168.60.0/24 to the BO network with 192.168.32.0/24 in place?

So BO is connected to HO via Sophos remote IPsec ? 
And then Ho is connected to cloud via S2S IPsec right ?
Can you clarify the setup ?

Hi Jprusch,

The ip address is gotten from the XGS. so the routing that i did is in the XGS console.

HQ XGS

BO

The route in BO is to ensure that the subnet 192.168.60.0 is from the tunnel that is coming from the HQ.

Regards

Ben 

Hello Ben Ng,
Can you check if the traffic is going into the IPsec tunnel or not with the following command: 
console> system diagnostics utilities route lookup <cloud subnet ip> 

Hi Vivek

Below is the result 

BO is connected to HO via IPsec S2S.
Ho is connected to cloud via remote IPsec.

Why is this so, its because that the cloud does not have a firewall, so i installed sophos connect to establish a connection between the HQ to the cloud server.

Regards,

Ben

Hello Ben Ng,

First of all SFOS 18.0.3 MR-3 is declared EOL
KBA: https://support.sophos.com/support/s/article/KB-000035279?language=en_US


So, would request you to update the firmware to at least SF-OS 18.06 MR-6.

Now, we know the traffic from BO does travel to HO via IPsec0 tunnel. 

Now check on the HO, whether the traffic from HO received from BO does it travel to remote IPsec tunnel ?

Hi Vivek,

Thanks for the firmware information, will get the approval for the upgrade of the firmware from the management.

I had also did some testing and found that the traffic is able to reach the firewall via the IPSec

above is the log that i captured from the log viewer.

but still the cloud server is not able to be ping from the remote site.

can also advice if there is any other command that i can use to trace the routing?

Regards

Ben 

Hi Vivek,

Thanks for the firmware information, will get the approval for the upgrade of the firmware from the management.

I had also did some testing and found that the traffic is able to reach the firewall via the IPSec

above is the log that i captured from the log viewer.

but still the cloud server is not able to be ping from the remote site.

can also advice if there is any other command that i can use to trace the routing?

Regards

Ben 

From the client machine on the command prompt you can use the cmd: route print

and from the command line interface of the FW appliance you can use: console> traceroute <DEST IP> 

I still think he is lacking the route back from the cloud net to the BO over the HQ-route or the HQ-Route should be the default gateway for 192.168.60.0/254

There is a possibility, jprusch with the commands provided he should be able to determine that !!

Hi All,

The problem is that the IPSec remote access is not able to create a route back on the XGS, and I'm still looking for a way to add in the route for 192.168.60.0/24.

I do have a SSL VPN access that I created and it works fine when the user connect using that.

As the IPSec remote access is also getting the IP address from XGS, at first I though that the configuration will be the same.

But to my surprise it seems not.

If there is a way to configure the route for the Cloud subnet (192.168.60.0/24), do enlighten me.

BTW, i tried to add in the static route but due to the IPSec remote configuration, there is no gateway. And it also does not work.

Sorry for the inconvenience.

Regards

Ben 

Hello @Vivek Jagad,

yes, hopefully and he should definitely have the 18.5.x firmware on BO-Site, too.

Hey Ben Ng,

Can you confirm if under the IPsec remote access if the default gateway is enabled ?

Hi Vivek,

I didn't enable the default gateway,

If I enable this will I loss the WAN IP connection from the cloud? 

Regards

Ben 

Well Ben Ng, enabling that option will send all traffic, including external internet requests, to the interface you specify for IPsec remote access. With that client users will send their internet requests through Sophos Firewall, and you will need to configure a firewall rule with the source zone set to VPN and the destination zone set to WAN. 

For HO it is already accessible right? So clients will considered on the local firewall, that should work if you have allowed the cloud subnet to communicate. 

Yes, that's the dilemma! You probably do not want this as the default gateway there.

Hi Vivek,

Thanks for the recommendation, will check with my manager if he is okay with the solution tomorrow.

Regards

Ben