Smarthost via IPsec site-to-site Tunnel not working

I can't find out why smarthost is not working on my Firewall v18.5MR3. The smarthost is located behind an IPsec site2site tunnel.

Under "Device Access", SMTP relay is enabled for VPN.

There is a firewall rule allowing port 25 any-to-any (auto-added firewall rule across all zones).

All other communication is working across this tunnel.

When sending emails to that smarthost, I get timeouts. However, I can telnet on port 25 to the smarthost via the tunnel from other hosts in my network.

Any ideas what to look for?



  • Hi, comparing TCPDUMP and Conntrack (connection details) during the manual telnet and during email sending (when the connection times out) may give some hint, in case traffic is not following the same pattern in both conditions.

    For site-to-site VPN with PBVPN, to forward system-generated traffic over VPN, a manual CLI IPsec route is needed along with configuring system-generated NAT.

    If the site-to-site tunnel is RBVPN, then the SD-WAN rule is required along with enabling the SD-WAN CLI command for system-generated traffic.

    console> sh routing sd-wan-policy-route system-generate-traffic
    SD-WAN policy route is turned on for system-generated traffic.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
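
The comparison suggested in the reply above, sketched as an added example (not part of the original thread and not Sophos code): it parses connection-tracking entries in the Linux `conntrack -L` format and flags SMTP flows to the smarthost that got no reply and whose source lies outside the subnet the tunnel carries. The sample lines, all addresses and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in Linux `conntrack -L` format; every address is an assumption.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.50 dst=10.20.0.25 sport=50312 dport=25 src=10.20.0.25 dst=192.168.1.50 sport=25 dport=50312 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=203.0.113.10 dst=10.20.0.25 sport=41522 dport=25 [UNREPLIED] src=10.20.0.25 dst=203.0.113.10 sport=25 dport=41522 mark=0 use=1
tcp      6 86 TIME_WAIT src=192.168.1.50 dst=10.20.0.80 sport=50400 dport=443 src=10.20.0.80 dst=192.168.1.50 sport=443 dport=50400 [ASSURED] mark=0 use=1
"""

# Captures the state and the original-direction tuple of a TCP entry.
LINE = re.compile(
    r"^tcp\s+6\s+\d+\s+(?P<state>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def smtp_flows(text, smarthost, local_subnet, port=25):
    """Return one dict per TCP flow to smarthost:port, noting whether its
    original-direction source falls inside the tunnel's local subnet."""
    net = ipaddress.ip_network(local_subnet)
    flows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["dst"] != smarthost or int(m["dport"]) != port:
            continue
        flows.append({
            "src": m["src"],
            "state": m["state"],
            "unreplied": "[UNREPLIED]" in line,
            "src_in_tunnel_subnet": ipaddress.ip_address(m["src"]) in net,
        })
    return flows

def suspects(flows):
    """Flows that never got a reply and whose source is outside the subnet
    the tunnel carries: candidates for the missing route/NAT."""
    return [f for f in flows if f["unreplied"] and not f["src_in_tunnel_subnet"]]

if __name__ == "__main__":
    for f in smtp_flows(SAMPLE, "10.20.0.25", "192.168.1.0/24"):
        print(f)
```

In the constructed sample, the telnet from a LAN host is established, while the flow sourced from the firewall's own address stays in SYN_SENT and is the one `suspects()` returns.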
