IPSec Routing (tunnel interface) - XG to SG/UTM connection

I'm trying to migrate UTMs to XG. Currently HQ site has UTM.

BO has a new XG (in test currently) and I can get the IPSec to establish and it has the correct SA if I define the same subnets on each side (typical for the old UTM>UTM style IPsec tunnels).

When I define the subnets on the XG, a grey note appears (see image) that defining routes or an xfrm interface IP is not required (nor can I do either of these anyway).

On the UTM, the route gets added without an issue. However, on the XG, I'm not getting a route for the remote site subnet and traceroute shows the packets going out the WAN interface (not the tunnel interface) and getting timeouts (of course).

I've watched several of the videos and read a few documents but it seems they all differ slightly in recommendations depending on the version the doc was created for. 

  • Hi Aaron Becker

    Please share the static routes you have configured under Configure --->Routing -->Static Routes.

    Please check the firewall rules from VPN-LAN and LAN-VPN are configured. Please go to System -->Administration --->Device Access to ensure Ping is enabled on VPN Zone.

    Please check route precedence with the command: console> system route_precedence show

    Check for any drops with a drop-packet capture, for example: console> drop-packet -capture 'host <destination IP> and proto ICMP'

    Please check packet flow under MONITOR & ANALYZE-->Diagnostics-->Packet capture 

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • There are no static routes configured (the system does not allow me to configure a static route per the above screenshot for the xfrm interface when subnets are defined).

    Ping is confirmed allowed under device access. I'm not sure why this is relevant when the route does not exist.

    Route precedence: console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

    I can continue looking for dropped packets, but the issue is almost undoubtedly a routing issue. Can you help me establish why there is no route getting established?

  • UTM does not support IPsec Tunnel Interfaces. UTM only allows Policy Based Tunnels. 

    You could failover to RED site to site Tunnel.

  • That's weird considering UTM creates a VTI for IPsec routing as clearly shown in the routing table...

  • UTM builds an ipsec0 interface. VTI would mean there is an XFRM interface per tunnel, which is not the case in UTM. It uses a workaround to bind it to a physical interface, but it is not VTI/XFRM.

  • Alright, got it.

    So what type of tunnel is "compatible" with the UTM from the XG? A site-to-site (vs the tunnel interface)?

    I believe when I tried with the site to site I couldn't get the routing figured out, how would the routes get added without the interface?

  • If you have Site to Site (Policy based) you need to add the remote and local subnet. This will do the routing for you. 

    Or you do a RED site-to-site tunnel. There are some tutorials on how to do both.

  • S2S configured on the XG; the UTM is using the only type of IPsec it has available (with defined subnets on both sides). Routes are not present on the XG.

    What's next?

  • Can you show us your config on both sides? And keep in mind, how routing on SFOS works: community.sophos.com/.../routing-in-xgv18-with-sd-wan-pbr

  • The issue appears to be a routing issue along with a bad NAT rule that was auto-loaded on configuration. We are still in the process of debugging and we will edit this correct answer (not the incorrect answer provided by LuCar Toni) at a later date. Thank you.

    EDIT: Issue was with ipsec policy during phase 2 on the SFOS. Corrected and is working now.