
IPSec Routing (tunnel interface) - XG to SG/UTM connection

I'm trying to migrate UTMs to XG. Currently HQ site has UTM.

BO has a new XG (in test currently) and I can get the IPSec to establish and it has the correct SA if I define the same subnets on each side (typical for the old UTM>UTM style IPsec tunnels).

When I define the subnets on the XG, a grey note appears (see image) that defining routes or an xfrm interface IP is not required (nor can I do either of these anyway).

On the UTM, the route gets added without an issue. However, on the XG, I'm not getting a route for the remote site subnet and traceroute shows the packets going out the WAN interface (not the tunnel interface) and getting timeouts (of course).

I've watched several of the videos and read a few documents but it seems they all differ slightly in recommendations depending on the version the doc was created for. 

  • Hi Aaron Becker

    Please share the static routes you have configured under Configure --->Routing -->Static Routes.

    Please check the firewall rules from VPN-LAN and LAN-VPN are configured. Please go to System -->Administration --->Device Access to ensure Ping is enabled on VPN Zone.

    Please check route precedence with the command: console> system route_precedence show

    Check for any drops with drop-packet capture, for example: console> drop-packet -capture 'host <destination IP> and proto ICMP'

    Please check packet flow under MONITOR & ANALYZE-->Diagnostics-->Packet capture 

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • There are no static routes configured (the system does not allow me to configure a static route per the above screenshot for the xfrm interface when subnets are defined).

    Ping is confirmed allowed under device access. I'm not sure why this is relevant when the route does not exist.

    Route precedence: console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

    I can continue looking for dropped packets, but the issue is almost undoubtedly a routing issue. Can you help me establish why there is no route getting established?
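The symptom described in this thread (the remote site subnet leaving via the WAN port instead of the tunnel interface because no VPN route was installed) can be checked from a routing table dump with a longest-prefix-match lookup. The following is an added example, not code from the thread or from Sophos; the routing table, the remote subnet 192.168.50.0/24, the interface names Port1/Port2 and the xfrm/ipsec tunnel name prefixes are all constructed assumptions.

```python
import ipaddress

# Constructed sample routing table in "ip route" style (not captured from the
# poster's XG). Port2 is assumed to be the WAN interface, Port1 the LAN.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev Port2
10.10.0.0/16 dev Port1 proto kernel scope link src 10.10.0.1
203.0.113.0/24 dev Port2 proto kernel scope link src 203.0.113.10
"""

# Interface name prefixes treated as IPsec tunnel interfaces (assumption).
TUNNEL_PREFIXES = ("xfrm", "ipsec")


def parse_routes(text):
    """Return a list of (network, device) pairs from ip-route style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        net = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(net, strict=False), dev))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def check_remote_subnet(routes, remote_subnet, wan_dev):
    """Classify how the remote VPN subnet is reached: tunnel, WAN leak, or no route."""
    net = ipaddress.ip_network(remote_subnet)
    dev = egress_interface(routes, str(net.network_address + 1))
    if dev is None:
        return "no route"
    if dev.startswith(TUNNEL_PREFIXES):
        return f"ok: via tunnel {dev}"
    if dev == wan_dev:
        return f"leak: {remote_subnet} would leave via WAN {dev} (no VPN route)"
    return f"unexpected: via {dev}"


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print(check_remote_subnet(routes, "192.168.50.0/24", "Port2"))
    # With a route for the remote subnet over the tunnel interface the check passes.
    fixed = parse_routes(SAMPLE_ROUTES + "192.168.50.0/24 dev xfrm1 scope link\n")
    print(check_remote_subnet(fixed, "192.168.50.0/24", "Port2"))
```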