
Reverse Proxy WebServer behind IPSec Tunnel

Hello,

I have a VPN tunnel to another site, there is a web server that should be reached via a reverse proxy on the XG. The XG has an additional IP address (192.168.0.140) on the LAN interface (the LAN interface has IP 192.168.0.2). The IPSec tunnel is terminated locally on IPs 192.168.0.140 and 192.168.0.2, and on the other side the tunnel is terminated on the web server IP 192.168.253.37.

When I access the reverse proxy, I always get only a status code 503 in the reverse proxy log.

I had tried to NAT the traffic, which did not help either: https://support.sophos.com/support/s/article/KB-000035839?language=en_US

Does anyone have a tip for me?

Thanks,

Ben



This thread was automatically locked due to age.
  • Hi Vishal,

    the source IP is correct; 192.168.0.2 is my local tunnel endpoint:

    XGS5500_CI02_SFOS 19.5.0 GA-Build197 HA-Primary# ip route get 192.168.253.37
    192.168.253.37 dev ipsec0 table 220 src 192.168.0.2 uid 0
    cache
    XGS5500_CI02_SFOS 19.5.0 GA-Build197 HA-Primary#

    If I check the traffic with "tcpdump -i ipsec0 host 192.168.253.37", I do not see any traffic in the tunnel.

    Regards,

    Ben

    If a post solves your question please use the 'Verify Answer' button.
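The check Ben is doing by hand above (does the kernel's chosen source address for the backend belong to the tunnel's local selector, and does the route actually point at the IPsec interface?) is easy to script. The block below is an added example and not code from the thread or from Sophos; it parses `ip route get` output of the shape quoted above and compares it against the tunnel selectors described in the original post. The selector lists, the assumption that the two local endpoints are host (/32) selectors, and the second "bad" sample output are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the `ip route get 192.168.253.37` output quoted in the thread.
SAMPLE_ROUTE_OUTPUT = """192.168.253.37 dev ipsec0 table 220 src 192.168.0.2 uid 0
    cache
"""

# Constructed sample (hypothetical): the same lookup when the kernel picks a plain
# LAN route instead of the tunnel, so nothing would ever be encrypted.
SAMPLE_ROUTE_OUTPUT_BAD = """192.168.253.37 via 192.168.0.1 dev Port1 src 192.168.0.2 uid 0
    cache
"""

# Tunnel selectors as described in the original post. Assumption: the two local
# endpoints are configured as /32 host selectors; the remote side is the web server.
LOCAL_SELECTORS = ["192.168.0.140/32", "192.168.0.2/32"]
REMOTE_SELECTORS = ["192.168.253.37/32"]


def parse_route_get(output):
    """Parse the first line of `ip route get <dst>` into a dict.

    Keys: dst, dev, src, table, via (the last four are None when absent).
    """
    first = output.strip().splitlines()[0]
    info = {"dst": first.split()[0], "dev": None, "src": None, "table": None, "via": None}
    for key in ("dev", "src", "table", "via"):
        m = re.search(r"\b%s (\S+)" % key, first)
        if m:
            info[key] = m.group(1)
    return info


def in_selectors(ip, selectors):
    """True if ip lies inside any of the given CIDR selectors."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in selectors)


def check_tunnel_route(output, local_selectors, remote_selectors, tunnel_dev="ipsec0"):
    """Return a list of findings that explain why packets would not enter the tunnel.

    An empty list means: destination is in a remote selector, the kernel-chosen
    source is in a local selector, and the route goes out via the tunnel device.
    """
    r = parse_route_get(output)
    findings = []
    if not in_selectors(r["dst"], remote_selectors):
        findings.append("destination %s is not in any remote selector" % r["dst"])
    if r["src"] is None or not in_selectors(r["src"], local_selectors):
        findings.append("source %s is not in any local selector, so it cannot match the policy" % r["src"])
    if r["dev"] != tunnel_dev:
        findings.append("route leaves via %s instead of %s, so traffic is not sent into the tunnel"
                        % (r["dev"], tunnel_dev))
    return findings


if __name__ == "__main__":
    for label, sample in (("thread output", SAMPLE_ROUTE_OUTPUT), ("bad route", SAMPLE_ROUTE_OUTPUT_BAD)):
        problems = check_tunnel_route(sample, LOCAL_SELECTORS, REMOTE_SELECTORS)
        print(label + ":", "OK" if not problems else "; ".join(problems))
```

A clean result from this check only confirms what Ben already established: the route and source selection are right on the local firewall. It says nothing about whether encrypted packets actually leave or whether the remote side accepts them, which is the part the later replies in the thread move on to.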

  • Hi, a packet capture on the GUI for host 192.168.253.37 will give information on IPsec out (in the CLI, IPsec out will not be seen and only IPsec in will be there). So on the XGS5500, if IPsec out is there for 192.168.253.37, then on the other end of the XG you may be able to see the packets via tcpdump as IPsec in during WAF access time.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    If a post solves your question use the 'This helped me' link.

  • You are right, in the GUI capture I see the packets on the IPsec interface. The other site is managed by a different company. They will check the rules.
    Thanks,

    Ben 
