This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Traffic not passed through IPSEC S2S VPN

I am working with a customer where we have IPSEC VPN created between Sophos and Fortinet. The network allowed from the Fortinet side and configured as "Remote Subnet" in the IPSEC VPN is 10.10.0.0/16. We also have some URL's configured and the DNS Host entries for them configured.

The DNS entries work fine, however, one of the link points to an IP of 10.10.90.111 and that doesn't open. On capturing packets I see that the Sophos Firewall shows the traffic hitting the LAN port but the same is not Forwarded over to the ipsec tunnel. Any idea why would this happen and the fix for the same?

This thread was automatically locked due to age.

Parents

0 Erick Jan over 2 years ago

Hi Mayuresh,

Thank you for reaching out to Sophos Community.

For Traffic not passing through IPsec s2s VPN. You may refer to the following KB for troubleshooting.

Problem# 4 Traffic not passing through the IPsec VPN Tunnel

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/123740/sophos-firewall-troubleshooting-site-to-site-ipsec-vpn-issues#mcetoc_1elqugv8e6

You check the following youtube videos for configuring Sophos VPN IPsec to Fortigate www.youtube.com/watch

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayuresh Bhagwat over 2 years ago in reply to Erick Jan

The article doesn't help considering some traffic passes through the tunnel not all applicable traffic.
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J over 2 years ago in reply to Mayuresh Bhagwat

Hi Offline Mayuresh Bhagwat

Please check and share traffic flow under MONITOR & ANALYZE || Diagnostics || Packet Capture and drop packet to investigate the issue.

Enter BPF string as "host <destination IP>"

For troubleshooting keep VPN to LAN firewall rule on TOP.

Regards

"Sophos Partner: Infrassist Technologies Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayuresh Bhagwat over 2 years ago in reply to Bharat J

I think everyone is missing one point here: The allowed remote network is 10.10.0.0/16 and the traffic for 10.10.10.x is passing through the tunnel however 10.10.90.x is not. This is routing issue wherein the traffic for 10.10.90.x is not being routed through the IPSEC tunnel.
The pcap clearly shows "incoming" traffic to the firewall but no corresponding "forwarded" entry. Also this is site to site IPSEC VPN.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Mayuresh Bhagwat over 2 years ago in reply to Bharat J

I think everyone is missing one point here: The allowed remote network is 10.10.0.0/16 and the traffic for 10.10.10.x is passing through the tunnel however 10.10.90.x is not. This is routing issue wherein the traffic for 10.10.90.x is not being routed through the IPSEC tunnel.
The pcap clearly shows "incoming" traffic to the firewall but no corresponding "forwarded" entry. Also this is site to site IPSEC VPN.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 jprusch over 2 years ago in reply to Mayuresh Bhagwat

Are these different sites for 10.10.10.x and 10.10.90.x ? What is their netmask?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayuresh Bhagwat over 2 years ago in reply to jprusch

Both belong to the same network of 10.10.0.0/16
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 2 years ago in reply to Mayuresh Bhagwat

I understand your netmask is covering both nets. :-)

But you did not answer my question.

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayuresh Bhagwat over 2 years ago in reply to jprusch

Sorry I misunderstood the question. No these both IPs are at same site. 10.10.10.x is an application portal and one of the links points to 10.10.90.x which lies in the same network at the same site.
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 2 years ago in reply to Mayuresh Bhagwat

and all these have a /16 mask?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayuresh Bhagwat over 2 years ago in reply to jprusch

Yes they do
Cancel
Vote Up 0 Vote Down

Cancel
0 jprusch over 2 years ago in reply to Mayuresh Bhagwat

Can you show us a screenshot of the edit window of your IPsec tunnel definition?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel