Trying to create an IPsec VPN between two XG Firewalls. Am I missing something?

Question

I've been trying, unsuccessfully, to create a IPsec VPN between two Sophos XG firewalls. The IPsec VPN is apparently established but there is no traffic flow between the networks. Ping tests to the LAN IP of the remote XG firewall, and remote other devices, fails. Traceroutes fail at the first hop.

One XG is a virtual machine, the other is a software based install. Both firewalls are running SFOS 16.01.0, but I couldn't establish the connection in SFOS 15.01.0 MR-3 either. Both firewalls are directly connected to the internet.

Branch Office - Subnet: 192.168.192.0/24 - XG: 192.168.192.251
Head Office - Subnet: 192.168.32.0/24 - XG: 192.168.31.201

Head Office IPsec Config

Name: Lab_To_Home_IPsec
Connection Type: Site-to-Site
Policy: DefaultHeadOffice
Action of VPN Restart: Respond Only
Authentication Type Preshared Key

Local Endpoint Details: Port2 (Head Office Public IP)
Remote Endpoint Details: Branch Office Public IP

IP Family: IPv4
Local Subnet: 192.168.31.0/24 (not NATed)
Local ID: IP Address - Head Office Public IP
Remote LAN Network: 192.168.192.0/24
Remote ID: IP Address - Branch Office Public IP

User Authentication Mode: Disabled
Protocol: All
Disconnect when tunnel is idle: Not enabled

Branch Office IPsec Config

Name: Home_to_Lab_IPsec
Connection Type: Site-to-Site
Policy: DefaultBranchOffice
Action of VPN Restart: Initiate
Authentication Type Preshared Key

Local Endpoint Details: PortB (Branch Office Public IP)
Remote Endpoint Details: Head Office Public IP

IP Family: IPv4
Local Subnet: 192.168.192.0/24 (not NATed)
Local ID: IP Address - Branch Office Public IP
Remote LAN Network: 192.168.31.0/24
Remote ID: IP Address - Head Office Public IP

User Authentication Mode: Disabled
Protocol: All
Disconnect when tunnel is idle: Not enabled

Troubleshooting tried so far:

Mirroring the IPsec configuration from this tutorial: https://www.youtube.com/watch?v=F8jVQ-6b230
Adding the WAN IP of the Branch Office to the network definitions of the VPN config (Method 1 as per community.sophos.com/.../123334)
Adding an ipsec_route for the remote networks on both XG firewalls (Method 2 as per https://community.sophos.com/kb/en-us/123334)
Ensured there's firewall rules for VPN to LAN and LAN to VPN traffic on both XGs (as per https://community.sophos.com/kb/en-us/123320). There is no traffic recorded for the rules.

Below are some logs and console outputs that hopefully will help! Let me know if there's any further information I can provide.

I thank anyone in advance that might be able to assist.

Head Office IPsec Status

Head Office /log/ipsec.log

Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: responding to Main Mode
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: Main mode peer ID is ID_IPV4_ADDR: 'XX.XX.XX.XX'
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: I did not send a certificate because I do not have one.
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #8: Dead Peer Detection (RFC 3706): enabled
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #9: responding to Quick Mode {msgid:df67d6ae}
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 06 15:32:47 "Lab_To_Home_IPsec-1" #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 06 15:32:48 "Lab_To_Home_IPsec-1" #9: up-client output: success
Oct 06 15:32:48 "Lab_To_Home_IPsec-1" #9: Dead Peer Detection (RFC 3706): enabled
Oct 06 15:32:48 "Lab_To_Home_IPsec-1" #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 06 15:32:48 "Lab_To_Home_IPsec-1" #9: STATE_QUICK_R2: IPsec SA established {ESP=>0x1d197141 <0xfd24a003 xfrm=AES_128-HMAC_MD5 IPCOMP=>0x000095a4 <0x000054f7 NATD=none DPD=enabled}

Head Office ifconfig ipsec 0

ipsec0 Link encap:Ethernet HWaddr 62:25:62:D9:C5:FF
inet addr:169.254.234.5 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::6025:62ff:fed9:c5ff/64 Scope:Link
UP BROADCAST RUNNING NOARP MULTICAST MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Head Office ip route list

XX.XX.XX.XX/27 dev Port2 proto kernel scope link src XX.XX.XX.XX
192.168.31.0/24 dev Port1 proto kernel scope link src 192.168.31.201
192.168.192.0/24 dev ipsec0 scope link

Head Office system route_precedence show

Routing Precedence:
1. Policy routes
2. VPN routes
3. Static routes

Head Office system ipsec_route show

tunnelname host/network netmask
Lab_To_Home_IPsec 192.168.192.0 255.255.255.0

Branch Office IPsec Status

Branch Office /log/ipsec.log

Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: initiating Main Mode
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: received Vendor ID payload [Dead Peer Detection]
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: received Vendor ID payload [RFC 3947] method set to=110
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: received Vendor ID payload [Cisco-Unity]
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: STATE_MAIN_I2: sent MI2, expecting MR2
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: I did not send a certificate because I do not have one.
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: STATE_MAIN_I3: sent MI3, expecting MR3
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: Main mode peer ID is ID_IPV4_ADDR: 'XX.XX.XX.XX'
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #19: Dead Peer Detection (RFC 3706): enabled
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #20: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+failureDROP {using isakmp#19}
Oct 06 15:32:47 "Home_to_Lab_IPsec-1" #20: up-client output: success
Oct 06 15:32:48 "Home_to_Lab_IPsec-1" #20: Dead Peer Detection (RFC 3706): enabled
Oct 06 15:32:48 "Home_to_Lab_IPsec-1" #20: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 06 15:32:48 "Home_to_Lab_IPsec-1" #20: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfd24a003 <0x1d197141 xfrm=AES_128-HMAC_MD5 IPCOMP=>0x000054f7 <0x000095a4 NATD=none DPD=enabled}

Branch Office ifconfig ipsec 0

ipsec0 Link encap:Ethernet HWaddr 6A:44:9D:57:3B:BF
inet addr:169.254.234.5 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::6844:9dff:fe57:3bbf/64 Scope:Link
UP BROADCAST RUNNING NOARP MULTICAST MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Branch Office ip route list

10.255.0.0/24 dev GuestAP proto kernel scope link src 10.255.0.1
XX.XX.XX.XX/18 dev PortB proto kernel scope link src XX.XX.XX.XX
192.168.31.0/24 dev ipsec0 scope link
192.168.32.0/24 via 192.168.192.250 dev PortA proto static
192.168.92.0/24 dev PortC proto kernel scope link src 192.168.92.254
192.168.192.0/24 dev PortA proto kernel scope link src 192.168.192.251

Branch Office system route_precedence show

Routing Precedence:
1. Policy routes
2. VPN routes
3. Static routes

Branch Office system ipsec_route show

tunnelname host/network netmask
Home_to_Lab_IPsec 192.168.31.0 255.255.255.0

This thread was automatically locked due to age.

lferrara · Accepted Answer

Rohan, 
 you can enable other XG Admin services under Administration > Device Access. However those services are for management purpose only and not to allow traffic between the 2 sites. 
 Create a red tunnel between the 2 sites or use the asymmetric routing workaroung and let us know if it works. 
 Thanks

Emile Belcourt · Answer

Hi Rohan, 
 Can you check to see if you can enable more features under Administration > Device Access, that is where you should be editing your device access restrictions from :) 
 Emile

SangDD DD · Answer

Missing a route as you told Traceroutes fail at the first hop 
 
 try to add command on CLI as follows and tracert again to make sure routing working fine 
 
 XG at Head Off: system ipsec_route add net 192.168.192.0/255.255.255.0 tunnelname Lab_To_Home_IPsec 
 
 XG at Branch Off: system ipsec_route add net 192.168.32.0/255.255.255.0 tunnelname Home_to_Lab_IPsec 
 
 Ref https://community.sophos.com/kb/en-us/123334