XG IPSEC Multiple Remote Networks

Good afternoon,

I am on the latest release of XG 16 and seem to be having an ongoing issue with IPSEC VPN tunnels where there are multiple networks on the remote end.

It seems that a route is only created for one of the networks and not the others. It seems to be random which remote network the route gets created for. As such, the network without the route doesn't work via the VPN.

Is anyone else experiencing this issue?

Thank you.

Alex



  • Good afternoon,

    I looked at the KB article but this won't apply as there are disparate networks on the remote end.

    This is the basic setup:

    I am now unable to connect to either remote network but the tunnel shows as up and connected in VPN status.

    Clicking the second red circle times out and doesn't connect.

    Logging into the console and running show vpn connection status gives the following output:

    "eMDTec_VER2VMG_VER-1": 10.150.10.0/24===2.2.2.2---X.X.X.X...3.3.3.3===10.10.15.0/24; unrouted; eroute owner: #0
    "eMDTec_VER2VMG_VER-1": srcip=unset; dstip=unset;
    "eMDTec_VER2VMG_VER-1": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 0
    "eMDTec_VER2VMG_VER-1": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+failureDROP; prio: 24,24; interface: Port2; encap: esp;
    "eMDTec_VER2VMG_VER-1": dpd: action:restart; delay:30; timeout:120;
    "eMDTec_VER2VMG_VER-1": newest ISAKMP SA: #0; newest IPsec SA: #0;
    "eMDTec_VER2VMG_VER-1": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict
    "eMDTec_VER2VMG_VER-1": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
    "eMDTec_VER2VMG_VER-1": ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict
    "eMDTec_VER2VMG_VER-1": ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict
    "eMDTec_VER2VMG_VER-2": 10.150.10.0/24===2.2.2.2---X.X.X.X...3.3.3.3===192.168.10.0/24; unrouted; eroute owner: #0
    "eMDTec_VER2VMG_VER-2": srcip=unset; dstip=unset;
    "eMDTec_VER2VMG_VER-2": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 0
    "eMDTec_VER2VMG_VER-2": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+failureDROP; prio: 24,24; interface: Port2; encap: esp;
    "eMDTec_VER2VMG_VER-2": dpd: action:restart; delay:30; timeout:120;
    "eMDTec_VER2VMG_VER-2": newest ISAKMP SA: #0; newest IPsec SA: #0;
    "eMDTec_VER2VMG_VER-2": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict
    "eMDTec_VER2VMG_VER-2": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
    "eMDTec_VER2VMG_VER-2": ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict
    "eMDTec_VER2VMG_VER-2": ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict

    Of interest are the highlighted lines where the status shows unrouted.

    If I look at another VPN tunnel on the Sophos XG that is up and running I am getting this:

    "eMDTec_VER_2eMDTec_PST-2": 10.150.10.0/24===2.2.2.2---X.X.X.X...8.8.8.8===10.100.10.0/24; erouted; eroute owner: #2556
    "eMDTec_VER_2eMDTec_PST-2": srcip=unset; dstip=unset;
    "eMDTec_VER_2eMDTec_PST-2": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 5
    "eMDTec_VER_2eMDTec_PST-2": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+failureDROP; prio: 24,24; interface: Port2; encap: esp;
    "eMDTec_VER_2eMDTec_PST-2": dpd: action:restart; delay:30; timeout:120;
    "eMDTec_VER_2eMDTec_PST-2": newest ISAKMP SA: #2564; newest IPsec SA: #2556;
    "eMDTec_VER_2eMDTec_PST-2": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict
    "eMDTec_VER_2eMDTec_PST-2": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
    "eMDTec_VER_2eMDTec_PST-2": IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
    "eMDTec_VER_2eMDTec_PST-2": ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict
    "eMDTec_VER_2eMDTec_PST-2": ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict
    "eMDTec_VER_2eMDTec_PST-2": ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>

    This is showing that a route is created and working.

    If I attempt to run a traceroute to the remote network address 192.168.10.253 from behind the XG firewall, it sends it out the default gateway and into the Internet, where it dies. The same happens with the 10.10.15.1 address.

    But if I traceroute to a network that shows as erouted, it goes out the VPN and works fine.

    If I completely reboot the Sophos, the tunnel comes up and both networks are accessible until the key expires. When it attempts to rekey, only one or neither network becomes available or routed, but the status for the tunnel still shows as up.

    Thank you,

    Alex
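As an added check (not from the thread or from Sophos), the following script parses the pluto-style `show vpn connection status` lines quoted above, flags child connections that are not erouted or have no established IPsec SA (#0), and answers the question the traceroutes raised: which erouted connection, if any, will carry traffic to a given destination. The sample text is constructed from the post, with the same placeholder endpoint addresses.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the thread's `show vpn connection status` output
# (only the connection and SA lines are needed for the checks below).
SAMPLE_STATUS = """\
"eMDTec_VER2VMG_VER-1": 10.150.10.0/24===2.2.2.2---X.X.X.X...3.3.3.3===10.10.15.0/24; unrouted; eroute owner: #0
"eMDTec_VER2VMG_VER-1": newest ISAKMP SA: #0; newest IPsec SA: #0;
"eMDTec_VER2VMG_VER-2": 10.150.10.0/24===2.2.2.2---X.X.X.X...3.3.3.3===192.168.10.0/24; unrouted; eroute owner: #0
"eMDTec_VER2VMG_VER-2": newest ISAKMP SA: #0; newest IPsec SA: #0;
"eMDTec_VER_2eMDTec_PST-2": 10.150.10.0/24===2.2.2.2---X.X.X.X...8.8.8.8===10.100.10.0/24; erouted; eroute owner: #2556
"eMDTec_VER_2eMDTec_PST-2": newest ISAKMP SA: #2564; newest IPsec SA: #2556;
"""

# "NAME": LOCAL===LOCALIP---NEXTHOP...PEERIP===REMOTE; STATE; eroute owner: #N
CONN_RE = re.compile(r'^"(?P<name>[^"]+)":\s+(?P<local>\S+?)===.*?===(?P<remote>\S+?);\s*(?P<state>\w+);')
# "NAME": newest ISAKMP SA: #X; newest IPsec SA: #Y;
SA_RE = re.compile(r'^"(?P<name>[^"]+)":\s+newest ISAKMP SA: #(?P<ike>\d+); newest IPsec SA: #(?P<ipsec>\d+);')


def parse_status(text):
    """Group the status lines by connection name and pull out subnets, routing state and SA ids."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[m["name"]].update(local=m["local"], remote=m["remote"], state=m["state"])
            continue
        m = SA_RE.match(line)
        if m:
            conns[m["name"]].update(ike_sa=int(m["ike"]), ipsec_sa=int(m["ipsec"]))
    return dict(conns)


def broken_connections(conns):
    """Connections whose remote subnet is not usable over the tunnel: not erouted or no IPsec SA."""
    return sorted(n for n, c in conns.items()
                  if c.get("state") != "erouted" or c.get("ipsec_sa", 0) == 0)


def vpn_path(conns, dst):
    """Name of the erouted connection covering dst, or None (traffic follows the default route)."""
    ip = ipaddress.ip_address(dst)
    for name, c in conns.items():
        if c.get("state") == "erouted" and ip in ipaddress.ip_network(c["remote"]):
            return name
    return None


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print("not usable:", broken_connections(status))
    for dst in ("192.168.10.253", "10.10.15.1", "10.100.10.5"):
        print(dst, "->", vpn_path(status, dst) or "default gateway (leaks to Internet)")
```

Paste the real status output into `SAMPLE_STATUS` to check a box after a rekey: a connection listed as not usable while its peer still shows "up" in VPN status is exactly the symptom described in the post.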

  • Hi Alex,

    As per the snap the tunnel is down and the tunnel could be authenticated with each other. I would need to configure the settings as follows.

    PFS OFF on both SonicWall and XG.

    Pass compression disabled on XG.

    Rekey margin 20% or 0%.

    Phase 1: AES128 and SHA1.

    Phase 2 same as Phase 1.

    DH Group 1024.

    Hope this helps.

    Thanks and Regards

    Aditya Patel | Network and Security Engineer.
