This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

S2S IPSEC NAT

ALL,

I have followed the two post listed below to no avail.

https://community.sophos.com/kb/en-us/123356

https://community.sophos.com/products/xg-firewall/f/network-and-routing/80820/trying-to-create-an-ipsec-vpn-between-two-xg-firewalls-am-i-missing-something

Our development and non-prod environment are separated with different firewalls. In this environment we are only using RFC1918 addresses. Tunnels are created for authentication purposes.

All other firewalls communicate using the RFC1918 addresses with no problem. However traffic to the Sophos XG running V.15 connects on Phase1 and Phase2 but no traffic is passing.

Running the following command shows no traffic at all. "show vpn IPSec-logs"

Running packet captures I show 500 traffic and the tunnel is up. Just not passing any traffic. I am seeing encrypted packets on the remote side and traversing the tunnel but nothing on the Sophos is registered.

I see lots of interesting reads on this but so far I am unable to get this working with Sophos.

Any help is greatly appreciated.

This thread was automatically locked due to age.

Parents

0 lferrara over 8 years ago

Bobby,

can you share what you have configured on XG? I prefer the method 2:

console> system ipsec_route add host <IP Address of host> tunnelname <tunnel>

set advanced-firewall cr-traffic-nat add destination <Destination IP/Network> snatip <NATed IP>

Let us know!
Cancel
Vote Up 0 Vote Down

Cancel
0 BobbyDigital over 8 years ago in reply to lferrara

console> system ipsec_route show
tunnelname host/network netmask
VMware_CheckPoint_Firewall192.168.15.0 255.255.255.0

src 192.168.15.0/24 dst 192.168.2.0/24
dir in priority 2344
tmpl src 10.1.1.200 dst 1.1.1.2
proto comp reqid 16550 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16549 mode transport
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0

I also tried this configuration as well.... community.sophos.com/.../multiple-nat-on-single-ipsec-tunnel
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BobbyDigital over 8 years ago in reply to lferrara

console> system ipsec_route show
tunnelname host/network netmask
VMware_CheckPoint_Firewall192.168.15.0 255.255.255.0

src 192.168.15.0/24 dst 192.168.2.0/24
dir in priority 2344
tmpl src 10.1.1.200 dst 1.1.1.2
proto comp reqid 16550 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16549 mode transport
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0

I also tried this configuration as well.... community.sophos.com/.../multiple-nat-on-single-ipsec-tunnel
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 lferrara over 8 years ago in reply to BobbyDigital

Bobby,

from the S2S image, you should edit local endpoint "your WAN IP" and remote "other S2S WAN IP" under Endpoint details, then remove the IPSec route added with method 2 using the console.

For the S2S have a look at this KB:

https://community.sophos.com/kb/en-us/123140

Let us know
Cancel
Vote Up 0 Vote Down

Cancel