Route to host over IPSec Tunnel not working

We have a new IPSec tunnel established between our XG and a remote Cisco site.  It looks like this:

 

XG                  Remote Site
172.20.0.0/16       10.1.1.150/32

 

The tunnel is up, both inbound and outbound rules were set up:

VPN-LAN (172.20.0.0/16) Any / Any

LAN-VPN (10.1.1.150/21) Any / Any

 

The remote site (10.1.1.150) can ping hosts on our network, but we can't ping the remote (10.1.1.150) end.  They have verified that ICMP is allowed on their server.

ifconfig for ipsec0 looks like this:

ipsec0    Link encap:Ethernet  HWaddr 5A:64:6F:66:82:85
          inet addr:169.254.234.5  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::5864:6fff:fe66:8285/64 Scope:Link
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

If I check the route table for 10.1.1.150 nothing exists.  No entries.  If I do a route lookup from the GUI it's trying to route 10.1.1.150 out through the WAN interface, but I see no way to add a route for a tunnel since it's only hardware and virtual interfaces available in those menus.

 

Does anyone have any suggestions?



  • Sean,

    use tcpdump to understand what IP is used when you ping the remote host.

    Make sure the proper networks are declared as the local and remote networks inside the IPSec tunnel, and finally have a look at asymmetric routing issues:

    https://community.sophos.com/products/xg-firewall/f/network-and-routing/74750/how-can-i-allow-asymmetrical-routes

    Regards

  • Hello,

    Greetings.

    Log in to the CLI of the device, go to option number 4 and check the routing table with the command below:

    console> system diagnostics utilities netconf route list

    Kindly log in to the WebUI and go to Monitor & Analyze -> Diagnostics -> Packet capture. Click on Configure and enter the BPF string "host 192.168.1.1" (here, 192.168.1.1 is the remote end network PC or interface IP). Start the packet capture, run the ping from any local PC to 192.168.1.1 and capture the packets on the UTM. Please paste the snapshot here in a reply.

    If you do not see the route to the remote network through the IPSec tunnel, kindly try adding a manual route on the UTM device with the help of the command below:

    system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname TEST   (here, 192.168.1.0/24 is the remote end network and TEST is the tunnel name)

    Then try pinging the remote network from local LAN PC and share the output of packet capture.

     

    -Mayur Makvana

     

  • Luk, 

    Thank you for the suggestion.  The issue I'm experiencing seems to only be pinging FROM THE XG, not from the hosts on my network.

     

    For example, I've learned/discovered that I CAN actually ping from one host on my network to the other, say 172.20.15.15 to 10.1.1.150.   No issues host to host.  My trouble was due to the fact that I was trying to test connectivity FROM the XG, using the UI ping.  Despite the fact that the tunnel is up, pings from the UI and from the XG CLI are unsuccessful.

     

    Any idea why?  

  • Hi Sean,

    You need to apply the SYS NAT policy using the command below. Kindly log in to the CLI, go to option number 4 and execute the following:

     

    set advanced-firewall sys-traffic-nat add destination 192.168.1.0 netmask 255.255.255.0 snatip 172.16.16.1   (here, 192.168.1.0 is the remote end network and 172.16.16.1 is the IP of the interface whose local network is added to the IPSec tunnel)

     

    Note: You need to re-establish the tunnel after executing the above command.

     

    -Mayur Makvana
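Added illustration (not code from Sophos or from any post in this thread): a small Python model of why the host-to-host ping works while a ping sourced from the XG itself does not, and what the sys-traffic-nat rule changes. A policy-based tunnel only encrypts packets whose source and destination fall inside the configured local and remote networks. A LAN host (172.20.15.15) matches 172.20.0.0/16, but the firewall's own ping is sourced from the egress interface chosen by the plain route lookup, which, as Sean observed, is the WAN interface, so the packet never matches the selector and leaves in clear over the WAN. SNATing firewall-originated traffic to an address inside the local network is what makes it match. The tunnel selectors come from the original post; the interface names, the LAN address 172.20.0.1, the WAN address 203.0.113.10 and the route table are constructed assumptions for the example.

```python
"""Model of policy-based IPsec selector matching for firewall-originated
traffic. Added illustration only; not Sophos XG code. The tunnel values
172.20.0.0/16 <-> 10.1.1.150/32 are from the thread; interfaces, the
LAN/WAN addresses and the SNAT table below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: ipaddress.IPv4Network   # "local network" selector
    remote: ipaddress.IPv4Network  # "remote network" selector


# Constructed tunnel definition using the thread's networks.
TUNNELS = [Tunnel("CiscoSite",
                  ipaddress.ip_network("172.20.0.0/16"),
                  ipaddress.ip_network("10.1.1.150/32"))]

# Constructed interface table: name -> address with connected network.
INTERFACES = {
    "Port1": ipaddress.ip_interface("172.20.0.1/16"),    # LAN (assumed)
    "Port2": ipaddress.ip_interface("203.0.113.10/24"),  # WAN (assumed)
}
DEFAULT_ROUTE_IFACE = "Port2"  # default route points at the WAN

# Constructed model of the system-traffic SNAT table that
# `set advanced-firewall sys-traffic-nat add ...` populates.
SYS_TRAFFIC_NAT: dict = {}  # destination network -> SNAT source address


def egress_iface(dst: ipaddress.IPv4Address) -> str:
    """Plain route lookup: connected networks first, else the default route."""
    for name, ifc in INTERFACES.items():
        if dst in ifc.network:
            return name
    return DEFAULT_ROUTE_IFACE


def matching_tunnel(src, dst):
    """Return the tunnel whose selectors cover (src, dst), or None."""
    for t in TUNNELS:
        if src in t.local and dst in t.remote:
            return t
    return None


def firewall_source_ip(dst: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """Source address the firewall uses for its own traffic: the SNAT rule
    covering dst if there is one, otherwise the egress interface address."""
    for net, snat in SYS_TRAFFIC_NAT.items():
        if dst in net:
            return snat
    return INTERFACES[egress_iface(dst)].ip


def path_for(src: str, dst: str) -> str:
    """Where a packet src -> dst goes: 'ipsec:<tunnel>' or 'iface:<port>'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    t = matching_tunnel(s, d)
    return f"ipsec:{t.name}" if t else f"iface:{egress_iface(d)}"


def firewall_ping_path(dst: str) -> str:
    """Path for a ping originated by the firewall itself (UI/CLI ping)."""
    d = ipaddress.ip_address(dst)
    return path_for(str(firewall_source_ip(d)), dst)


def add_sys_traffic_nat(destination: str, netmask: str, snatip: str) -> None:
    """Model of: set advanced-firewall sys-traffic-nat add destination
    <destination> netmask <netmask> snatip <snatip>."""
    net = ipaddress.ip_network(f"{destination}/{netmask}")
    SYS_TRAFFIC_NAT[net] = ipaddress.ip_address(snatip)


if __name__ == "__main__":
    # LAN host to remote host: inside both selectors, so it is encrypted.
    print("host ping :", path_for("172.20.15.15", "10.1.1.150"))
    # Firewall-originated ping: sourced from the WAN address, misses the tunnel.
    print("XG ping   :", firewall_ping_path("10.1.1.150"))
    # After SNATing firewall traffic to the LAN address, it matches.
    add_sys_traffic_nat("10.1.1.150", "255.255.255.255", "172.20.0.1")
    print("XG + SNAT :", firewall_ping_path("10.1.1.150"))
```

This is also why Luk's tcpdump advice is the right first step: the source address the capture shows for the firewall's ping tells you immediately whether it can ever match the local network of the tunnel.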