
Sophos XG IPSEC site to site with NAT and different subnet range

Hi @all,

I have a little trouble with an IPSEC tunnel between an XG105 and a remote Forcepoint infrastructure.

There is no connection issue: the tunnel comes up and traffic flows through the tunnel, but I'm not able to talk to the remote machine that I need to connect to from all my hosts; only the first 16 IPs of my LAN can reach this machine.

The numbers here are fictitious, but they are needed to explain the configuration. I don't specify phase 1 and 2 parameters because, as I said above, the tunnel comes up and traffic flows.

                                              Remote            Local
Equipment                                     Forcepoint        XG105
End of tunnel (peer)                          95.39.211.228     72.84.54.58
Encrypted domain (local/remote network/host)  10.8.32.0/27      10.212.12.0/28
LAN                                           -                 192.168.1.0/24
Target host                                   10.8.32.11        -

The main difference is that the "Encrypted domain" network has a /28 subnet and the LAN is a /24, and only machines with IPs from 192.168.1.1 to .16 can reach it. I don't have control over the remote configuration.

Here is the configuration of the IPSEC connection on the XG105:

Connection type: Site to Site

Policy: Custom Policy (this is correct, tunnel is up)

Action on VPN Restart: Initiate

Authentication Type: Preshared Key

Preshared Key: ******

Endpoints

Local: 72.84.54.58

Remote: 95.39.211.228

IPV4

Local Subnet: 10.212.12.0/28

NATed LAN: Same as Local LAN address

Local ID: Select Local ID (none)

Allow Nat Traversal (disabled)

Remote LAN Network: 10.8.32.0/27

Remote ID: Select Remote ID (none)

User Authentication Mode: Disable

Protocol: All

Local Port: Disabled

Remote Port: Disabled

Disconnect when tunnel is idle: Disabled

Idle session time interval: empty.

 

Firewall rule:

Action: accept

Source zones: LAN, VPN

Source Networks and Devices: ANY

During Scheduled Time: All the time

Destination Zones: ANY

Destination Networks: 10.8.32.0/27

Services: ANY

Identity: Match known user: disabled

Malware scanning: disabled

Advanced: all none/disabled/empty

 

I've tried to change all the parameters which could make sense (local network range / NAT configuration in the IPSEC config, and source NATs of any kind in the firewall rule), and the possible results are two: the tunnel stops coming up, or the issue persists (e.g. from 192.168.1.8 it works, from 192.168.1.34 it doesn't).

The issue seems to reside in the mismatch between the local network mask and the LAN mask (/28 vs /24), so only IPs within 192.168.1.0/28 are able to communicate with the remote host (10.8.32.11).
I can't achieve any SNAT result; if all my LAN machines presented themselves on the local "Encrypted Domain" with an IP under 16, things should start to work...

I don't know the XG CLI interface in depth, so I tried to make things work only from the web interface; maybe something is feasible via the CLI.

Thank you so much,

Emanuele

 



  • Emanuele,

    I do not understand why in the VPN tunnel you declare 10.212.12.0/28 and not your internal network (192.168.1.0/24).

    You should not even be able to reach anything, because the local network is different from the one you declare.

  • Hi, Luk,

    the reason is very simple: I don't have access to the configuration on the other side, and the customer has a strict security policy and wants to see us with that network, so I'm trying to configure the tunnel with the same configuration that the previous UTM had: with the previous one (Netasq, with the same 192.168.1.0/24 internal LAN) I was able to get things working simply by applying a SNAT, setting the source IP to one in the /28 range.

    Actually, I'm surprised too that it works with no NAT... But it's reproducible...

    Because of that, there is something wrong in how the web application translates this configuration into rules; I am trying to get things working (or not working) as we expect....

    Or, maybe, I didn't understand at all how the local network configuration section in IPSEC works: it should work if I apply the NAT here or if I add a SNAT in the firewall rule...

    Emanuele

  • Emanuele,

    that window is used to change the source network to something else in order to establish a VPN with another end where the same internal network is used.

    https://community.sophos.com/kb/en-us/123356

    NATting is automatically done by XG using the LAN IP. You can override it using the NATed LAN or the system ipsec command from the shell.

    Regards

  • OK, but if I override with a NATed LAN of a different network size, it NATs only the IPs of the smaller of the two nets.

    I asked the other party, but they cannot give me a /24 network. We are also trying on this side to find a workaround.

    Now, the next step: if I want to do SNAT configured by hand (without this automatic NATting of the LAN), is it possible (also via CLI) to override this SNAT with the one specified in the firewall rule?
    I repeat that NO SNAT configuration in the specific firewall rule works; it seems that this automatic stuff "wins" against it. I would expect the firewall rule to win against it; that way I could present all my local IPs with one from the smaller subnet.

    Any idea?

     

    E. 
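To make the mask mismatch described in the original post and the "NATed LAN only maps the smaller net" behaviour discussed in the reply above concrete, here is a small Python model added by the editor; it is not Sophos XG code and does not claim to reproduce what the firewall does internally. It uses the thread's (fictitious) addresses and an assumed single SNAT address 10.212.12.2. The one-to-one mapping shows which /24 hosts have no slot in the /28 and therefore never match the peer's traffic selector; the many-to-one SNAT shows why every host then does.

```python
import ipaddress

# Addresses taken from the thread (the poster says they are fictitious).
LAN = ipaddress.ip_network("192.168.1.0/24")          # real internal LAN
NATTED_LAN = ipaddress.ip_network("10.212.12.0/28")   # local "encrypted domain" the peer expects
# Assumed address for a many-to-one SNAT; the thread does not name one.
SNAT_ADDRESS = ipaddress.ip_address("10.212.12.2")


def netmap(src, inside, outside):
    """One-to-one network translation (the behaviour of an automatic 'NATed LAN'):
    keep the host offset, swap the network prefix. When the outside prefix is
    smaller than the inside one, only offsets that fit into it get a mapping."""
    if src not in inside:
        return None
    offset = int(src) - int(inside.network_address)
    if offset >= outside.num_addresses:
        return None  # no slot in the /28 for this host
    return outside.network_address + offset


def translated_source(src, mode):
    """Source address after NAT for the two approaches discussed in the thread.
    Accepts a string or an IPv4Address; returns an IPv4Address or None."""
    src = ipaddress.ip_address(src)
    if mode == "netmap":
        return netmap(src, LAN, NATTED_LAN)
    if mode == "snat":
        # many-to-one: every LAN host leaves with the same /28 address
        return SNAT_ADDRESS if src in LAN else None
    raise ValueError(f"unknown mode {mode!r}")


def passes_selector(src, mode, selector=NATTED_LAN):
    """True if the translated source falls inside the IPsec traffic selector
    the peer expects; traffic outside it is not tunnelled."""
    translated = translated_source(src, mode)
    return translated is not None and translated in selector


def hosts_without_mapping(mode):
    """Every usable LAN host whose packets would not match the selector."""
    return [h for h in LAN.hosts() if not passes_selector(h, mode)]


if __name__ == "__main__":
    for ip in ("192.168.1.8", "192.168.1.34"):
        print(ip, "netmap ->", translated_source(ip, "netmap"),
              "| snat ->", translated_source(ip, "snat"))
    print("unmapped hosts with 1:1 NAT:", len(hosts_without_mapping("netmap")))
    print("unmapped hosts with many-to-one SNAT:", len(hosts_without_mapping("snat")))
```

With the one-to-one mapping only the 16 offsets of the /28 (.0 to .15, of which .1 to .15 are usable hosts) get a translated address; 192.168.1.34 has no slot and is dropped before it ever reaches the tunnel, which is exactly the ".8 works, .34 doesn't" symptom. With a many-to-one SNAT every LAN host leaves with an address inside the selector, at the cost of the remote side no longer being able to tell the hosts apart.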

  • I have just read about using the CLI to override NAT.

    Any pointer in the documentation regarding that?

    Excuse me and thank you,

    E.

  • PS: You can use SNAT with a custom host in V18.0. Simply use SNAT to a custom Host and add the IPsec route via CLI:
    console> system ipsec_route add host "DESTINATION behind IPsec Tunnel" tunnelname (use tab for suggestions).