Hi @all,
I have a little trouble with an IPsec tunnel between an XG105 and a remote Forcepoint infrastructure.
There is no connection issue: the tunnel comes up and traffic flows through it, but I'm not able to talk to the remote machine I need to reach from all my hosts; only the first 16 IPs of my LAN can reach this machine.
The numbers here are made up, but they are needed to explain the configuration. I don't specify the phase 1 and phase 2 parameters because, as I said above, the tunnel comes up and traffic flows.
                                             | Remote         | Local
Equipment                                    | Forcepoint     | XG105
End of tunnel (peer)                         | 95.39.211.228  | 72.84.54.58
Encrypted domain (local/remote network/host) | 10.8.32.0/27   | 10.212.12.0/28
LAN                                          |                | 192.168.1.0/24
Target host                                  | 10.8.32.11     |
The main discrepancy is that the "Encrypted domain" network has a /28 subnet while the LAN is a /24, and only machines with IPs from 192.168.1.1 to .16 work. I don't have control over the remote configuration.
Here is the configuration of the IPsec connection on the XG105:
Connection type: Site to Site
Policy: Custom Policy (this is correct, tunnel is up)
Action on VPN Restart: Initiate
Authentication Type: Preshared Key
Preshared Key: ******
Endpoints
Local: 72.84.54.58
Remote: 95.39.211.228
IPv4
Local Subnet: 10.212.12.0/28
NATed LAN: Same as Local LAN address
Local ID: Select Local ID (none)
Allow Nat Traversal (disabled)
Remote LAN Network: 10.8.32.0/27
Remote ID: Select Remote ID (none)
User Authentication Mode: Disable
Protocol: All
Local Port: Disabled
Remote Port: Disabled
Disconnect when tunnel is idle: Disabled
Idle session time interval: empty.
Firewall rule:
Action: accept
Source zones: LAN, VPN
Source Networks and Devices: ANY
During Scheduled Time: All the time
Destination Zones: ANY
Destination Networks: 10.8.32.0/27
Services: ANY
Identity: Match known user: disabled
Malware scanning: disabled
Advanced: all none/disabled/empty
I've tried to change every parameter which could make a difference (local network range / NAT configuration in the IPsec config, and source NATs of any kind in the firewall rule), and the possible results are two: the tunnel stops coming up, or the issue persists (e.g. from 192.168.1.8 it works, from 192.168.1.34 it doesn't).
The issue seems to reside in the mismatch between the local network mask and the LAN mask (/28 vs /24), so only IPs within 192.168.1.0/28 are able to communicate with the remote host (10.8.32.11).
I can't get any SNAT result; if all my LAN machines presented themselves on the local "Encrypted Domain" with an IP under 16, things should start to work...
I don't know the XG CLI in depth, so I tried to make things work only from the web interface; maybe something is feasible via the CLI.
Thank you so much,
Emanuele
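Added example (not from the original post, and not Sophos or Forcepoint code): a small Python model of the hypothesis in the post, i.e. that an IPsec SA only carries packets whose source falls inside the negotiated local traffic selector (10.212.12.0/28), so a LAN of 256 addresses cannot be mapped 1:1 onto a 16-address encrypted domain, while a many-to-one SNAT onto one address in that domain would cover every host. The 1:1 "offset-preserving" translation, the overload address 10.212.12.1 and the helper names are assumptions made for the illustration; the subnets and hosts are the made-up ones from the post.

```python
import ipaddress
from typing import Callable, List, Optional

# Fictitious addressing taken from the post above.
LAN = ipaddress.ip_network("192.168.1.0/24")
LOCAL_SELECTOR = ipaddress.ip_network("10.212.12.0/28")   # local "encrypted domain"
REMOTE_SELECTOR = ipaddress.ip_network("10.8.32.0/27")    # remote "encrypted domain"
TARGET = ipaddress.ip_address("10.8.32.11")

# Assumed overload SNAT address: one host address inside the local selector.
OVERLOAD_IP = ipaddress.ip_address("10.212.12.1")


def matches_selectors(src, dst) -> bool:
    """A phase-2 SA only accepts packets whose (src, dst) pair lies inside the
    negotiated traffic selectors; anything else never enters the tunnel."""
    return (ipaddress.ip_address(src) in LOCAL_SELECTOR
            and ipaddress.ip_address(dst) in REMOTE_SELECTOR)


def one_to_one_nat(src) -> Optional[ipaddress.IPv4Address]:
    """Assumed 1:1 (netmap-style) translation that keeps the host offset.
    A /24 has 256 offsets but a /28 only 16, so hosts at offset 16 and above
    get no translated address and leave with a source outside the selector."""
    src = ipaddress.ip_address(src)
    if src not in LAN:
        raise ValueError(f"{src} is not in {LAN}")
    offset = int(src) - int(LAN.network_address)
    if offset >= LOCAL_SELECTOR.num_addresses:
        return None
    return LOCAL_SELECTOR.network_address + offset


def overload_snat(src) -> ipaddress.IPv4Address:
    """Many-to-one SNAT: every LAN host is rewritten to the same address in the
    local selector (ports distinguish the sessions), so every host fits."""
    src = ipaddress.ip_address(src)
    if src not in LAN:
        raise ValueError(f"{src} is not in {LAN}")
    return OVERLOAD_IP


def reachable_hosts(translate: Callable) -> List[ipaddress.IPv4Address]:
    """LAN hosts whose translated source would be accepted by the tunnel."""
    ok = []
    for host in LAN.hosts():                       # .1 through .254
        nat_src = translate(host)
        if nat_src is not None and matches_selectors(nat_src, TARGET):
            ok.append(host)
    return ok


if __name__ == "__main__":
    for probe in ("192.168.1.8", "192.168.1.34"):
        print(probe, "-> untranslated:", matches_selectors(probe, TARGET),
              "| 1:1:", one_to_one_nat(probe),
              "| overload:", overload_snat(probe))
    print("hosts reaching target with 1:1 NAT:", len(reachable_hosts(one_to_one_nat)))
    print("hosts reaching target with overload SNAT:", len(reachable_hosts(overload_snat)))
```

Running it shows the symptom from the post reproduced by the model: 192.168.1.8 gets a translated address inside 10.212.12.0/28 while 192.168.1.34 does not, and only the first 15 usable hosts pass the selector check under 1:1 translation, versus all 254 under an overload SNAT onto a single address of the encrypted domain.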