Sophos XG IPSEC site to site with NAT and different subnet range

Hi @all,

I have a little trouble with an IPSEC tunnel between an XG105 and a remote Forcepoint infrastructure.

There is no connection issue: the tunnel goes up and traffic flows through the tunnel, but I'm not able to talk to the remote machine I need to connect to from all my hosts; only the first 16 IPs of my LAN can reach this machine.

The numbers here are made up, but they are needed to explain the configuration. I don't specify the phase 1 and 2 parameters because, as I said above, the tunnel goes up and traffic flows.

                                               Remote           Local
Equipment                                      Forcepoint       XG105
End of tunnel (peer)                           95.39.211.228    72.84.54.58
Encrypted domain (local/remote network/host)   10.8.32.0/27     10.212.12.0/28
LAN                                            -                192.168.1.0/24
Target host                                    10.8.32.11       -

The main discrepancy is that the "Encrypted domain" network has a /28 subnet and the LAN is a /24, and only machines with IPs from 192.168.1.1 to .16 can reach the remote host. I don't have control over the remote configuration.

Here is the configuration of the IPSEC connection on the XG105:

Connection type: Site to Site

Policy: Custom Policy (this is correct, tunnel is up)

Action on VPN Restart: Initiate

Authentication Type: Preshared Key

Preshared Key: ******

Endpoints

Local: 72.84.54.58

Remote: 95.39.211.228

IPV4

Local Subnet: 10.212.12.0/28

NATed LAN: Same as Local LAN address

Local ID: Select Local ID (none)

Allow Nat Traversal (disabled)

Remote LAN Network: 10.8.32.0/27

Remote ID: Select Remote ID (none)

User Authentication Mode: Disable

Protocol: All

Local Port: Disabled

Remote Port: Disabled

Disconnect when tunnel is idle: Disabled

Idle session time interval: empty.


Firewall rule:

Action: accept

Source zones: LAN, VPN

Source Networks and Devices: ANY

During Scheduled Time: All the time

Destination Zones: ANY

Destination Networks: 10.8.32.0/27

Services: ANY

Identity: Match known user: disabled

Malware scanning: disabled

Advanced: all none/disabled/empty

I've tried to change all the parameters which can make sense (local network range / NAT configuration in the IPSEC config and source NATs of any kind in the firewall rule) and there are 2 possible results: the tunnel stops coming up, or the issue persists (e.g. from 192.168.1.8 it works, from 192.168.1.34 it doesn't).

The issue seems to reside in the mismatch between the local network mask and the LAN mask (/28 vs /24), so only IPs within 192.168.1.0/28 are able to communicate with the remote host (10.8.32.11):
I can't achieve any SNAT result; if all my LAN machines presented themselves on the local "Encrypted Domain" with an IP under 16, things should start to work...

I don't know the XG CLI interface in depth, so I tried to make things work only from the Web Interface; maybe something is feasible via the CLI.

Thank you so much,

Emanuele

  • PS: You can use SNAT with a custom host in V18.0. Simply use SNAT to a custom Host and add the IPsec route via CLI:
    console> system ipsec_route add host "DESTINATION behind IPsec Tunnel" tunnelname    (use tab for suggestion). 

    __________________________________________________________________________________________________________________
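The selector mismatch described in the post and the many-to-one SNAT suggested in the reply, modelled as an added example (not code from the thread or from Sophos); the host-preserving 1:1 translation, the NAT host 10.212.12.5 and all function names are assumptions used to reproduce the "only the first 16 addresses work" symptom, not the XG's actual implementation:

```python
# Added example: IPsec only protects a packet whose post-NAT source lies
# inside the local encrypted domain and whose destination lies inside the
# remote one; anything else never enters the tunnel. The 1:1 translation and
# the NAT host 10.212.12.5 below are assumptions, not XG behaviour.
from ipaddress import IPv4Address, IPv4Network

LOCAL_SELECTOR = IPv4Network("10.212.12.0/28")   # local encrypted domain (16 addresses)
REMOTE_SELECTOR = IPv4Network("10.8.32.0/27")    # remote encrypted domain
LAN = IPv4Network("192.168.1.0/24")              # real local LAN
TARGET = IPv4Address("10.8.32.11")               # host behind the tunnel


def one_to_one_nat(src: IPv4Address) -> IPv4Address:
    """Assumed model of 'NATed LAN = same as local': keep the LAN host number.
    Only host numbers 0..15 fit in a /28, so 192.168.1.34 -> 10.212.12.34,
    which is outside the selector."""
    host = int(src) - int(LAN.network_address)
    return IPv4Address(int(LOCAL_SELECTOR.network_address) + host)


def snat_to_custom_host(src: IPv4Address) -> IPv4Address:
    """Many-to-one SNAT (the reply's suggestion): every LAN host leaves as one
    constructed address inside the selector, so the source always matches."""
    return IPv4Address("10.212.12.5")


def is_protected(src_after_nat: IPv4Address, dst: IPv4Address) -> bool:
    """Traffic-selector check for one packet after source NAT."""
    return src_after_nat in LOCAL_SELECTOR and dst in REMOTE_SELECTOR


def host_reaches_target(lan_host: str, translate) -> bool:
    """Does one LAN host (as a string) reach TARGET under the given NAT?"""
    return is_protected(translate(IPv4Address(lan_host)), TARGET)


def reachable_hosts(translate) -> list:
    """LAN hosts whose traffic to TARGET would match the tunnel selectors."""
    return [str(h) for h in LAN.hosts() if is_protected(translate(h), TARGET)]


if __name__ == "__main__":
    before = reachable_hosts(one_to_one_nat)
    after = reachable_hosts(snat_to_custom_host)
    print(f"1:1 NAT: {len(before)} LAN hosts match, last one is {before[-1]}")
    print(f"SNAT to custom host: {len(after)} LAN hosts match")
```

With the 1:1 model only 192.168.1.1 to .15 match the /28 selector, while the SNAT to a custom host makes all 254 LAN hosts eligible; the reply's `system ipsec_route add host` step is still needed so the XG routes the return traffic into the tunnel.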
