Hello,
I have installed a Sophos XG on which I want to create an IPsec connection to another server running a strongSwan IPsec server. I could already successfully create a connection to it, and I can ping my Sophos internal IP and also the IP of the strongSwan server. My issue now is that the clients in the local subnet of the Sophos can't ping the IP of the strongSwan server and vice versa.

On the local site of the Sophos I have 6 subnets, which have the ranges 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, 172.16.4.0/24, 172.16.5.0/24 and 172.16.6.0/24. The networks 172.16.1.0 to 172.16.5.0 are routed via another router. The Sophos is able to reach these networks via static routes. The strongSwan server is a central VPN server which routes the traffic to the remote subnets. The remote subnets are 172.16.6.0 to 172.16.12.0, and all subnets have a subnet mask of /24.

When I add in the Sophos, for example, local network 172.16.0.0/24 and remote network 172.16.7.0/24, then I can reach the complete subnet 172.16.7.0/24 and also the clients in the network 172.16.0.0/24. When I add, for example, 172.16.6.0/24, then I can only reach the IP of the Sophos and only the subnet 172.16.7.0/24. The clients in the subnet 172.16.7.0 can only reach the local network address of the Sophos but not the clients in the network 172.16.0.0/24.
This is my current firewall configuration.
console> show advanced-firewall
Strict Policy : on
FtpBounce Prevention : control
Tcp Conn. Establishment Idle Timeout : 10800
UDP Timeout Stream : 60
Fragmented Traffic Policy : allow
Midstream Connection Pickup : off
TCP Seq Checking : on
TCP Window Scaling : on
TCP Appropriate Byte Count : on
TCP Selective Acknowledgements : on
TCP Forward RTO-Recovery[F-RTO] : off
TCP TIMESTAMPS : off
Strict ICMP Tracking : off
ICMP Error Message : allow
IPv6 Unknown Extension Header : deny
Bypass Stateful Firewall
------------------------
Source Genmask Destination Genmask
172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
172.16.0.0 255.255.255.0 172.16.2.0 255.255.255.0
172.16.0.0 255.255.255.0 172.16.3.0 255.255.255.0
172.16.0.0 255.255.255.0 172.16.4.0 255.255.255.0
172.16.0.0 255.255.255.0 172.16.5.0 255.255.255.0
172.16.0.0 255.255.255.0 172.16.7.0 255.255.255.0
172.16.7.0 255.255.255.0 172.16.0.0 255.255.255.0
172.16.9.0 255.255.255.0 172.16.0.0 255.255.255.0
172.16.12.0 255.255.255.0 172.16.0.0 255.255.255.0
172.16.9.0 255.255.255.0 172.16.1.0 255.255.255.0
172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0
172.16.1.0 255.255.255.0 172.16.7.0 255.255.255.0
172.16.7.0 255.255.255.0 172.16.1.0 255.255.255.0
NAT policy for system originated traffic
---------------------
Destination Network Destination Netmask Interface SNAT IP
172.16.7.0 255.255.255.0 172.16.0.254
Thanks.
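A consistency check of the bypass-stateful-firewall table quoted above, written here as an added example (it is not part of the original thread, nor Sophos or strongSwan code). It assumes each bypass entry applies only in the listed source-to-destination direction, and that every local/remote subnet pair that should pass through the tunnel needs an entry in both directions; the subnet lists are taken from the post.

```python
import ipaddress
from itertools import product

# Bypass Stateful Firewall table as posted: (source, destination), one entry per direction.
BYPASS_RULES = [
    ("172.16.0.0/24", "172.16.1.0/24"), ("172.16.0.0/24", "172.16.2.0/24"),
    ("172.16.0.0/24", "172.16.3.0/24"), ("172.16.0.0/24", "172.16.4.0/24"),
    ("172.16.0.0/24", "172.16.5.0/24"), ("172.16.0.0/24", "172.16.7.0/24"),
    ("172.16.7.0/24", "172.16.0.0/24"), ("172.16.9.0/24", "172.16.0.0/24"),
    ("172.16.12.0/24", "172.16.0.0/24"), ("172.16.9.0/24", "172.16.1.0/24"),
    ("172.16.1.0/24", "172.16.9.0/24"), ("172.16.1.0/24", "172.16.7.0/24"),
    ("172.16.7.0/24", "172.16.1.0/24"),
]

# Subnet lists as described in the post (172.16.6.0/24 appears on both sides there).
LOCAL = [f"172.16.{i}.0/24" for i in range(0, 7)]
REMOTE = [f"172.16.{i}.0/24" for i in range(6, 13)]


def _covered(src, dst, rules):
    """True if some rule's source/destination networks contain src/dst respectively."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return any(
        s.subnet_of(ipaddress.ip_network(rs)) and d.subnet_of(ipaddress.ip_network(rd))
        for rs, rd in rules
    )


def one_way_rules(rules):
    """Entries whose reverse direction is missing: reply traffic for these flows
    would not be bypassed and would be evaluated by the stateful path instead."""
    return [(s, d) for s, d in rules if not _covered(d, s, rules)]


def uncovered_pairs(local, remote, rules):
    """Local/remote subnet pairs lacking a bypass entry in one or both directions."""
    return [
        (l, r) for l, r in product(local, remote)
        if l != r and not (_covered(l, r, rules) and _covered(r, l, rules))
    ]


if __name__ == "__main__":
    for s, d in one_way_rules(BYPASS_RULES):
        print(f"no reverse entry for {s} -> {d}")
    for l, r in uncovered_pairs(LOCAL, REMOTE, BYPASS_RULES):
        print(f"no bidirectional bypass for {l} <-> {r}")
```

Run against the posted table, it reports that only 172.16.0.0/24 and 172.16.1.0/24 have bidirectional entries towards 172.16.7.0/24 (and 172.16.1.0/24 towards 172.16.9.0/24), while the 172.16.9.0/24 and 172.16.12.0/24 entries towards 172.16.0.0/24 have no reverse.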