Radius over IPSec Site-to-Site

Hi, Mike, and welcome to the UTM Community!

I can't "see" your topology behind the UTM.  I assume that the UTM is at the edge of your VPC, or???  In any case, I can't imagine that your SNAT works - what had you intended to do with it?

Cheers - Bob

Hi, Mike, and welcome to the UTM Community!

I can't "see" your topology behind the UTM.  I assume that the UTM is at the edge of your VPC, or???  In any case, I can't imagine that your SNAT works - what had you intended to do with it?

Cheers - Bob

Hello,

Yes thats correct it is at the edge. All traffic is being pushed to the Sophos appliance. The SNAT doesn't seem to work no... this is what i found on the forums here to try and fix the problem. That didnt fix the issue so im seeking for additional help on the problem :). I was trying to make sure that RADIUS traffic actually made it to the radius server over the IPSec tunnel.

I'm fairly certain you just want to delete the SNAT rule, but show us a line from from the full Firewall log file corresponding to one in your opening post.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

Instead of totally hiding IPs, just obfuscate them enough to stay safe but in a way that lets us understand what we're seeing.  10.x.y.31 instead of 10.10.10.31.  192.168.x.31, 96.x.y.102, etc.

Cheers - Bob

Hello Bob,

Thanks for the quick reply. I was able to pull a line from the full logs corresponding to the unit sending access requests to the Radius:

2017:03:20-12:12:47 montreal ulogd[29672]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="eth1" mark="0x318d" app="397" srcmac="02:aa:29:b2:74:cf" srcip="10.x.x.59" dstip="10.y.y.245" proto="17" length="344" tos="0x00" prec="0x00" ttl="61" srcport="43518" dstport="1812" 

SRC: 10.x.x.59 is where the request is coming from over the VPN IPSec Tunnel and 10.y.y.245 is the radius behind Sophos. I also removed the SNAT rule as well.

Im not sure if this is what your looking for? Thanks

Removing the SNAT was definitely the right thing.  Please insert a picture of the rule that you believe allows this traffic.

Cheers - Bob
PS Montreal, eh.  Are you sure that other device even wants to speak English with yours? [:)]

Hello bob,

These are the rules i believe allow the traffic over the IPSec: 

(The External network is the public subnet in the AWS VPC. An elastic IP is assigned to the local IP of the External Interface)

i hope they speak English to each other :p

The fact that you're not showing a block of the RADIUS traffic indicates there's a routing problem.  Please show a picture of the Edit of "BC HQ Internal" with 'Advanced' open.

Cheers - Bob

Hello Bob,

Sorry but can you elaborate on that? Not sure what to give you a screenshot of? 

Thanks!

The Network definition in the last picture you included, Mike.

Cheers - Bob

Are you certain that that doesn't overlap with "Internal (Network)," Mike?

Cheers - Bob