IPSec VPN Site to Site is Active, Services set to ANY, but the end computers on both sides cannot PING each other (SG - XG)

Hi Sophos Community

Good Day

This is the scenario

SG is the branch office and XG is the HQ

The tunnel between SG and XG is active, but you cannot ping any of the end computers on either side. The firewall rule SERVICES on both sides are set to ANY.

On the SG firewall, please refer to the screenshot: [SG firewall configuration screenshot]

On the XG firewall, please refer to this screenshot: [XG firewall configuration screenshot]
  • It looks to me as if you're not specifying the networks correctly in your IPSEC settings.  Your Local Subnet and Remote subnet on the XG side only specify one computer on each side - probably your endpoints.  If the SG is the same, then no traffic will flow as no networks have been defined.

     

    When setting up IPSEC site to site, your Remote Gateway defines the endpoints at each end of the IPSEC connection, but it also defines the networks allowed access through it.  I suggest you check this article...

     

    https://community.sophos.com/kb/en-us/127030

     

  • Hi Sir Shaun,

    Good Day

    Correct me if I'm wrong

    - Do you mean that under "REMOTE NETWORKS", on both SG and XG, it should be the NETWORK, not the HOSTS?
          * In my scenario the Remote Network is the HOSTS on both ends, XG and SG.

    - Summary of WRONG CONFIGURATIONS???
          * Remote Network on SG and XG should be the Network, NOT the HOSTS, on both ends.

    Gracias Senior

  • Hi Kunkka,

    When you setup an IPSEC site to site VPN you need to define two things.  The first are the two ends of the site to site connection - these are usually the external IP's of the UTMs or Routers that will establish the connection.  The second are the networks at each site that need to transfer traffic across the site to site VPN tunnel you will create.

    For example....

    Site A has a UTM with an external IP of x.x.x.x, and a network of 192.168.1.0/24.

    Site B has a UTM with an external IP of y.y.y.y, and a network of 10.10.10.0/24.

    In your gateway settings on Site A, you setup a gateway connection with a gateway of x.x.x.x, and a remote network of 192.168.1.0/24

    In your gateway settings on Site B, you setup a gateway connection with a gateway of y.y.y.y, and a remote network of 10.10.10.0/24.

     

    Once established, you'll need to make sure you have firewall access rules on both sides allowing site A's network to talk to Site B's Network

    Hope that makes it a bit clearer.

  • Hi Sir Shaun,

    Good Day

    This SG - XG Scenario is just a laboratory to test the IPSec VPN.

    This is the actual scenario: Sophos SG < > other firewall - not sure what brand they use

    In SG - which is in the branch Area
    Other Firewall - which is the HQ

    Meanwhile, on the HQ side:
                      - They ALWAYS INSIST that the Remote Area will be the HOST IP, NOT the NETWORK; that's why we mirrored the config from the HQ side
                      - They use this setup for all of their IPSec VPN (S2S) connections
                      - The FTP connection was successful before, but now there is NO connection between HQ and the Branch Office; that's why we tried to establish SG to XG just to test the IPSec VPN connection

    That's the whole story, Sir.

    Btw Sir, thank you for elaborating your explanation. I much appreciate it.

    Gracias 

  • From what you've told me, I think you need to talk to the tech guys at your head office.  All the IPSEC S2S connections I've done have required remote networks to be entered, so I'm not sure how they intend you to route traffic.  Maybe someone else has encountered this?

     

  • Kunkka, You're close...

    I'm not familiar with XG, so my specific instructions will concern only WebAdmin and the UTM.  Having said that, your configuration looks correct for the XG side of the tunnel.

    If you want all members of "Internal (Network)" to be able to reach the two IPs behind the XG, DO NOT select 'Strict routing' in the IPsec Connection.   You also will need a NAT rule:

    SNAT : Internal (Network) -> Any -> {Group with two remote hosts} : from {192.168.254.100}

    From your explanation, it doesn't sound like you need/want a similar rule in the XG

    Note that the "Any" Service only includes TCP and UDP.  It does NOT include any other IP Protocols.  I don't know if the same is true in the XG.

    Pinging is regulated on the 'ICMP' tab of 'Firewall'.  If you still see a ping blocked in the firewall log, you will need to make an Allow rule using the "Ping" service object.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Sir BAlfson,

    Good day

    Can you help me determine which network objects to put in the SNAT rule under UTM 9?

    Matching Condition

    For traffic from:  192.168.254.100
    Using Service:any
    Going to: 10.10.11.71 and 192.168.100.2

    Action:

    Change the source to: 173.225.x.x
    And the service to: any

     

    Summary config

    XG Firewall

    Public IP: 119.93.x.x

    Local Hosts: 10.10.11.71 and 192.168.100.2

    SG Fwall

    Pub IP: 173.225.x.x
    Local Host: 192.168.254.100

    Thank you Sir

  • Everything looks correct except:

    Change the source to: 192.168.254.100

    (not 173.225.x.x)

    Cheers - Bob
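A worked model of the two points made in the replies above (Shaun's explanation that a site-to-site definition names both the gateway endpoints and the networks allowed through it, and Bob's SNAT rule plus his note that the "Any" service covers only TCP and UDP). This is an added illustration, not code from the thread or from Sophos. It reuses the addresses quoted in the thread; the SG "Internal (Network)" being 192.168.254.0/24, the 192.168.254.50 test host, and the evaluation order (firewall rule on the original source, then SNAT, then IPsec selector match) are assumptions.

```python
"""Why an IPsec site-to-site tunnel whose local/remote networks are single
hosts (/32) carries traffic only between those hosts, and how an SNAT rule
that rewrites the LAN's source to the named host makes the rest of the LAN
fit the selectors. Added example, not Sophos code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class IPsecSelector:
    """Local/remote networks of one IPsec connection (the phase-2 traffic
    selectors). A packet enters the tunnel only when its source is inside a
    local network AND its destination is inside a remote network."""
    local: tuple
    remote: tuple

    def matches(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        return (any(src in ip_network(n) for n in self.local)
                and any(dst in ip_network(n) for n in self.remote))


@dataclass(frozen=True)
class SnatRule:
    """UTM-style SNAT: traffic from `from_net` to one of `to_hosts` gets its
    source rewritten to `new_src` before the tunnel selectors are consulted."""
    from_net: str
    to_hosts: tuple
    new_src: str

    def apply(self, pkt: Packet) -> Packet:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src in ip_network(self.from_net) and any(dst in ip_network(h) for h in self.to_hosts):
            return replace(pkt, src=self.new_src)
        return pkt


# Service objects: "Any" in UTM covers TCP and UDP only; ICMP echo needs "Ping".
SERVICE_ANY = frozenset({"tcp", "udp"})
SERVICE_PING = frozenset({"icmp"})


def send(pkt, selector, allowed_services=(SERVICE_ANY,), snat=None):
    """Return (verdict, packet as it would leave the firewall).
    Assumed order: firewall rule checked on the original addresses, then SNAT,
    then IPsec selector match (on Linux, SNAT runs before the xfrm policy lookup)."""
    if not any(pkt.proto in svc for svc in allowed_services):
        return "blocked-by-firewall", pkt
    if snat is not None:
        pkt = snat.apply(pkt)
    if selector.matches(pkt):
        return "tunnel", pkt
    return "no-matching-selector", pkt


# The thread's lab: the SG side lists single hosts, mirroring the HQ setup.
SG_HOST_SELECTOR = IPsecSelector(
    local=("192.168.254.100/32",),
    remote=("10.10.11.71/32", "192.168.100.2/32"),
)
# Bob's rule: Internal (Network) -> Any -> {two remote hosts}, source -> 192.168.254.100.
# 192.168.254.0/24 as the SG "Internal (Network)" is an assumption.
SG_SNAT = SnatRule("192.168.254.0/24", ("10.10.11.71/32", "192.168.100.2/32"), "192.168.254.100")

# Shaun's general case: whole networks on both sides, so no SNAT is needed.
NET_SELECTOR = IPsecSelector(local=("192.168.1.0/24",), remote=("10.10.10.0/24",))


def scenarios():
    """Verdicts for the cases discussed in the thread (sample packets are constructed)."""
    named_host = Packet("192.168.254.100", "10.10.11.71", "tcp")
    other_host = Packet("192.168.254.50", "10.10.11.71", "tcp")  # another PC on the SG LAN
    ping = Packet("192.168.254.100", "10.10.11.71", "icmp")
    return {
        "named host, no snat": send(named_host, SG_HOST_SELECTOR),
        "other LAN host, no snat": send(other_host, SG_HOST_SELECTOR),
        "other LAN host, with snat": send(other_host, SG_HOST_SELECTOR, snat=SG_SNAT),
        "ping with service Any only": send(ping, SG_HOST_SELECTOR),
        "ping with Any + Ping": send(ping, SG_HOST_SELECTOR, (SERVICE_ANY, SERVICE_PING)),
        "network selectors": send(Packet("192.168.1.5", "10.10.10.9", "tcp"), NET_SELECTOR),
    }


if __name__ == "__main__":
    for name, (verdict, pkt) in scenarios().items():
        print(f"{name:28s} -> {verdict:22s} src={pkt.src} dst={pkt.dst} proto={pkt.proto}")
```

Two things the model makes visible: with host-only selectors, a packet from any other LAN address never matches and is simply not sent through the tunnel, which is why SNAT to the named host (the corrected "Change the source to: 192.168.254.100") is the workaround when HQ will not widen its networks; and a rule with only the "Any" service does not pass ICMP, so a ping can still fail even after the tunnel carries TCP and UDP. The model does not account for the 'Strict routing' option, which the reply above says to leave unselected.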
  • Hi Sir BAlfson,

    Good Day


    "For traffic from: 192.168.254.100"

    is the same as

    "Change the source to: 192.168.254.100"

    PS
    Please accept my deepest thanks for accommodating my questions.
