This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Radius over IPSec Site-to-Site

Hello,

I've been bashing my head against this issue for a few days and finally need to ask for some help. I have a network created in AWS which uses a Sophos UTM for all connections into the VPC. I'm not using the AWS VPN Tunnel for VPC.

The Sophos is connected to our SonicWall in the HQ using a Site-To-Site IPSec tunnel and all connections are up on both sides. Traffic is flowing no problem. The issue occurs when i try to send RADUIS authentication traffic from the HQ to the VPC in AWS through Sophos. I cannot see any traffic on the sophos side.

 

I created a SNAT rule on the sophos. The Firewall Logs show the traffic hit the Firewall. But still no traffic hitting the Server through Sophos.

 

Note: If i connect the AWS tunnel to my firewall in the HQ the radius traffic works... its only when going through the Sophos.



This thread was automatically locked due to age.
Parents
  • Hi, Mike, and welcome to the UTM Community!

    I can't "see" your topology behind the UTM.  I assume that the UTM is at the edge of your VPC, or???  In any case, I can't imagine that your SNAT works - what had you intended to do with it?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    Yes thats correct it is at the edge. All traffic is being pushed to the Sophos appliance. The SNAT doesn't seem to work no... this is what i found on the forums here to try and fix the problem. That didnt fix the issue so im seeking for additional help on the problem :). I was trying to make sure that RADIUS traffic actually made it to the radius server over the IPSec tunnel.

  • I'm fairly certain you just want to delete the SNAT rule, but show us a line from from the full Firewall log file corresponding to one in your opening post.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

    Instead of totally hiding IPs, just obfuscate them enough to stay safe but in a way that lets us understand what we're seeing.  10.x.y.31 instead of 10.10.10.31.  192.168.x.31, 96.x.y.102, etc.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Thanks for the quick reply. I was able to pull a line from the full logs corresponding to the unit sending access requests to the Radius:

    2017:03:20-12:12:47 montreal ulogd[29672]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="eth1" mark="0x318d" app="397" srcmac="02:aa:29:b2:74:cf" srcip="10.x.x.59" dstip="10.y.y.245" proto="17" length="344" tos="0x00" prec="0x00" ttl="61" srcport="43518" dstport="1812" 
    

    SRC: 10.x.x.59 is where the request is coming from over the VPN IPSec Tunnel and 10.y.y.245 is the radius behind Sophos. I also removed the SNAT rule as well.

    Im not sure if this is what your looking for? Thanks

Reply
  • Hello Bob,

    Thanks for the quick reply. I was able to pull a line from the full logs corresponding to the unit sending access requests to the Radius:

    2017:03:20-12:12:47 montreal ulogd[29672]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="eth1" mark="0x318d" app="397" srcmac="02:aa:29:b2:74:cf" srcip="10.x.x.59" dstip="10.y.y.245" proto="17" length="344" tos="0x00" prec="0x00" ttl="61" srcport="43518" dstport="1812" 
    

    SRC: 10.x.x.59 is where the request is coming from over the VPN IPSec Tunnel and 10.y.y.245 is the radius behind Sophos. I also removed the SNAT rule as well.

    Im not sure if this is what your looking for? Thanks

Children
  • Removing the SNAT was definitely the right thing.  Please insert a picture of the rule that you believe allows this traffic.

    Cheers - Bob
    PS Montreal, eh.  Are you sure that other device even wants to speak English with yours? [:)]

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello bob,

    These are the rules i believe allow the traffic over the IPSec: 

    (The External network is the public subnet in the AWS VPC. An elastic IP is assigned to the local IP of the External Interface)

    i hope they speak English to each other :p

  • The fact that you're not showing a block of the RADIUS traffic indicates there's a routing problem.  Please show a picture of the Edit of "BC HQ Internal" with 'Advanced' open.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Sorry but can you elaborate on that? Not sure what to give you a screenshot of? 

    Thanks!

  • The Network definition in the last picture you included, Mike.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Are you certain that that doesn't overlap with "Internal (Network)," Mike?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No they dont. The network internal is 10.0.x.x and the VPC is 10.100.x.x. As mentioned earlier, traffic is flowing between both networks and connectivity is good. The only thing that stopped working when i introduced the Sophos was the radius authentication traffic. this is where im stumped at the moment.

  • It has to be a routing problem, Mike, so I think you're stuck with using tcpdump and espdump.

    To use espdump, you first need to know the REF of the IPsec Connection object.  Say the name assigned to it was "Home Office."  Run the following as root at the command line

    cc get_object_by_name 'ipsec_connection' 'site_to_site' 'Home Office'|grep 'ref'

    If that returns REF_IpsSitHomeOffice, watch traffic in the tunnel with:

    espdump -n --conn REF_IpsSitHomeOffice -vv

    Any luck?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA