IPSec Site to Site ESPdump

Hello Sophos community,

Currently I have one issue with a site-to-site VPN from my Sophos SG450. The IPsec tunnel stays up and is very stable, but traffic inside the tunnel is dropping. I already requested help from Sophos to take a TCP dump on both firewalls (mine and the peer's), and after they compared the TCP dumps they said there is a 5 second delay when I receive the ping reply. Now I am trying to capture an espdump to see if I can find something inside the tunnel and find a root cause for this. I followed the guide posted by Sophos on how to decrypt ESP packets in Wireshark, but what I found is that when I open the pcap file in Wireshark the SPIs are different from the SPIs I found in the pcap.sa file (according to the guide the SPIs must be the same).

Also, the espdump was done in a meeting with one Sophos engineer.

Can somebody help me understand why I cannot decrypt that espdump?

Thank you!
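The SPI mismatch described in this post (SPIs in the pcap differing from those in the pcap.sa file) can be checked mechanically before trying Wireshark. The following script is an added example, not part of the original thread and not a Sophos tool: it reads the SPI straight from the ESP header of every packet in a classic pcap and diffs that set against the SPIs listed in an SA file, so you can see which packets no key in the file can decrypt (typically because the SA was rekeyed after the SA file was dumped). It assumes an Ethernet link type, IPv4 transport, and that the SA file writes SPIs as 0x-prefixed hex; the capture and the SA excerpt are constructed for the demo.

```python
import re
import struct

ESP_PROTO = 50  # IP protocol number for ESP

def parse_sa_file(text):
    # Assumption (not from the guide): each SPI appears as a 0x-prefixed 32-bit hex value.
    return {int(m, 16) for m in re.findall(r"0x([0-9a-fA-F]{8})", text)}

def esp_spis_from_pcap(data):
    """Return {spi: packet_count} for every IPv4/ESP frame in a classic pcap (Ethernet link type)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    counts, off = {}, 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # IPv4 EtherType only
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != ESP_PROTO or len(ip) < ihl + 8:
            continue
        spi = struct.unpack("!I", ip[ihl:ihl + 4])[0]  # ESP header begins with the 32-bit SPI
        counts[spi] = counts.get(spi, 0) + 1
    return counts

def compare_spis(pcap_bytes, sa_text):
    """SPIs seen on the wire but absent from the SA file cannot be decrypted; the reverse are stale."""
    seen, known = set(esp_spis_from_pcap(pcap_bytes)), parse_sa_file(sa_text)
    return {"undecryptable": sorted(seen - known), "stale_in_sa_file": sorted(known - seen),
            "decryptable": sorted(seen & known)}

def build_sample_pcap(spis):
    """Constructed capture for the demo: one IPv4/ESP frame per SPI, checksums left at zero."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for seq, spi in enumerate(spis, 1):
        esp = struct.pack("!II", spi, seq) + b"\x00" * 16  # SPI, sequence number, dummy ciphertext
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, ESP_PROTO, 0,
                         bytes([10, 231, 0, 1]), bytes([192, 168, 0, 1])) + esp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)
# Constructed SA excerpt: two SPIs match the capture, one was already rekeyed away.
SAMPLE_SA = "spi=0xc0de0001 esp aes-cbc\nspi=0xc0de0002 esp aes-cbc\nspi=0x0bad0004 esp aes-cbc\n"
SAMPLE_PCAP = build_sample_pcap([0xC0DE0001, 0xC0DE0002, 0xDEAD0003, 0xC0DE0001])
if __name__ == "__main__":
    print(compare_spis(SAMPLE_PCAP, SAMPLE_SA))
```

For a real capture, read the espdump output with open(path, "rb").read() and the SA file as text; an "undecryptable" entry means the tunnel rekeyed between the SA dump and the capture, so both need to be taken in the same SA lifetime.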

  • Hallo Andrei,

    Please show the command you used to generate the pcap file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    The command used to generate the espdump is:

    • espdump -n --conn REF_xxxxxxxx -s0 -w xxx(name).pcap

    Also, for the pcap.sa file I used the cat command.

    I found the resolution to my issue, but I don't understand why it is behaving like this:

    I have one site-to-site IPsec tunnel to one of my customers, and the issue is as follows. I need to access 4 private hosts on his side, 192.168.x.x. When I created the tunnel I put those 4 hosts in the remote gateway tab and it created 4 SAs to the customer. The tunnel came up immediately and is very stable, but when I ping from my internal IP 10.231.x.x to 192.168.x.x (customer internal IP) I have huge packet loss.

    Below are the tests I tried, with no result:

    • First test: in the Phase 2 SA I only added one connection from one loopback address 10.100.2.1/32 to the loopback address created on the client Fortigate firewall, 10.100.1.1/32, and the ping is working without fail, no drops at all.
    • Second test: in the Phase 2 SA I added another IP from the customer network, so the SA looked like loopback address from our side 10.100.2.1/32 to loopback address on the client network 10.100.1.1/32 and one private IP from the customer network 192.168.x.x/32, and the ping is not working on either the loopback address or the client private IP.
    • Third test: in the Phase 2 SA I again left only our loopback address 10.100.2.1/32 to the client private network IP 192.168.x.x/32, and the ping is successful without packet loss.
    • I created another tunnel to one of our Fortigate firewalls, so the connection was from Forti to Forti; we used another public IP from our side 172.16.x.x/32 to the customer network and all is working fine, ping with no packet loss, with 4 SAs added in Phase 2. We can rule out a routing issue on their side.
    • Fifth test was to do a full NAT from Sophos to the client Fortigate: same issue, packet loss.

    I think there is a bug between those 2 devices or something is happening. Please support to resolve this case.

    I found a resolution with the customer: NAT his private hosts (4 in total) 192.168.x.x to 10.100.x.x, and in the Phase 2 SA I added 10.100.x.x/29 to create only one SA, and the ping is working without any problem.

    But my question is: what is the root cause of this issue?

    Thanks!


  • Is #7 in Rulz helpful?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA