
No data through IPsec tunnel

Hello,

I have successfully established an IPsec connection between an XG86 and an SG210. On the XG I created the firewall rules as described in the guide. On the SG I had the rules created automatically.

Unfortunately no data at all goes through the tunnel.

  • Hi Jan-Niklas Keese,

    Could you please share screenshot of your firewall rules for the VPN? 

    If the tunnel has been established, I think it would be a firewall rule issue, or a static route is sending all the traffic through the WAN interface. 

    Thanks,

  • In reply to H_Patel:

    Hi,

     

    here are the FW rules:

    I took a look at the routing; there is no static route.

  • In reply to Jan-Niklas Keese:

    Hi  

    Could you please try to remove the source and destination network from LAN to VPN and VPN to LAN firewall rule and verify?

    You may also use the packet capture utility to capture traffic coming from the VPN tunnel: https://community.sophos.com/kb/en-us/130140

  • In reply to Keyur:

    Hi Keyur,

     

    sorry, I don't understand. What should I put in? Any?

  • In reply to Jan-Niklas Keese:

    Hi  

    Please put ANY for testing purposes to see if the traffic is getting through or not.

  • In reply to Keyur:

    Hi,

    I did, but it didn't change anything. Looks like this now:

     

  • In reply to Jan-Niklas Keese:

    Hi  

    Could you please try the packet capture utility I shared in the previous response?

  • In reply to Keyur:

    Hi,

     

    I did already:

    Ethernet header
    Source MAC address:c8:1f:66:b6:28:e8
    Destination MAC address: 7c:5a:1c:d4:d3:1c
    Ethernet type IPv4 (0x800)
     
    IPv4 Header
    Source IP address:192.168.208.3
    Destination IP address:192.168.201.8
    Protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 52 Bytes
    Identification:42798
    Fragment offset:16384
    Time to live: 127
    Checksum: 14904
     
    TCP Header:
    Source port: 52300
    Destination port: 3389
    Flags: SYN
    Sequence number: 1607317669
    Acknowledgement number: 0
    Window: 64240
    Checksum: 26565

     

  • In reply to Jan-Niklas Keese:

    FYI the XG is behind a FRITZ!Box without any port forwarding. 

    I don't have access to the box; this is why I initiated the connection from the XG.

  • In reply to Jan-Niklas Keese:

    Hi  

    The RDP traffic is being forwarded to rule ID 5; could you please confirm what rule ID 5 is? You can also capture the packet at the SG end, or initiate the traffic from the XG and try to capture the packet on the IP behind the SG from which the traffic was initiated.

  • In reply to Keyur:

    Hi,

     

    I don't see the packet coming in on the SG. Rule ID 5 is the outgoing rule for VPN.

    I think it's a routing problem, because the XG shows in the log "Out Interface" Port 2, which is the WAN interface; shouldn't it be a VPN interface?

  • In reply to Jan-Niklas Keese:

    Hi  

    In one of your previous comments you informed us that you initiated the connection to the remote IPsec LAN from the XG.

    You cannot test the remote VPN network from the XG without a manual IPsec route (a route is required; only then will XG-initiated traffic be submitted to IPsec).

    You may generate a PING from any machine which is part of the LAN network (which is defined inside the tunnel) and check the tcpdump which you captured on the UI; for traffic generated from a LAN machine you will be able to see out interface ipsec0 and the LAN to VPN rule ID if the rule settings are fine.
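Added example (not from the thread or from Sophos): a small Python triage helper that parses a header dump in the format quoted above and applies the reasoning from the last reply. It checks whether the source and destination fall inside the local and remote networks defined in the IPsec policy and whether the packet left on ipsec0; a packet whose source is not in the local LAN (for example, generated on the firewall itself) is flagged as needing a manual IPsec route, and LAN-to-remote traffic leaving on a WAN port (Port2 in the thread) is flagged as a routing problem. The sample capture reuses the addresses quoted in the thread; the subnet masks and the "out interface" value are assumptions, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the format of the XG packet capture header dump
# quoted in the thread (same addresses as the thread, trimmed to the
# fields needed here). The out interface is passed separately because the
# quoted dump does not contain it; the thread only mentions it in prose.
SAMPLE_CAPTURE = """\
Ethernet header
Source MAC address:c8:1f:66:b6:28:e8
Destination MAC address: 7c:5a:1c:d4:d3:1c
Ethernet type IPv4 (0x800)

IPv4 Header
Source IP address:192.168.208.3
Destination IP address:192.168.201.8
Protocol: TCP
Header:20 Bytes
Total length: 52 Bytes
Time to live: 127

TCP Header:
Source port: 52300
Destination port: 3389
Flags: SYN
"""


def parse_capture(text):
    """Turn the 'Key: value' lines of the header dump into a dict.

    Keys are lower-cased with whitespace normalised; lines without a colon
    (section headings such as 'IPv4 Header') are skipped. Splitting at the
    first colon keeps MAC addresses, which contain colons, intact.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = re.sub(r"\s+", " ", key.strip().lower())
        fields[key] = value.strip()
    return fields


def classify_flow(fields, local_lan, remote_lan, out_iface):
    """Decide why a captured packet did or did not take the IPsec tunnel.

    local_lan / remote_lan: the networks configured in the IPsec policy
    (assumed /24s below). out_iface: the interface the capture reports the
    packet leaving on ('ipsec0' is expected for tunnelled traffic).
    """
    src = ipaddress.ip_address(fields["source ip address"])
    dst = ipaddress.ip_address(fields["destination ip address"])
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)

    if dst not in remote:
        # Destination is outside the remote network: the policy never
        # matches, so this packet is not expected in the tunnel at all.
        return "not_tunnel_traffic"
    if src not in local:
        # Source is not inside the policy's local network (e.g. traffic
        # generated on the firewall itself): needs a manual IPsec route.
        return "firewall_originated_needs_ipsec_route"
    if out_iface.lower() != "ipsec0":
        # Policy-matching traffic is leaving on a non-tunnel interface.
        return "routing_problem_leaving_wan"
    # Traffic is on the tunnel path; if it still does not arrive, look at
    # the LAN-to-VPN firewall rule next.
    return "tunnel_path_ok_check_lan_to_vpn_rule"


if __name__ == "__main__":
    pkt = parse_capture(SAMPLE_CAPTURE)
    print("flow:", pkt["source ip address"], "->",
          pkt["destination ip address"], "port", pkt["destination port"])
    # Subnets and out interface are assumptions, not from the thread.
    print(classify_flow(pkt, "192.168.208.0/24", "192.168.201.0/24", "Port2"))
```

Run it against your own capture text and the local/remote networks from the IPsec policy; the verdict strings map directly onto the three things the reply above tells you to check (manual IPsec route, routing, LAN-to-VPN rule).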