I've set up a routed site-to-site IPSec tunnel from my local site (Sophos XG) to an access server (OPNSense). In general I'm trying to get OSPF routing via GRE via IPSec working but for the moment I'm still stuck with the basic IPSec tunnel + fw rules.
This tunnel seems to be working in general.
As you may see on the screenshot above:
Now I'm trying to reach my local site from the access server:
After that I've double-checked my firewall rules:
Then I tried to find something in the log viewer:
At least the ICMP packets are arriving and are allowed to pass.
Afterwards I've checked the corresponding traffic rule and found that the WAN rule is being applied to that traffic.
Finally I've checked the policies using the policy tester and found out this interesting stuff:
So I don't get why the normal ping ACS -> Local Site is matched by rule 13. Why isn't this traffic part of the VPN zone as it's supposed to be? Thanks in advance for your help!
The fact that the traffic isn't matching the auto generated rule 39 is also quite confusing.
I guess, the issue is the SA.
Basically you have the same network on both sites, isn't it?
So the XG will have a route to 172.16.0.0/24 on a local interface, which will overwrite the route to the remote site /32.
You should SNAT the traffic in the Tunnel.
In reply to LuCar Toni:
I'm not using any 172.16/12 subnet for local networks, so only the tunnel site is using these /32 addresses of the 172.16/12 address space.
In general I tried to avoid NAT on this tunnel in order to scope the firewall rules according to the OVPN assigned subnet.
Thanks for your help!
In reply to Elysweyr:
I cannot follow your query...
So what is the IP Address of those services? You have two Clients (/32) on both sites.
What you are saying is, that those Clients are not attached to XG at all?