Routed IPSec Tunnel - Traffic in wrong zone

Hello,
I've set up a routed site-to-site IPSec tunnel from my local site (Sophos XG) to an access server (OPNSense). In general I'm trying to get OSPF routing via GRE via IPSec working but for the moment I'm still stuck with the basic IPSec tunnel + fw rules.

This tunnel seems to be working in general.

As you may see on the screenshot above:

  • Access server (OPNSense): 172.16.0.1/32
  • Local site (Sophos XG): 172.16.0.2/32
Now I'm trying to reach my local site from the access server:

After that I've double-checked my firewall rules:

Then I tried to find something in the log viewer:

At least the ICMP packets are arriving and are allowed to pass.

Afterwards I've checked the corresponding traffic rule and found that the WAN rule is being applied to that traffic.
Finally I've checked the policies using the policy tester and found out this interesting stuff:

  1. ACS to Local Site - auto zone
  2. Local Site to ACS - auto zone
  3. ACS to Local Site - VPN zone
  4. Local Site to ACS - VPN zone

So I don't get why the normal ping ACS -> Local Site is matched by rule 13. Why isn't this traffic part of the VPN zone, as it's supposed to be?

Thanks in advance for your help!
Edit:

The fact that the traffic isn't matching the auto-generated rule 39 is also quite confusing.
Best regards,

Elys

  • I guess, the issue is the SA.

    • Access server (OPNSense): 172.16.0.1/32
    • Local site (Sophos XG): 172.16.0.2/32

    Basically you have the same network on both sites, isn't it?

    172.16.0.0/24? 

    So the XG will have a route to 172.16.0.0/24 on a local interface, which will overwrite the route to the remote site /32. 
    You should SNAT the traffic in the Tunnel.

    https://community.sophos.com/kb/en-us/123356

  • In reply to LuCar Toni:

    Hi Toni,
    I'm not using any 172.16/12 subnet for local networks, so only the tunnel side is using these /32 addresses of the 172.16/12 address space.

    In general I tried to avoid NAT on this tunnel in order to scope the firewall rules according to the OVPN assigned subnet.
    For example:

    • User 1 connects to the access server via OVPN
    • OVPN assigns the user to a specific subnet, e.g. 10.0.50.0/26
    • User 1 wants to access certain networks / resources on the local site (e.g. 10.1.60.0/24), and these privileges should be scoped by the subnet the client was assigned and the corresponding fw rules on the local site
    Thanks for your help!

  • In reply to Elysweyr:

    I cannot follow your query... 

    So what is the IP Address of those services? You have two Clients (/32) on both sites. 

    What you are saying is, that those Clients are not attached to XG at all?