IPSec Mikrotik to Sophos problem

Good day,

 

I am hoping to get some assistance with my issue.

I have set up an IPSec tunnel from a Mikrotik to my Sophos XG Firewall. It activates and connects successfully, and from the Mikrotik and the local network behind the Mikrotik I can ping back to the Sophos Firewall and the local network behind the Sophos Firewall, but from the Sophos Firewall I cannot ping the Mikrotik or anything behind the Mikrotik.

I have gone through various HowTos and set up my LAN-VPN and VPN-LAN firewall rules with and without NAT, depending on the HowTo, but have been unsuccessful.

I have checked the logs and I can see the traffic coming in through the IPSec tunnel, but nothing going back out the IPSec tunnel.

See screenshots below for the Sophos setup.

Any assistance would be much appreciated

  • Hello Timothy,

     

    The IPSec configuration and firewall rules seem to be fine. In your case, the problem seems to be on the remote side where the Mikrotik is deployed. A packet capture/tcpdump would be really helpful. Please initiate a continuous ping to any of the machines connected to the Mikrotik LAN and start the tcpdump on the XG Firewall.

     

    console> tcpdump 'host <Source IP address> and host <destination IP address>'

     

    -Asad

  • In reply to AsadulHasan:

    Thanks Asad for the response. I have run a tcpdump while running a continuous ping; see results below.

    For security I have replaced the Mikrotik external IP with MT_External_IP, the Mikrotik internal IP with MT_Internal_IP and the Sophos external IP with SF_External_IP.

    I have trimmed down the continuous ping as well.

    To me it seems that the Sophos Firewall doesn't know how to route the traffic through the IPSec tunnel.

     

    tcpdump: Starting Packet Dump
    10:16:09.377643 Port2, OUT: IP SF_External_IP.500 > MT_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:16:09.421766 Port2, IN: IP MT_External_IP.500 > SF_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:16:11.188430 Port2, IN: IP MT_External_IP.44679 > SF_External_IP.3478: UDP, length 28
    10:16:12.079370 Port2, IN: IP MT_External_IP.53144 > SF_External_IP.3478: UDP, length 28
    10:16:21.210771 Port2, IN: IP MT_External_IP.53893 > SF_External_IP.3478: UDP, length 28
    10:16:37.812752 Port2, IN: IP MT_External_IP.500 > SF_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:16:37.813051 Port2, OUT: IP SF_External_IP.500 > MT_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:16:39.190238 Port2, IN: IP MT_External_IP.500 > SF_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:16:39.190426 Port2, OUT: IP SF_External_IP.500 > MT_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:16:41.190847 Port2, IN: IP MT_External_IP.44679 > SF_External_IP.3478: UDP, length 28
    10:16:42.079861 Port2, IN: IP MT_External_IP.53144 > SF_External_IP.3478: UDP, length 28
    10:16:51.210602 Port2, IN: IP MT_External_IP.53893 > SF_External_IP.3478: UDP, length 28
    10:17:09.233586 Port2, OUT: IP SF_External_IP.500 > MT_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:17:09.284324 Port2, IN: IP MT_External_IP.500 > SF_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:17:11.190744 Port2, IN: IP MT_External_IP.44679 > SF_External_IP.3478: UDP, length 28
    10:17:12.096564 Port2, IN: IP MT_External_IP.53144 > SF_External_IP.3478: UDP, length 28
    10:17:21.213072 Port2, IN: IP MT_External_IP.53893 > SF_External_IP.3478: UDP, length 28
    10:17:39.321636 Port2, OUT: IP SF_External_IP.500 > MT_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:17:39.363194 Port2, IN: IP MT_External_IP.500 > SF_External_IP.500: isakmp: phase 2/others ? inf[E]
    10:17:41.299845 Port2, IN: IP MT_External_IP.44679 > SF_External_IP.3478: UDP, length 28
    10:17:42.084685 Port2, IN: IP MT_External_IP.53144 > SF_External_IP.3478: UDP, length 28

    21 packets captured
    21 packets received by filter
    0 packets dropped by kernel

     

    Pinging MT_Internal_IP with 32 bytes of data:
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.
    Reply from SF_External_IP: Destination host unreachable.

    Ping statistics for MT_Internal_IP:
    Packets: Sent = 186, Received = 185, Lost = 1 (0% loss),

  • In reply to Timothy Jee:

    Hello Timothy,

     

    The tcpdump shows the IPSec SA agreements. Once the tunnel is up and established, you don't have to worry about the external IP addresses. Please set the tcpdump filter as follows:

    console> tcpdump 'host <Internal IP address of Host in Mikrotik LAN> and icmp'

     

    Please keep the pings running, destined to the internal IP address of the host in the Mikrotik LAN.

  • In reply to AsadulHasan:

    See below the results of the tcpdump as requested:

     

    tcpdump: Starting Packet Dump
    10:46:35.862321 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16684, length 40
    10:46:35.862384 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16684, length 40
    10:46:36.867166 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16685, length 40
    10:46:36.867231 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16685, length 40
    10:46:37.879038 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16686, length 40
    10:46:37.879104 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16686, length 40
    10:46:38.888487 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16687, length 40
    10:46:38.888552 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16687, length 40
    10:46:39.898190 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16688, length 40
    10:46:39.898265 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16688, length 40
    10:46:40.909958 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16689, length 40
    10:46:40.910023 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16689, length 40
    10:46:41.919481 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16690, length 40
    10:46:41.919548 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16690, length 40
    10:46:42.925226 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16691, length 40
    10:46:42.925288 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16691, length 40
    10:46:43.936256 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16692, length 40
    10:46:43.936327 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16692, length 40
    10:46:44.942163 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16693, length 40
    10:46:44.942226 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16693, length 40
    10:46:45.950182 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16694, length 40
    10:46:45.950246 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16694, length 40
    10:46:46.959317 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16695, length 40
    10:46:46.959388 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16695, length 40
    10:46:47.969077 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16696, length 40
    10:46:47.969145 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16696, length 40
    10:46:48.978104 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16697, length 40
    10:46:48.978174 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16697, length 40
    10:46:49.984104 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16698, length 40
    10:46:49.984170 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16698, length 40
    10:46:54.628298 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16699, length 40
    10:46:54.628367 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16699, length 40
    10:46:55.636717 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16700, length 40
    10:46:55.636780 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16700, length 40
    10:46:56.647410 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16701, length 40
    10:46:56.647474 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16701, length 40
    10:46:57.656857 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16702, length 40
    10:46:57.656929 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16702, length 40
    10:46:58.665995 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16703, length 40
    10:46:58.666068 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16703, length 40
    10:46:59.674789 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16704, length 40
    10:46:59.674854 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16704, length 40
    10:47:00.679944 Port1, IN: IP SF_Internal_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16705, length 40
    10:47:00.679983 Port2, OUT: IP SF_External_IP > MT_Internal_IP: ICMP echo request, id 1, seq 16705, length 40

    44 packets captured
    51 packets received by filter
    0 packets dropped by kernel

  • In reply to Timothy Jee:

    Thanks for the logs Timothy. The issue seems to be with the routing table of the XG Firewall. Please check if you have any static routes or policy routes configured for the destination network. The XG Firewall is forwarding the traffic to the WAN interface, i.e. Port2, instead of the ipsec0 virtual interface. It should be showing Port1 as IN and ipsec0 as the outgoing interface, so I suspect the IPsec routes are missing or there are other routes with higher priority.

    You can try creating a new VPN configuration, add the IPsec route manually, or open a case with Sophos technical support.

    Here's the command to add the route manually:

     

    console> system ipsec_route add net <REMOTE LAN NETWORK> tunnelname <IPSec Tunnel Name>

    REMOTE LAN NETWORK should be in this format: 192.168.50.0/255.255.255.0
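    The capture Asad reads above has a clear signature: echo requests enter on Port1 and leave on Port2 with the inner addresses still visible and the source rewritten to the WAN address, so traffic meant for the tunnel is being sent out the WAN port without ESP wrapping. The script below is an added example for this thread, not code from the thread, from Sophos or from MikroTik. It parses lines in the format the XG console tcpdump printed and classifies them so that this leak stands out; the interface names, the documentation-range addresses and both sample captures are constructed.

```python
"""Classify a Sophos XG console tcpdump to see whether traffic for the remote
VPN LAN leaves through the IPsec interface or leaks out of the WAN port.

Added example for the thread, not Sophos or MikroTik code. Interface names,
address ranges and the two sample captures are constructed; they only mimic
the line format the console printed in the thread.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# e.g. "10:46:35.862384 Port2, OUT: IP 203.0.113.10 > 192.168.50.25: ICMP echo request, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)

@dataclass
class Packet:
    iface: str
    direction: str
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    dport: Optional[int]
    rest: str
    raw: str

@dataclass
class TunnelConfig:
    local_lan: ipaddress.IPv4Network
    remote_lan: ipaddress.IPv4Network
    wan_iface: str = "Port2"      # assumed WAN port, as in the thread's capture
    tunnel_iface: str = "ipsec0"  # XG's virtual IPsec interface

def _split_host_port(token: str):
    """tcpdump prints 'a.b.c.d.port' for TCP/UDP and plain 'a.b.c.d' for ICMP/ESP."""
    parts = token.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(token), None

def parse_capture(text: str):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # banner and "N packets captured" summary lines
            continue
        src, sport = _split_host_port(m["src"])
        dst, dport = _split_host_port(m["dst"])
        pkts.append(Packet(m["iface"], m["dir"], src, sport, dst, dport, m["rest"], line.strip()))
    return pkts

def classify(pkt: Packet, cfg: TunnelConfig) -> str:
    if pkt.direction == "OUT" and pkt.dst in cfg.remote_lan:
        if pkt.iface == cfg.wan_iface:
            # Inner addresses visible on the WAN wire: the packet was never wrapped in ESP.
            return "leaked_cleartext"
        if pkt.iface == cfg.tunnel_iface:
            return "tunneled"
    if pkt.iface == cfg.wan_iface and (
        pkt.rest.startswith(("isakmp", "ESP", "UDP-encap"))
        or 500 in (pkt.sport, pkt.dport) or 4500 in (pkt.sport, pkt.dport)
    ):
        return "ike_or_esp"  # IKE negotiation or the encrypted tunnel itself
    return "other"

def analyze(text: str, cfg: TunnelConfig) -> dict:
    counts = Counter()
    leaked = []
    for pkt in parse_capture(text):
        kind = classify(pkt, cfg)
        counts[kind] += 1
        if kind == "leaked_cleartext":
            leaked.append(pkt)
    # A non-LAN source on a leaked packet means MASQ/SNAT fired on the WAN path as well.
    snat_on_leak = any(p.src not in cfg.local_lan for p in leaked)
    if counts["leaked_cleartext"]:
        verdict = "remote-LAN traffic egresses the WAN port in cleartext: routing bypasses the tunnel"
    elif counts["tunneled"]:
        verdict = "remote-LAN traffic enters the IPsec interface as expected"
    else:
        verdict = "no outbound remote-LAN traffic seen"
    return {"counts": counts, "leaked": [p.raw for p in leaked],
            "snat_on_leak": snat_on_leak, "verdict": verdict}

CFG = TunnelConfig(ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("192.168.50.0/24"))

# Constructed capture mirroring the failing case: requests arrive on Port1 and leave on
# Port2 with the WAN address as source, while IKE informational exchanges still flow.
BROKEN_CAPTURE = """\
tcpdump: Starting Packet Dump
10:46:35.862321 Port1, IN: IP 192.168.10.5 > 192.168.50.25: ICMP echo request, id 1, seq 16684, length 40
10:46:35.862384 Port2, OUT: IP 203.0.113.10 > 192.168.50.25: ICMP echo request, id 1, seq 16684, length 40
10:46:36.867166 Port1, IN: IP 192.168.10.5 > 192.168.50.25: ICMP echo request, id 1, seq 16685, length 40
10:46:36.867231 Port2, OUT: IP 203.0.113.10 > 192.168.50.25: ICMP echo request, id 1, seq 16685, length 40
10:46:37.812752 Port2, IN: IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 2/others ? inf[E]
10:46:37.813051 Port2, OUT: IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others ? inf[E]
6 packets captured
"""

# Constructed capture of a working tunnel: plaintext on ipsec0, ESP on Port2.
HEALTHY_CAPTURE = """\
10:50:01.000100 Port1, IN: IP 192.168.10.5 > 192.168.50.25: ICMP echo request, id 1, seq 1, length 40
10:50:01.000150 ipsec0, OUT: IP 192.168.10.5 > 192.168.50.25: ICMP echo request, id 1, seq 1, length 40
10:50:01.000200 Port2, OUT: IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 88
10:50:01.020000 Port2, IN: IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x0d3c2b1a,seq=0x1), length 88
10:50:01.020100 ipsec0, IN: IP 192.168.50.25 > 192.168.10.5: ICMP echo reply, id 1, seq 1, length 40
"""

if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        r = analyze(cap, CFG)
        print(name, dict(r["counts"]), "snat_on_leak=%s" % r["snat_on_leak"], "->", r["verdict"])
```

    Paste the console output into `BROKEN_CAPTURE` (or read it from a file) and adjust `TunnelConfig` to the real LAN ranges; any `leaked_cleartext` hit is the routing problem Asad describes, and `snat_on_leak` tells you whether a MASQ rule also rewrote the source, which is why the peer would never see the original LAN address even if the packet did arrive.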

  • In reply to AsadulHasan:

    Thanks Asad, I thought this would be the case as well. I will go through my policy routing and set this IPSec route manually.

    I had tried setting it manually, but must have gotten the settings wrong; will give it another go.

     

    Many thanks for the assistance

    Timothy

  • In reply to Timothy Jee:

    Timothy,

     

    By default XG gives highest priority to the Policy routes. 

     

    Try changing the route precedence if you have got any Policy Routes configured:

    console> system route_precedence set vpn policyroute static
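    Why the order matters, as an added worked model rather than anything from the thread or from Sophos: with policy routes evaluated first, a "LAN to WAN" policy route matches the packet for the remote LAN before the VPN route is ever consulted, which is exactly the Port2 egress seen in the capture. The toy lookup below takes from the thread only that policy routes win by default and that `system route_precedence set vpn policyroute static` puts VPN routes first; the route entries, interface names, addresses and the longest-prefix tie-break within a class are assumptions.

```python
"""Toy model of the XG route-precedence decision for the thread's scenario.

Added example, not Sophos code. Only the precedence idea comes from the thread;
route entries, interface names, addresses and the per-class tie-break are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network

@dataclass
class Route:
    kind: str                                    # "policyroute", "vpn" or "static"
    dst: ipaddress.IPv4Network
    out_iface: str
    src: Optional[ipaddress.IPv4Network] = None  # policy routes may also match on source
    in_iface: Optional[str] = None               # ... and on the ingress interface

def matches(route: Route, src, dst, in_iface: str) -> bool:
    if dst not in route.dst:
        return False
    if route.src is not None and src not in route.src:
        return False
    if route.in_iface is not None and in_iface != route.in_iface:
        return False
    return True

def lookup(routes, precedence, src: str, dst: str, in_iface: str) -> Optional[Route]:
    """First route class in `precedence` with any match wins; inside a class, longest prefix."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind in precedence:
        hits = [r for r in routes if r.kind == kind and matches(r, src, dst, in_iface)]
        if hits:
            return max(hits, key=lambda r: r.dst.prefixlen)
    return None

ROUTES = [
    # A typical "send everything from the LAN out of the WAN" policy route (assumed).
    Route("policyroute", net("0.0.0.0/0"), "Port2", src=net("192.168.10.0/24"), in_iface="Port1"),
    # Route for the remote LAN that exists while the IPsec tunnel is up (assumed).
    Route("vpn", net("192.168.50.0/24"), "ipsec0"),
    # Ordinary default route.
    Route("static", net("0.0.0.0/0"), "Port2"),
]

DEFAULT_PRECEDENCE = ("policyroute", "vpn", "static")  # policy routes first, as the thread says
FIXED_PRECEDENCE = ("vpn", "policyroute", "static")    # after route_precedence set vpn policyroute static

def egress_iface(precedence, src="192.168.10.5", dst="192.168.50.25", in_iface="Port1"):
    r = lookup(ROUTES, precedence, src, dst, in_iface)
    return r.out_iface if r else None

if __name__ == "__main__":
    for name, order in (("default", DEFAULT_PRECEDENCE), ("fixed", FIXED_PRECEDENCE)):
        print(name, order, "-> remote LAN via", egress_iface(order),
              "| internet via", egress_iface(order, dst="198.51.100.99"))
```

    The same lookup with the policy route removed sends the remote-LAN packet to ipsec0 even under the default order, which is why Asad first asked whether any policy or static routes existed for the destination network: reordering is only needed when such a route is present and must stay.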

  • In reply to AsadulHasan:

    Thank you Asad, that has sorted out my issue.