
IPsec Site to Site

Has anyone set up an IPsec Site to Site VPN yet? I have everything set and am connecting (even though it will only connect one network and not all, but that's a different issue) to the remote firewall. Everything shows green in Settings/VPN/IPsec. However, I noticed the automatic firewall rule has been removed from the VPN setup. So I'm not able to communicate across the tunnel (mainly printing) and am guessing I need to put in a firewall rule to allow that communication to the remote network and vice versa. Can anyone help out with what that rule should be?

Thanks



  • You have to set up a policy to allow traffic from Zone LAN to Zone VPN if you want to allow traffic into the VPN network.
  • Hi DMR188,

    If I remember well, it is also needed to add a command for the IPsec route and a no-NAT command in the device console. It was discussed in the Partner Beta forum but it's unfortunately not available now for a known reason ...

    The command for the IPsec static route is:

    console> system ipsec_route add net A.B.C.D/P.Q.R.S tunnelname "ipsec tunnelname"

    but I do not remember the command for no NAT in the IPsec tunnel.

    alda
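As an added worked example (not from alda's post and not Sophos' own tooling), the script below takes the console syntax quoted above and builds one ipsec_route line per remote subnet, converting CIDR notation into the net A.B.C.D/P.Q.R.S form the command expects. It also refuses any remote subnet that overlaps the local LAN, since routing such a subnet into the tunnel would pull traffic away from local hosts. The tunnel name, the subnets and the helper name are constructed for illustration; check the exact command against your firmware's console help before pasting it.

```python
import ipaddress

# Constructed sample data: the LAN behind this XG and the subnets behind the
# peer. The third remote subnet overlaps the local LAN on purpose.
LOCAL_NETS = ["192.168.10.0/24"]
REMOTE_NETS = ["10.20.0.0/24", "10.20.1.0/24", "192.168.10.0/25"]
TUNNEL_NAME = "HQ-tunnel"   # assumed name of the IPsec connection on the XG


def ipsec_route_commands(tunnel_name, remote_nets, local_nets):
    """Return (commands, rejected).

    commands: one console line per usable remote subnet, in the
              'net A.B.C.D/P.Q.R.S tunnelname "..."' form quoted in the post.
    rejected: remote subnets that overlap a local subnet; routing those into
              the tunnel would steal traffic from local hosts, so they are
              reported instead of emitted.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]
    commands, rejected = [], []
    for n in remote_nets:
        # strict mode (the default) raises ValueError if host bits are set,
        # e.g. "10.20.0.5/24", rather than silently normalising a typo
        net = ipaddress.ip_network(n)
        if any(net.overlaps(l) for l in local):
            rejected.append(str(net))
            continue
        commands.append(
            f'system ipsec_route add net {net.network_address}/{net.netmask} '
            f'tunnelname "{tunnel_name}"'
        )
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = ipsec_route_commands(TUNNEL_NAME, REMOTE_NETS, LOCAL_NETS)
    print("\n".join(cmds))
    for b in bad:
        print(f"# skipped {b}: overlaps a local subnet")
```

Run it once per tunnel and paste the printed lines into the XG console; anything listed as skipped needs a re-addressing decision on one side rather than a route.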
  • I have the same problem with an IPsec connection between an XG85w and a UTM SG135. Both firewalls report that the tunnel is up and running but traffic will not cross the VPN tunnel. It is not a gateway problem on the network clients. All is set up properly on the clients. An IPsec tunnel between this UTM and a second UTM is running fine. I have tested many different policy settings on the XG85 but without any success. A traceroute "ends" on the XG85. No errors are reported in the logfiles. Just nothing. For me it seems that the XG85 firmware has a bug. Does someone else have a working IPsec tunnel running on an XG85? If so, can you please report how the setup is made so I can verify it against my setup? Thanks a lot in advance!
  • I also have this problem on the XG85 and I discovered it's because of the IPsec policy.

    If you use the Branch Office IPsec VPN policy on the XG.

    And use the following policy on the Sophos UTM:

    I can ping through the VPN.

    As soon as I change one setting on this policy on both sides, the VPN will come up but does not allow any traffic through. (Like: IKE encryption on both sides to AES 192)

  • Hi, thank you for the reply. I will test this soon. Currently I have an IPsec policy of:
    AES256 with SHA2 256 and Group 2 MODP 1024.
  • Hi Blao, you saved my life!!! Many many thanks for this reply; with this IPsec policy it is working! So it seems, as I already suspected, the XG firewall has some bugs in the firmware or so.
    Thanks a lot again!
  • The post from Blao is the solution. But it also shows that the XG firewall firmware has a bug, at least in the IPsec VPN connections / IPsec policies, or so.
  • I also found you have to create a policy allowing VPN > LAN on each end as well.
  • Would you be so kind as to confirm what the policy looked like?

    I have successfully got an IPsec VPN running in terms of connecting, but it's not passing traffic. I can't ping either end from the boxes.

    I have the following.

    Thanks.

    Identity - match rule based on user ID = off
    Source: Zone = LAN and VPN; Networks = Any; Services = Any; Schedule = All the time
    Destination: Zone = LAN and VPN; Networks = Any; Services = Any; Schedule = All the time
    Action = accept

    Everything else is standard or off.

    Sophos XG Certified Administrator

  • Basically that's what my setup is, except I have two separate policies for traffic going to the VPN and coming from the VPN. Instead of Source Zone LAN and VPN, I use Source Zone LAN, Destination Zone VPN, then another policy with Source Zone VPN, Destination Zone LAN.
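To make the difference between the two rule layouts in this thread concrete, here is an added example (not code from any poster and not Sophos' rule engine) that models zone-based firewall rules with Networks and Services set to Any, evaluated top-down, first match wins, with an implicit drop when nothing matches. That evaluation model and the rule names are assumptions made for the example. It compares the single LAN+VPN to LAN+VPN rule posted above, the split LAN to VPN / VPN to LAN pair from the last reply, and a LAN to VPN rule on its own, which is the situation where the tunnel is up but connections started at the remote site never get through.

```python
from dataclasses import dataclass
from itertools import product

ZONES = ("LAN", "VPN")


@dataclass(frozen=True)
class Rule:
    """A zone-based rule with Networks/Services = Any, as in the posted
    rule; only the zones decide whether it matches (simplifying assumption)."""
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    action: str = "accept"


def first_match(rules, src_zone, dst_zone):
    """Top-down, first-match evaluation of a new connection; None means
    no rule matched and the default action (drop) applies."""
    for r in rules:
        if src_zone in r.src_zones and dst_zone in r.dst_zones:
            return r
    return None


def decide(rules, src_zone, dst_zone):
    r = first_match(rules, src_zone, dst_zone)
    return r.action if r else "drop"


def policy_matrix(rules, zones=ZONES):
    """Decision for a connection initiated from each zone to each zone."""
    return {(s, d): decide(rules, s, d) for s, d in product(zones, repeat=2)}


# Rule set 1: the single rule posted above, LAN and VPN on both sides.
COMBINED = [
    Rule("LAN,VPN -> LAN,VPN", frozenset({"LAN", "VPN"}), frozenset({"LAN", "VPN"})),
]

# Rule set 2: the two directional rules from the last reply.
SPLIT = [
    Rule("LAN -> VPN", frozenset({"LAN"}), frozenset({"VPN"})),
    Rule("VPN -> LAN", frozenset({"VPN"}), frozenset({"LAN"})),
]

# Rule set 3: only the LAN -> VPN rule. Connections started at the remote
# site (a host there contacting a printer or server here) have no match.
ONE_WAY = SPLIT[:1]


if __name__ == "__main__":
    for label, rules in (("combined", COMBINED), ("split", SPLIT), ("one-way", ONE_WAY)):
        print(label)
        for (s, d), action in policy_matrix(rules).items():
            print(f"  {s:>3} -> {d:<3} {action}")
```

Two things fall out of the matrix. The combined rule also accepts LAN to LAN and VPN to VPN, which the split pair does not, so the pair is the tighter choice when you only want the two tunnel directions. And because the firewall tracks connection state, replies to LAN-initiated connections ride on the LAN to VPN rule; the VPN to LAN rule exists for connections initiated from the remote side, which is why it is needed on each end.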