I'm running an XG at my home and have an Ubuntu 20.04 host in a datacenter running strongswan ipsec. We are unable to make a basic IPSEC site-to-site connection. I have a server inside my home also running Ubuntu, and we can make the connection that way using port forwarding and basic firewall rules. We would like to connect my XG to my Ubuntu server instead. I know that the XG is running strongswan too, as that is the defacto IPSEC deployment method for Linux.
I drew a crude document diagram of what we are trying to achieve if it is needed.
Hi Sophos User3835,
Thank you for reaching out to the Community!
As long as you configure matching IPsec policy and connection detail, it’ll work.
Sophos XG uses the following files, located in /log…
Sophos XG uses the following files, located in /log/ directory, to trace the events related to IPSec:
Please refer to KB Sophos XG Firewall: Logfile guide for all the log files available on Sophos XG.
You can check the available/preconfigured policies or create new policies as required. Go to VPN > IPsec Policies.
Check out the following KBA for more info: Sophos XG Firewall: IPsec troubleshooting and most common errors.
For basic configuration on the XG side, check out the following KBA: Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key
Community Support Engineer | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts If a post solves your question use the 'Verify Answer' button.
Awesome. Thank-you for the logging information. You aren't going to believe this, but shortly after typing everything out I had that moment of clarity and managed to get it connected. Well, partially connected, as we still cannot ping vm's on the subnets defined in the connection and my virtual machine network can not reach the internet. Should I start a new discussion or can we troubleshoot here?
Hi Sophos User3835,
Did you configure firewall rules on the XG firewall? You would need LAN to VPN and VPN to LAN to allow traffic across the IPsec VPN tunnel.
You could also run a packet capture from the GUI on the destination IP to see if traffic is routed through the correct firewall rule and interface.
For the internet issue, can you share the local and remote network definitions? If you added Any in the remote network, remove it and define the remote side's local network.
Thank-you for responding. I'm not doing these rules correctly or something else is wrong. Per the drawing I posted originally, here is the breakdown of my networks:
I have created network objects that define these under Hosts and Services. My current rules are basic LAN to VPN and VPN to LAN using zones. I have tried using Any for the remote network and the defined objects for the networks, but neither are working correctly.
So far only my XG LAN can ping out to the Ubuntu VMNet.
I discovered an issue in my XG. The ipsec0 interface has a non-routable IP:
2: ipsec0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 16260 qdisc noqueue group 0x05 nfmark 0x200 nfmark6 0x200 nettype 0 state UNKNOWN group default qlen 1000 inet 169.254.234.5/32 scope global ipsec0
Also, ipsec statusall shows that it is listening on that same 169.254 IP.
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.14.38, x86_64): uptime: 10 hours, since Feb 23 08:32:42 2021 malloc: sbrk 4861952, mmap 0, used 683936, free 4178016 worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici xauth-generic xauth-access-server ippool-access-server cop-updown garner-logging error-notify unity
Listening IP addresses: 169.254.234.5
I believe there is something wrong with the XG.
Thank you for the update. The IP address you see on the IPsec0 interface is the Link-local address. The XG firewall assigns this IP address if it has any of the interfaces configured to receive its IP address from the DHCP server. In my LAB, I have a working site-to-site VPN and IPsec0 interface with a Link-local address.
Run packet capture on XG on the IP address that you're pinging from the Ubuntu LAN and share the screenshot.
I am attempting to ping from a host XG VMNet to a host on Ubuntu VMNet. The ping is failing.
Thank you for the screenshot.
It seems the traffic is leaving the XG firewall with the correct outbound interface, and it's not dropped by the firewall.
If you run a packet capture on Ubuntu, do you see any traffic from XG VMNet? Also, can you provide the screenshot of NAT rule 7?
No we do not see anything on the Ubuntu side in tcpdump. Here is the NAT rule #7
Thank you for the update. Please turn off this rule for testing, and share a new packet capture screenshot.
Disabled the NAT Rule ID #7. No change in status. Packet capture shows my WAN IP now as source.
Try to clear the conntrack entry from Advanced Shell for the source using the following command and run the packet capture:
conntrack -D -s <SourceIP>