XG to Ubuntu 20.04 Site-to-Site IPSEC won't connect

Hello all,

I'm running an XG at my home and have an Ubuntu 20.04 host in a datacenter running strongswan ipsec.  We are unable to make a basic IPSEC site-to-site connection.  I have a server inside my home also running Ubuntu, and we can make the connection that way using port forwarding and basic firewall rules.  We would like to connect my XG to my Ubuntu server instead. I know that the XG is running strongswan too, as that is the de facto IPSEC deployment method for Linux.

Questions:

  • Is this possible?
  • Where are the IPSEC logs?
  • Which encryption methods are used in the XG IPSEC configuration?

I drew a crude document diagram of what we are trying to achieve if it is needed.

Jeff

  • FormerMember
    +1 FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    As long as you configure matching IPsec policy and connection detail, it’ll work.

    Sophos XG uses the following files, located in /log/ directory, to trace the events related to IPSec: 

    File name               Purpose
    strongswan.log          IPSec VPN Service log
    charon.log              IPSec VPN Charon (IKE daemon) log
    strongswan-monitor.log  IPSec daemon monitoring log
    dgd.log                 Dead Gateway Detection and VPN Failover

    Please refer to KB Sophos XG Firewall: Logfile guide for all the log files available on Sophos XG.

    You can check the available/preconfigured policies or create new policies as required. Go to VPN > IPsec Policies. 

    Check out the following KBA for more info: Sophos XG Firewall: IPsec troubleshooting and most common errors.

    For basic configuration on the XG side, check out the following KBA: Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key

    Thanks,

  • Awesome.  Thank you for the logging information. You aren't going to believe this, but shortly after typing everything out I had that moment of clarity and managed to get it connected. Well, partially connected, as we still cannot ping VMs on the subnets defined in the connection and my virtual machine network cannot reach the internet.  Should I start a new discussion or can we troubleshoot here?

  • FormerMember
    0 FormerMember in reply to Sophos User3835

    Hi,

    Did you configure firewall rules on the XG firewall? You would need LAN to VPN and VPN to LAN to allow traffic across the IPsec VPN tunnel. 

    You could also run a packet capture from the GUI on the destination IP to see if traffic is routed through the correct firewall rule and interface. 

    For the internet issue, can you share the local and remote network definitions? If you added Any in the remote network, remove it and define the remote side's local network.

    Thanks,

  • Hello Harsh,

    Thank you for responding.  I'm not doing these rules correctly or something else is wrong. Per the drawing I posted originally, here is the breakdown of my networks:

    • Ubuntu LAN: 10.8.0.0/24
    • Ubuntu VMNet:  192.168.10.0/24
    • XG LAN: 10.71.1.0/24
    • XG VMNet: 192.168.122.0/24

    I have created network objects that define these under Hosts and Services.  My current rules are basic LAN to VPN and VPN to LAN using zones. I have tried using Any for the remote network and the defined objects for the networks, but neither are working correctly.

    So far only my XG LAN can ping out to the Ubuntu VMNet.

    Jeff

  • Hi Harsh, 

    I discovered an issue in my XG.  The ipsec0 interface has a non-routable IP:

    2: ipsec0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 16260 qdisc noqueue group 0x05 nfmark 0x200 nfmark6 0x200 nettype 0 state UNKNOWN group default qlen 1000
    inet 169.254.234.5/32 scope global ipsec0

    Also, ipsec statusall shows that it is listening on that same 169.254 IP.

    # ipsec statusall

    Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.14.38, x86_64):
    uptime: 10 hours, since Feb 23 08:32:42 2021
    malloc: sbrk 4861952, mmap 0, used 683936, free 4178016
    worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7

    loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici xauth-generic xauth-access-server ippool-access-server cop-updown garner-logging error-notify unity

    Listening IP addresses:
    169.254.234.5

    I believe there is something wrong with the XG.

  • FormerMember
    0 FormerMember in reply to Sophos User3835

    Hi,

    Thank you for the update. The IP address you see on the IPsec0 interface is the Link-local address. The XG firewall assigns this IP address if it has any of the interfaces configured to receive its IP address from the DHCP server. In my LAB, I have a working site-to-site VPN and IPsec0 interface with a Link-local address. 

    Run packet capture on XG on the IP address that you're pinging from the Ubuntu LAN and share the screenshot. 

    Thanks,

  • Harsh,

    I am attempting to ping from a host on XG VMNet to a host on Ubuntu VMNet.  The ping is failing.

  • FormerMember
    0 FormerMember in reply to Sophos User3835

    Hi,

    Thank you for the screenshot. 

    It seems the traffic is leaving the XG firewall with the correct outbound interface, and it's not dropped by the firewall. 

    If you run a packet capture on Ubuntu, do you see any traffic from XG VMNet? Also, can you provide the screenshot of NAT rule 7? 

    Thanks,

  • No, we do not see anything on the Ubuntu side in tcpdump.  Here is the NAT rule #7

  • FormerMember
    0 FormerMember in reply to Sophos User3835

    Hi,

    Thank you for the update. Please turn off this rule for testing, and share a new packet capture screenshot.

    Thanks,

  • Disabled the NAT Rule ID #7.  No change in status.  Packet capture shows my WAN IP now as source.

  • FormerMember
    0 FormerMember in reply to Sophos User3835

    Hi,

    Try to clear the conntrack entry from Advanced Shell for the source using the following command and run the packet capture: 

    conntrack -D -s <SourceIP>

    Thanks,
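An added example, not from this thread or from Sophos or strongSwan: a small Python check of the IPsec traffic selectors built from the four subnets Jeff listed, showing why the two peers must mirror each other's networks, why "Any" as the remote network pulls internet traffic into the tunnel, and why a source rewritten by SNAT to the WAN address (as in the last capture) no longer fits any selector. The WAN address 203.0.113.7 is a constructed placeholder, and the check assumes the selector lookup sees the post-NAT source, which is how policy-based IPsec behaves when SNAT runs first.

```python
from ipaddress import ip_address, ip_network

# Subnets as listed in the thread; the XG is "local", the Ubuntu host "remote".
XG_LOCAL = ["10.71.1.0/24", "192.168.122.0/24"]    # XG LAN, XG VMNet
UBUNTU_LOCAL = ["10.8.0.0/24", "192.168.10.0/24"]  # Ubuntu LAN, Ubuntu VMNet
ANY = ["0.0.0.0/0"]                                # the "Any" remote network


def selector_pairs(local, remote):
    """Every local/remote subnet combination the tunnel would protect."""
    return [(ip_network(l), ip_network(r)) for l in local for r in remote]


def mirrored(a_local, a_remote, b_local, b_remote):
    """Both peers must describe the same networks, just swapped."""
    return set(a_local) == set(b_remote) and set(a_remote) == set(b_local)


def tunnel_match(src, dst, local, remote):
    """Return the (local, remote) selector a flow falls into, or None.
    The addresses checked are the ones present when the IPsec policy is
    evaluated, so a source already rewritten by SNAT is what gets matched."""
    s, d = ip_address(src), ip_address(dst)
    for l, r in selector_pairs(local, remote):
        if s in l and d in r:
            return (str(l), str(r))
    return None


def diagnose(src, dst, local, remote, snat_to=None):
    """Explain whether a packet is tunnelled, optionally after SNAT."""
    effective_src = snat_to or src
    hit = tunnel_match(effective_src, dst, local, remote)
    if hit:
        return f"{src}->{dst} tunnelled via selector {hit[0]} -> {hit[1]}"
    if snat_to:
        return (f"{src}->{dst} leaves in clear: source became {snat_to} "
                f"after SNAT, outside every local selector")
    return f"{src}->{dst} leaves in clear: no selector covers this pair"


if __name__ == "__main__":
    print(mirrored(XG_LOCAL, UBUNTU_LOCAL, UBUNTU_LOCAL, XG_LOCAL))
    print(diagnose("192.168.122.10", "192.168.10.10", XG_LOCAL, UBUNTU_LOCAL))
    print(diagnose("192.168.122.10", "8.8.8.8", XG_LOCAL, ANY))  # "Any" eats internet
    print(diagnose("192.168.122.10", "192.168.10.10", XG_LOCAL, UBUNTU_LOCAL,
                   snat_to="203.0.113.7"))  # constructed WAN IP
```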
