
IPSec split tunneling problem

Hi community,

I am facing a problem when I try to tunnel only the traffic to my internal network and have other traffic, like the internet, forwarded to the user's remote gateway. In the IPsec remote access section I disabled "Make the firewall the default gateway" and entered only the networks that I want to tunnel through the VPN tunnel, but it's not working. When I connect using the Sophos Connect GUI I can't access anything, neither the internet nor the remote networks behind the firewall.

Of course I created a firewall rule to allow traffic from the IPsec IP range and VPN zone to access the desired network, with a linked NAT rule using MASQ as the source.

THANKS for the HELP GUYS!!



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Please ensure that you've imported .scx file to the Sophos Connect client from IPsec remote access connection.

    Can you please check the tracert output to any internal resource?

    If you're checking ICMP connectivity to the internal resource, then please check the packet capture (Diagnostics > Packet capture) on XG.

    Use BPF string: host <Sophos connect client IP> and proto ICMP

    eg. host 10.10.10.10 and proto ICMP

    If you're able to see the packets then you may try to link a NAT rule to the VPN to LAN firewall rule with default MASQ as SNAT.

  • Hi,

    It's still the same problem. I only routed 192.168.1.0/24 through the VPN tunnel. I am using the .scx file.

    When I connect I get traffic to the internet except for that specific route that passes through the IPsec tunnel.

    I have configured a firewall rule to allow traffic from my IPsec VPN range to 192.168.1.0/24 and linked a NAT rule with MASQ as SNAT.

    THANK YOU FOR YOUR HELP.

  • FormerMember (in reply to Youcef Rahmouni)

    Can you please check the routing table on the end machine after connecting the Sophos Connect client?

    Run the below command in cmd and confirm whether the route for the 192.168.1.0/24 network is present under 'IPv4 Route Table' or not.

    C:\Users\Admin>route print

    Also, please ensure that the home network isn't the same as the XG local network 192.168.1.0/24.

  • I checked the routing table and here is the result:

    Note that my local network is 192.168.43.0/24 with the gateway 192.168.43.1 and the remote network behind the firewall is 192.168.14.0/24. The tracert to that network is not showing any hop IP addresses.

    Thanks in advance.

  • FormerMember (in reply to Youcef Rahmouni)

    Route table looks good.

    Your machine has been assigned the 10.10.10.1 IP address by the Sophos Connect client.

    Please follow the below steps and share your observation:

    Assuming the 192.168.14.3 IP is live and reachable (ICMP) from the XG firewall.

    => Go to Diagnostics > Packet capture and put the BPF string as below.

    BPF string: host 192.168.14.3 and proto ICMP

    => In an SSH session, run the below command to capture dropped packets (the BPF filter is a single quoted string).

    console> drop-packet-capture 'host 192.168.14.3 and proto ICMP'

    => Connect the Sophos Connect client from the end user machine and ping 192.168.14.3 with the below command.

    C:\Users\Admin>ping -n 1 192.168.14.3

    => Check the packet capture and share a snapshot of it.

    I'd also request you to verify once on another client machine.

    Could you also please post a snapshot of the firewall rule configuration?

  • For the BPF string the output is as follows:

    In the SSH session nothing is displayed while pinging from the remote device:

    The ping result:

    I verified on another machine and it's still the same problem:

    The firewall rules are as follows:

    IPsec range is: 10.10.10.1 --> 10.10.10.100

    and destination VLAN is: 192.168.14.0/24

    NAT rule id 16 is as follows:

    and here is a firewall log:

    Firewall rule 13 is the one shown above.

    THANK YOU FOR YOUR HELP.

  • FormerMember (in reply to Youcef Rahmouni)

    As per the packet capture, the reply packet is being forwarded over the PortC interface instead of ipsec0.

    Do you have any static route or SD-WAN policy configured?

    Can you please perform a 'Route lookup' from Diagnostics > Tools for the 10.10.10.x network after connecting the Sophos Connect client?

    Also, please share the output of the below command from the CLI.

    Login to SSH > 5. Device Management > 3. Advanced Shell

    # ip route list

  • I don't have any SD-WAN configured.

    I have a default route through my public IP address configured on PortC.

    The 'Route lookup' from Diagnostics > Tools for 10.10.10.x showed me that 10.10.10.1 is on PortC (default route) and it is behind a router.

    But when I do this from my other XG firewall, which has the tunnel-all option for IPsec enabled, it shows me that my IPsec range is on interface ipsec0.

    # ip route list showed me:

    The blacked-out IP addresses are my public IP address.

  • FormerMember (in reply to Youcef Rahmouni1)

    XG doesn't require a default route. It automatically routes unknown network traffic out of the WAN interface.

    You may delete the default route, or you can follow the below steps to route 10.10.10.x traffic from Sophos Connect.

    => Login to SSH > 4. Device Console

    => Check the route precedence.

    console> system route_precedence show
    Routing Precedence:
    1. Policy routes
    2. Static routes
    3. VPN routes
    console>

    => Change the VPN routes precedence to sit above Static routes.

    console> system route_precedence set policyroute vpn static
    console> system route_precedence show
    Routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes
    console>

    => Add an IPsec route for the 10.10.10.x network to route the traffic via ipsec0.

    console> system ipsec_route add net 10.10.10.0/255.255.255.0 tunnelname <Sophos_Connect_connection_name>
    console> system ipsec_route show

  • Thank you Yash Kothari, this solved the problem.
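The accepted answer above hinges on two things: the order in which XG consults its route classes (policy, static, vpn) and whether a VPN route for the client pool exists at all. The script below is an added example, not part of the thread and not Sophos code. It models that lookup so the four situations discussed in the thread (static default route only, IPsec route added but static still first, default route deleted, VPN precedence raised above static) can be compared side by side. The class-first ordering with longest-prefix match inside the winning class is an assumption drawn from the thread's explanation, not from Sophos documentation; the addresses are the thread's own (10.10.10.x client pool, 192.168.14.0/24 LAN on PortB, static default on PortC), and the route table is constructed.

```python
"""Route-lookup model for the split-tunnel problem in this thread.

Added example, not from the thread or from Sophos. Assumption: XG walks
the route classes in the order reported by `system route_precedence show`
and, within the first class that has any match, picks the longest prefix.
All routes below are constructed to mirror the poster's setup.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    cls: str       # route class: "policy", "static" or "vpn"
    prefix: str    # destination in CIDR notation
    dev: str       # egress interface on the firewall


def egress_interface(dst: str, routes: List[Route],
                     precedence: Tuple[str, ...]) -> Optional[str]:
    """Return the interface the model would use for dst, or None if unrouted.

    Classes are tried in precedence order; the first class holding any
    matching prefix wins, and inside it the most specific prefix is chosen.
    """
    addr = IPv4Address(dst)
    for cls in precedence:
        hits = [r for r in routes
                if r.cls == cls and addr in IPv4Network(r.prefix)]
        if hits:
            best = max(hits, key=lambda r: IPv4Network(r.prefix).prefixlen)
            return best.dev
    return None


# Constructed table matching the poster's firewall: a static default
# route on PortC (WAN) and the connected LAN on PortB.
DEFAULT_ROUTE = Route("static", "0.0.0.0/0", "PortC")
LAN_ROUTE = Route("static", "192.168.14.0/24", "PortB")

# The IPsec route the accepted answer adds with `system ipsec_route add`.
IPSEC_ROUTE = Route("vpn", "10.10.10.0/24", "ipsec0")

DEFAULT_PRECEDENCE = ("policy", "static", "vpn")  # as shown in the thread
FIXED_PRECEDENCE = ("policy", "vpn", "static")    # after route_precedence set


def reply_path_scenarios(client_ip: str = "10.10.10.1") -> Dict[str, Optional[str]]:
    """Egress interface for the LAN -> VPN-client reply in each thread scenario."""
    return {
        # What the poster saw: reply leaves on PortC instead of ipsec0.
        "default_route_only": egress_interface(
            client_ip, [DEFAULT_ROUTE, LAN_ROUTE], DEFAULT_PRECEDENCE),
        # IPsec route present but static class still consulted first.
        "ipsec_route_added": egress_interface(
            client_ip, [DEFAULT_ROUTE, LAN_ROUTE, IPSEC_ROUTE], DEFAULT_PRECEDENCE),
        # First option in the answer: drop the static default route.
        "default_route_deleted": egress_interface(
            client_ip, [LAN_ROUTE, IPSEC_ROUTE], DEFAULT_PRECEDENCE),
        # Second option: keep the default route but put vpn above static.
        "vpn_above_static": egress_interface(
            client_ip, [DEFAULT_ROUTE, LAN_ROUTE, IPSEC_ROUTE], FIXED_PRECEDENCE),
    }


if __name__ == "__main__":
    for step, dev in reply_path_scenarios().items():
        print(f"{step:22s} -> {dev}")
```

Under this model the reply to the client stays on PortC until either the static default route is removed or the vpn class is moved ahead of static; the LAN route itself is unaffected by the precedence change because the vpn class has no prefix covering 192.168.14.0/24.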