I am facing a problem when i try to tunnel only the traffic to my internal network and other traffic like the internet forwarded to user's remote gateway, in the IPsec remote access section i disabled "make the firewall the default gateway" and entered only the networks that i want to tunnel through the vpn tunnel but its not working.when i connect using sophos connect GUI i can't have access to anything neither the internet nor the remote networks behind the firewall.
Ofcourse i created a firewall rule to allow traffic from the IPSEC IP RANGE and VPN zone to access the desired network with a linked NAT with MASQ as the source.
THANKS for the HELP GUYS!!
Hi Youcef Rahmouni,
Thank you for reaching out to Sophos Community.
Please ensure that you've imported .scx file to the Sophos Connect client from IPsec remote access connection.
Can you please check the tracert output to any internal resource?
If you're checking ICMP connectivity to the internal resource, then please check the packet capture(DIagnostics > Packet capture) on XG.
Use BPF string: host <Sophos connect client IP> and proto ICMP
eg. host 10.10.10.10 and proto ICMP
If you're able to see the packets then you may try to link a NAT rule to VPN to LAN firewall rule with default MASQ as SNAT.
it still the same problem i only routed 192.168.1.0/24 through the vpn tunnel.i am using the .scx file.
when i connect i get traffic to internet except for that specific route that passess through the IPSEC TUNNEL.
I have configured a firewall rule to allow traffic from my IPSEC VPN RANGE to 192.168.1.0/24 and linked a NAT rule with MASQ as SNAT.
THANK YOU FOR YOUR HELP.
Can you please check the routing table on the end machine after connecting the Sophos Connect client?
Run the below command in cmd and confirm whether the route for 192.168.1.0/24 network is present under 'IPv4 Route Table' or not.
Also, please ensure that the home network isn’t same as XG local network 192.168.1.0/24
I checked the routing table and here is the result :
note that my local network is 192.168.43.0/24 with the gateway 192.168.43.1 and the remote newtwork behind the firewall is 192.168.14.0/24. the tracert to that network is not showing any HOPs ip addresses.
Thanks in advance.
Route table looks good.
Your machine has assigned with 10.10.10.1 IP address by Sophos COnnect client.
Request to please follow the below steps and share your observation:
Assuming 192.168.14.3 IP is live and is reachable(ICMP) from the XG firewall.
==> Go to Diagnostics > Packet capture and put BPF string as below.
BPF string: host 192.168.14.3 and proto ICMP
=> In SSH session, run below command to capture drop packets.
console> drop-packet-capture 'host 192.168.14.3 and proto ICMP
==> Connect Sophos connect client from end user machine and ping 192.168.14.3 with below command.
C:\Users\Admin>ping -n 1 192.168.14.3
==> Check the packet capture and share a snapshot of it.
I'd also request you to once verify in other client machine.
Could you also please post a snapshot of the firewall rule configuration?
For the BPF string the output is as follows:
in the ssh session nothing is displayed while pinging from the remote device :
th ping result :
I verified in another machine and it still the same problem :
the firewall rules are as follows :
IPSec range is : 10.10.10.1 --> 10.10.10.100
and destination VLAN is : 192.168.14.0/24
NAT rule id 16 is as follows :
and here is a firewall log :
the firewall rule 13 is the one show above.
THANK YOU FOR YOUR HELP.
As per the packet capture, the reply packet is being forwarded over PortC interface instead of ipsec0.
Do you have any static route or SD-WAN policy configured?
Can you please perform a 'Route lookup' from Diagnostics > Tools for 10.10.10.x network after connecting Sophos Connect client?
Also, please share output of the below command from CLI.
Login to SSH > 5. Device Management > 3. Advanced Shell
# ip route list
I don't have any SD-WAN configured
I have a default route through my public ip address configured on PORTC
the 'Route lookup' from Diagnostics > Tools for 10.10.10.x showed me 10.10.10.1 is on PORTC (default route) and it is behind a router.
but when i do this from my other xg firewall that have tunnel all option for ipsec enabled it show my that my ipsec range is on interface ipsec0.
#iproute list showed me :
the blacked ip address are my public ip address.
XG doesn't require a default route. It automatically routes unknown network traffic from the WAN interface.
You may delete a default route or can follow the below steps to route 10.10.10.x traffic from Sophos Connect.
==> Login to SSH > 4. Device Console
=> Check route precedence.
console> system route_precedence showRouting Precedence:1. Policy routes2. Static routes3. VPN routesconsole>
=> Change VPN routes precedence on top of Static routes.
console> system route_precedence set policyroute vpn staticconsole> system route_precedence showRouting Precedence:1. Policy routes2. VPN routes3. Static routesconsole>
=> Add an IPsec route for 10.10.10.x network to route the traffic from ipsec0
console> system ipsec_route add net 10.10.10.0/255.255.255.0 tunnelname <Sophos_Connect_connection_name>console> system ipsec_route show
thank you Yash Kothari this is solved the problem.