This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG210 reaching AD server over IPsec

Under Configure > Authentication, I’ve added an AD server that is reachable over an IPsec connection, however I have been unable to have a successful test.

Details:
The Sophos XG210 is at 10.2.30.1
The IPsec site-to-site connection name is IPSECAD
The AD server reachable over IPsec is 10.80.1.10

I’ve tried running the following commands in the CLI:

system ipsec_route add host 10.80.1.10 tunnelname IPSECAD
set advanced-firewall sys-traffic-nat add destination 10.80.1.10 snatip 10.2.30.1

After that, I disconnect/reconnect the IPsec tunnel, but the Sophos XG 210 still cannot reach the 10.80.1.10.

The IPsec tunnel does appear to be working properly, as from my computer, I can reach 10.80.1.10 without an issue.

What am I missing?

This thread was automatically locked due to age.

Top Replies

Tony Atkins over 2 years ago in reply to FormerMember +2 suggested

I found the problem - I changed the following command: set advanced-firewall sys-traffic-nat add destination 10.80.1.10 snatip 10.2.30.1 To: set advanced-firewall sys-traffic-nat add destination…

0 emmosophos over 2 years ago

Hello Tony,

Thank you for contacting the Sophos Community.

The AD server is behind another XG Device?

Try doing a packet capture using the GUI for port 389 to see if you see this traversing the tunnel, if so check on the side where the AD is located where the packets are ending.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Tony Atkins over 2 years ago in reply to emmosophos

Thank you! I was able to see the traffic going to/from the AD server via "ipsec0". How can I tell that is the right IPsec connection, which should be "IPSECAD"?
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 2 years ago in reply to Tony Atkins

ipsec0 is a virtual interface for all site-to-site tunnels, traffic will be routed through the respective tunnel based on VPN routes.

Can you please share a snapshot of the packet capture?
Cancel
Vote Up 0 Vote Down

Cancel
0 Tony Atkins over 2 years ago in reply to FormerMember

I found the problem - I changed the following command:

set advanced-firewall sys-traffic-nat add destination 10.80.1.10 snatip 10.2.30.1

To:

set advanced-firewall sys-traffic-nat add destination 10.80.1.10 snatip 10.2.32.30

And now it works perfectly.

10.2.32.30 is an unused IP. I guess it can't be the same as the LAN interface IP of the firewall...
Cancel
Vote Up +2 Vote Down

Cancel
0 FormerMember over 2 years ago in reply to Tony Atkins

You can use any IP address from the subnet which is a part of IPsec child SA. That IP address will only be used to translate the source address of the packet going to a specific destination.
Cancel
Vote Up 0 Vote Down

Cancel
0 SEBBEC over 2 years ago in reply to FormerMember

The solution worked i can now check test the connection to the AD server over the IPSEC conenction but no one is listed in the current activities list. seemed that no one is authenticated.

do you know if we need to do something else.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 2 years ago in reply to SEBBEC

Hi SEBBEC,

Users will have authenticate through one of the authentication methods of the Sophos Firewall.

Ensure that AD server is added in 'Authentication server list' under Authentication > Services.
Cancel
Vote Up 0 Vote Down

Cancel
0 SEBBEC over 2 years ago in reply to FormerMember

Hi Yash,

Yes i have the two authentication servers added under authentications services
Cancel
Vote Up 0 Vote Down

Cancel