
Firewall Traffic gets routed in full-tunnel IPsec VPN

Hi there,

Since we upgraded our XG to 18.0.4 we have had an issue with traffic (e.g. DNS / ICMP) originating from the firewall itself.

We have a full-tunnel IPsec VPN configured for all client subnets to our data center and it seems that routing for the firewall itself is broken now.

SG230_WP02_SFOS 18.0.4 MR-4# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

------------

SG230_WP02_SFOS 18.0.4 MR-4# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
1 x.x.x.x (IP of Remote VPN-Gateway) 11.644 ms * *
2 * * *
3 * x.x.x.x (IP of Remote VPN-Gateway) 11.576 ms 37.854 ms

------------

SG230_WP02_SFOS 18.0.4 MR-4# nslookup www.google.de
;; connection timed out; no servers could be reached

------------

I know there is a KB article (Sophos XG Firewall: How to Route Sophos Firewall Initiated Traffic Through an IPSec VPN tunnel), but my issue is the exact opposite.
I do not have any rules like the ones described configured.
------------

edit: Output of route lookup:

Route lookup Result
8.8.8.8 is located on the ipsec0
8.8.8.8 is not behind a router.

------------

Anybody had similar issues or any idea how to solve this?

Thanks

  • I can't share any more screenshots with sensitive data. Please see the text below:

    I have configured the following networks in the VPN connection. This is the only VPN connection configured on the device.
    remote subnet: any
    local subnet: 10.64.0.0/21

    no additional/manual routes have been added to the system.

    packet capture (10.64.0.1 is the IP of the firewall):

    SG230_WP02_SFOS 18.0.4 MR-4# ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    ^C
    --- 8.8.8.8 ping statistics ---
    7 packets transmitted, 0 packets received, 100% packet loss

    as already mentioned route lookup from diagnostics page:

  • The problem is, SFOS is doing exactly what you tell the system to do. Your traffic matches the IPsec route: 10.64.0.1 to ANY. Therefore it gets routed into the tunnel.

    You would have to create a new SNAT rule (MASQ) and use another IP which does not match the IPsec route; this could resolve the issue.

    Check the System for IPsec NAT Rules. https://support.sophos.com/support/s/article/KB-000035848?language=en_US


  • you can narrow it down from the CLI also:

    Checked this on a small XG with probably similar configuration as yours:

    XG106_XN01_SFOS 18.0.4 MR-4# ip route get 8.8.8.8
    8.8.8.8 via 10.1.254.2 dev Port2 table gw1 src 10.1.254.1 uid 0
        cache

    So WAN is on Port2 and the GW is 10.1.254.2 -> look at uid 0

    XG106_XN01_SFOS 18.0.4 MR-4# ip rule list
    0:      from all lookup local            <- uid0
    51:     from all fwmark 0x4001 lookup gw1
    52:     from all fwmark 0x200 lookup routeipsec0
    53:     from all lookup main
    150:    from all fwmark 0x8001 lookup gw1
    151:    from 10.1.254.1 lookup wanlink1
    220:    from all iif lo lookup 220
    221:    from all lookup multilink
    32766:  from all lookup main
    32767:  from all lookup default


    XG106_XN01_SFOS 18.0.4 MR-4# ip route show table 0
    default via 10.1.254.2 dev Port2 table wanlink1 proto static src 10.1.254.1
    prohibit default table wanlink1 proto static metric 1
    default via 10.1.254.2 dev Port2 table gw1 proto static
    prohibit default table gw1 proto static metric 1
    default dev ipsec0 table routeipsec0 scope link
    default via 10.1.254.2 dev Port2 table multilink proto static

    So yes, probably a MASQ rule and SNAT are missing.

    Fw Rule:

    NAT rule 4:

  • The problem is:

    With SFOS 17.5.x everything worked; since 18.0.x the problem exists as described.

    I want the firewall-initiated traffic to be sent out to the default gateway (not into the tunnel) as it worked before. With the current behavior I cannot use the firewall as a DNS server, because it is trying to resolve everything through the tunnel and the firewall on the other side does not allow this communication. I cannot change this!

    Not sure how your KB article will help here.

  • And with this version change the NAT binding has changed. So you need to review your settings in NAT.

    We were lucky; our migrated NAT rules worked after migration.

  • I get your point, but why would I need to configure NAT rules for firewall-initiated traffic?

    We had those "sys-traffic-nat" CLI commands for that earlier; are they obsolete now?

    Regarding the packet capture: why is the firewall even initiating the traffic from the LAN interface when the shortest way would be to initiate it from the WAN interface?

    btw:

    Of course I do have a default NAT rule:

  • I ran the same ip commands as you. They look different:

    SG230_WP02_SFOS 18.0.4 MR-4# ip route get 8.8.8.8
    8.8.8.8 dev ipsec0 table 220 src 10.64.0.1 uid 0
    cache


    SG230_WP02_SFOS 18.0.4 MR-4# ip rule list
    0: from all lookup local
    50: from all lookup main
    51: from all fwmark 0x4001 lookup gw1
    52: from all fwmark 0x200 lookup routeipsec0
    150: from all fwmark 0x8001 lookup gw1
    151: from 172.16.64.148 lookup wanlink1
    220: from all iif lo lookup 220
    221: from all lookup multilink
    32766: from all lookup main
    32767: from all lookup default


    SG230_WP02_SFOS 18.0.4 MR-4# ip route show table 0
    default via 172.16.64.145 dev PortE1 table wanlink1 proto static src 172.16.64.148
    prohibit default table wanlink1 proto static metric 1
    default via 172.16.64.145 dev PortE1 table gw1 proto static
    prohibit default table gw1 proto static metric 1
    default dev ipsec0 table routeipsec0 scope link
    default via 172.16.64.145 dev PortE1 table multilink proto static
    default dev ipsec0 table 220 scope link src 10.64.0.1 <-maybe this is the issue?

  • So you have a NAT route. That's good.

    what does  

    ip route show table wanlink1

    show you?

    And what happens if you edit and re-save the config of PortE1 without a change? Be aware of a VPN reconnect.

  • "default dev ipsec0 table 220 scope link src 10.64.0.1 <-maybe this is the issue?"

    that is the cause of your issue

    Edit: but this is only for table 220 - the IPSec Networks (ip route show table 220 (don't post the result))

  • SG230_WP02_SFOS 18.0.4 MR-4# ip route show table wanlink1
    default via 172.16.64.145 dev PortE1 proto static src 172.16.64.148
    prohibit default proto static metric 1

    re-saving the interface configuration had no effect. traffic is still routed into the tunnel.

  • I think there is nothing sensitive in it:
    SG230_WP02_SFOS 18.0.4 MR-4# ip route show table 220
    default dev ipsec0 scope link src 10.64.0.1

    any thoughts what to check or try next?
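To make the diagnosis in the thread concrete, here is an added example (not code from the thread, from Sophos or from SFOS) that replays the `ip rule list` and `ip route show table 0` output posted for the SG230 through a simplified model of Linux policy routing. The model is an assumption of this example: only the `from`, `fwmark` and `iif` selectors that appear in the posted output are implemented, a locally generated packet is looked up with iif `lo` as the kernel does for output routes, and a table with no covering route falls through to the next rule. Tables not shown in the posted output (local, main) are treated as empty for the 8.8.8.8 lookup. It shows that with no fwmark and no bound source address, rule 220 (`iif lo`) together with the `default dev ipsec0` route in table 220 wins before the multilink table at priority 221 is ever consulted, which is exactly what the posted `ip route get 8.8.8.8` reported; it also shows what changes when that route is absent, and when the socket is bound to the WAN address so that rule 151 matches first.

```python
"""Replay Linux policy-routing lookups from posted `ip rule` / `ip route` output.

Example code, not part of the thread or of SFOS. Simplified model: selectors
from/fwmark/iif, locally generated traffic uses iif "lo", longest prefix then
lowest metric within a table, and a table without a covering route falls
through to the next rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# `ip rule list` and `ip route show table 0` of the SG230, copied from the thread.
SG230_RULES = """\
0: from all lookup local
50: from all lookup main
51: from all fwmark 0x4001 lookup gw1
52: from all fwmark 0x200 lookup routeipsec0
150: from all fwmark 0x8001 lookup gw1
151: from 172.16.64.148 lookup wanlink1
220: from all iif lo lookup 220
221: from all lookup multilink
32766: from all lookup main
32767: from all lookup default
"""
SG230_ROUTES = """\
default via 172.16.64.145 dev PortE1 table wanlink1 proto static src 172.16.64.148
prohibit default table wanlink1 proto static metric 1
default via 172.16.64.145 dev PortE1 table gw1 proto static
prohibit default table gw1 proto static metric 1
default dev ipsec0 table routeipsec0 scope link
default via 172.16.64.145 dev PortE1 table multilink proto static
default dev ipsec0 table 220 scope link src 10.64.0.1
"""


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[ipaddress.IPv4Network]  # None means "from all"
    fwmark: Optional[int]                 # None means no fwmark selector
    iif: Optional[str]                    # None means any incoming interface


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    table: str
    dev: Optional[str]
    via: Optional[str]
    src: Optional[str]
    metric: int
    prohibit: bool


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        prio, src, fwmark, iif, table = int(toks[0].rstrip(":")), None, None, None, "main"
        for key, val in zip(toks[1::2], toks[2::2]):
            if key == "from" and val != "all":
                src = ipaddress.ip_network(val, strict=False)
            elif key == "fwmark":
                fwmark = int(val, 16)
            elif key == "iif":
                iif = val
            elif key == "lookup":
                table = val
        rules.append(Rule(prio, table, src, fwmark, iif))
    return sorted(rules, key=lambda r: r.prio)


def parse_routes(text):
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        prohibit = toks[0] == "prohibit"
        if prohibit:
            toks = toks[1:]
        dst = ipaddress.ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0], strict=False)
        attrs = dict(zip(toks[1::2], toks[2::2]))
        routes.append(Route(dst, attrs.get("table", "main"), attrs.get("dev"), attrs.get("via"),
                            attrs.get("src"), int(attrs.get("metric", 0)), prohibit))
    return routes


def lookup(rules, routes, dst, src=None, fwmark=0, iif="lo"):
    """Return (rule priority, table, chosen route) for a locally generated packet, or None."""
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(src) if src else None
    for rule in rules:  # rules are walked in ascending priority, as the kernel does
        if rule.src is not None and (src is None or src not in rule.src):
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        if rule.iif is not None and rule.iif != iif:
            continue
        hits = [r for r in routes if r.table == rule.table and dst in r.dst]
        if not hits:
            continue  # empty table or no covering prefix: fall through to the next rule
        best = max(hits, key=lambda r: (r.dst.prefixlen, -r.metric))
        return rule.prio, rule.table, best
    return None


def without_table(routes, table):
    return [r for r in routes if r.table != table]


def describe(result):
    if result is None:
        return "unreachable"
    prio, table, r = result
    if r.prohibit:
        return f"rule {prio} table {table}: prohibit"
    hop = f"via {r.via} " if r.via else ""
    return f"rule {prio} table {table}: {hop}dev {r.dev} src {r.src}"


if __name__ == "__main__":
    rules, routes = parse_rules(SG230_RULES), parse_routes(SG230_ROUTES)
    print("as posted    :", describe(lookup(rules, routes, "8.8.8.8")))
    print("no table 220 :", describe(lookup(rules, without_table(routes, "220"), "8.8.8.8")))
    print("bound to WAN :", describe(lookup(rules, routes, "8.8.8.8", src="172.16.64.148")))
```

The first lookup reproduces the posted `ip route get` result (table 220, dev ipsec0, src 10.64.0.1): main at priority 50 has no default route, the fwmark rules do not apply to an unmarked ping, rule 151 needs a source address that has not been chosen yet, so rule 220 is the first one whose table covers 8.8.8.8. Removing the table 220 default lets the same packet fall through to multilink and PortE1, and binding a socket to 172.16.64.148 makes rule 151 win, which is why the source address the firewall picks (or is forced to pick through NAT) decides the path.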