Site to Site VPN Routing

Configured Site to Site VPNs on the XG.

The Tunnel is green on both sites and I let the tunnels create the automatic firewall rules, but I am unable to ping across them.

I am missing the routes needed?

I have multiple networks on both sides, but decided for routing purposes to lump it all into one network.

Example:

Local:

172.18.0.0/16 

Remote

172.19.0.0/16

Not seeing anything in the logs - are there logs to check?

Thanks



Edited TAGs
[edited by: emmosophos at 10:33 PM (GMT -7) on 15 Jul 2021]
  • Hi ,

    Thank you for reaching out to Sophos Community.

    I have multiple networks on both sides, but decided for routing purposes to lump it all into one network.

    Can you please share more information on this?

    It seems to be an issue with configured child SAs(subnets).

    It would be great if you share configuration snapshots as well.

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Yash,

    Attached are screenshots from both the firewalls, the top will be the head office followed by the remote office.

    Even though there are multiple /24 networks at both locations, to make routing easier I wanted to summarize the networks.

    Firewall Head Office networks...

    172.20.5.0/24

    172.20.6.0/24

    172.20.7.0/24

    Summarize to 172.20.0.0/16

    Remote Office networks...

    172.21.5.0/24

    172.21.6.0/24

    172.21.7.//24

    Summarize to 172.21.0.0/16

    Those networks are shown in the screenshots, the tunnels are green and up on the Firewalls.

    Thanks for the help.

    =

  • Check the packet flow by following the steps below.

    ==> Go to Diagnostics > Packet capture

    ==> Enter BPF string: host <Remote network IP> and proto ICMP

    eg: host 172.21.5.155 and proto ICMP

    ==> Start the capture and initiate a ping from any of the end machine located in firewall Head Office network(172.20.5.0/24, 172.20.6.0/24 or 172.20.7.0/24).

    >ping -n 2 172.21.5.155

    Share capture snapshot here or in PM.

    Is there any SD-WAN policy configured under Configure > Routing > SD-WAN policy routing?

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Yash,

    Attached is the packet capture, so there is traffic coming from the Head Office, but either it is not reaching the target or the device does not know how to route the packet back. 

    I am able to ping the device from the Remote Firewall with no issues so it is reachable, but unable to ping the remote device from the Head Office.

    I have not set any SD-WAN policies.

    Thanks, Ben

  • FormerMember
    0 FormerMember 2 months ago in reply to Ben Sanderson

    Hi ,

    Thank you for the screenshots. 

    It seems the firewall forwards the ping request, but there's no reply. Is ping allowed on the destination host and the VPN zone on both firewalls? 

    I'd also suggest you add a VPN and LAN zones in the firewall rules instead of adding "Any." 

    Thanks,

  • Harsh and Yash,

    It is working now, but again not sure I like how it is done, I have applied a NAT rule on the remote side. Once this was applied I am able to ping across.

    Please confirm if this is best practice.

    Thanks,

    Ben

  • As per the previous packet capture snapshot, traffic coming from 172.16.1.120 machine(head office) is getting forwarded via firewall rule ID 12 to internal machine 172.19.1.1 but there is no response to the ICMP request.

    There could be 2 possibilities:

    • 172.19.1.1 is not replying to ICMP requests coming from 172.16.1.120 source address.
    • 172.19.1.1 is replying to ICMP requests but the reply packet isn’t reaching the Sophos Firewall. If you have an L3 device connected in between Sophos Firewall and end machine then I'd suggest adding a reverse route for the reply packet.

    After applying the SNAT policy, the source address in the ICMP request will be translated to the outgoing interface IP address(Port5.9).

    Check the packet flow again to get better clarification.

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Yash,

    After the SNAT change, able to ping the remote devices from local devices. Again not sure if it is best practice to use SNAT for Site to Site.

    But, I am unable to ping the remote devices from the local Sophos SSL VPN Connection. I see the packets leaving the firewall but do not see them on the remote firewall. 

    These captures are from the Local Firewall that has the SSL VPN connection trying to ping something on the remote site-to-site network.

  • It seems the traffic is being NATed with your public IP address.

    In VPN to VPN firewall rule, apply SNAT as your LAN interface IP address. Refer to the article below for more information on "Allow Remote Access SSL VPN Traffic Over an Existing IPsec Tunnel"

    support.sophos.com/.../KB-000037043

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.