Configured Site to Site VPNs on the XG.
The Tunnel is green on both sites and I let the tunnels create the automatic firewall rules, but I am unable to ping across them.
Am I missing the routes needed?
I have multiple networks on both sides, but decided for routing purposes to lump it all into one network.
Not seeing anything in the logs - are there logs to check?
Hi Ben Sanderson,
Thank you for reaching out to Sophos Community.
Ben Sanderson said: "I have multiple networks on both sides, but decided for routing purposes to lump it all into one network."
Can you please share more information on this?
It seems to be an issue with the configured child SAs (subnets).
It would be great if you share configuration snapshots as well.
Attached are screenshots from both firewalls; the top is the head office, followed by the remote office.
Even though there are multiple /24 networks at both locations, to make routing easier I wanted to summarize the networks.
Firewall Head Office networks...
Summarize to 172.20.0.0/16
Remote Office networks...
Summarize to 172.21.0.0/16
Those networks are shown in the screenshots; the tunnels are green and up on the firewalls.
Thanks for the help.
Check the packet flow by following the steps below.
==> Go to Diagnostics > Packet capture
==> Enter BPF string: host <Remote network IP> and proto ICMP
eg: host 172.21.5.155 and proto ICMP
==> Start the capture and initiate a ping from any end machine located in the Head Office firewall network (172.20.5.0/24, 172.20.6.0/24 or 172.20.7.0/24).
>ping -n 2 172.21.5.155
Share capture snapshot here or in PM.
Is there any SD-WAN policy configured under Configure > Routing > SD-WAN policy routing?
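The capture check above is useful because of what it shows: echo requests being forwarded with no reply coming back. As an added example (not code from the thread or from Sophos), the script below pairs ICMP echo requests with their replies in tcpdump-style capture lines and reports the flows that never got an answer; the capture lines and the tcpdump-like line format are constructed assumptions, and the 172.16.1.120 -> 172.19.1.1 flow mirrors the one discussed later in the thread.

```python
import re

# Constructed sample capture lines (not the real capture posted in the thread).
SAMPLE_CAPTURE = """\
10:01:02.100 IP 172.16.1.120 > 172.19.1.1: ICMP echo request, id 1, seq 1, length 40
10:01:03.100 IP 172.16.1.120 > 172.19.1.1: ICMP echo request, id 1, seq 2, length 40
10:01:05.000 IP 172.21.5.155 > 172.20.5.10: ICMP echo request, id 7, seq 1, length 40
10:01:05.002 IP 172.20.5.10 > 172.21.5.155: ICMP echo reply, id 7, seq 1, length 40
"""

# Assumed tcpdump-style line layout: "IP <src> > <dst>: ICMP echo <request|reply>, id N, seq N"
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield (src, dst, kind, id, seq) for each ICMP echo line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def unanswered_requests(text):
    """Return the echo requests (src, dst, id, seq) that never saw a matching reply.

    A reply matches when it travels dst -> src with the same id/seq.  Requests
    that leave the firewall but never get answered point at the return path
    (remote routes, SNAT, host firewall), not at the outbound firewall rule."""
    pending = {}  # insertion-ordered in Python 3.7+
    for src, dst, kind, ident, seq in parse_icmp(text):
        if kind == "request":
            pending[(src, dst, ident, seq)] = True
        else:
            pending.pop((dst, src, ident, seq), None)
    return list(pending)


def summarize(text):
    """Group unanswered requests per (src, dst) flow with the number of lost probes."""
    flows = {}
    for src, dst, _ident, _seq in unanswered_requests(text):
        flows[(src, dst)] = flows.get((src, dst), 0) + 1
    return flows


if __name__ == "__main__":
    for (src, dst), n in summarize(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {n} echo request(s) with no reply; check the return route on {dst}'s side")
```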
Attached is the packet capture, so there is traffic coming from the Head Office, but either it is not reaching the target or the device does not know how to route the packet back.
I am able to ping the device from the Remote Firewall with no issues, so it is reachable, but I am unable to ping the remote device from the Head Office.
I have not set any SD-WAN policies.
Thank you for the screenshots.
It seems the firewall forwards the ping request, but there's no reply. Is ping allowed on the destination host and the VPN zone on both firewalls?
I'd also suggest you add the VPN and LAN zones in the firewall rules instead of using "Any."
Harsh and Yash,
It is working now, but again I am not sure I like how it is done: I have applied a NAT rule on the remote side. Once this was applied I am able to ping across.
Please confirm if this is best practice.
As per the previous packet capture snapshot, traffic coming from the 172.16.1.120 machine (head office) is getting forwarded via firewall rule ID 12 to the internal machine 172.19.1.1, but there is no response to the ICMP request.
There could be 2 possibilities:
After applying the SNAT policy, the source address in the ICMP request will be translated to the outgoing interface IP address (Port5.9).
Check the packet flow again to get better clarification.
After the SNAT change, I am able to ping the remote devices from local devices. Again, I am not sure if it is best practice to use SNAT for Site to Site.
But, I am unable to ping the remote devices from the local Sophos SSL VPN Connection. I see the packets leaving the firewall but do not see them on the remote firewall.
These captures are from the Local Firewall that has the SSL VPN connection trying to ping something on the remote site-to-site network.
It seems the traffic is being NATed with your public IP address.
In the VPN to VPN firewall rule, apply SNAT as your LAN interface IP address. Refer to the article below for more information on "Allow Remote Access SSL VPN Traffic Over an Existing IPsec Tunnel".