
IPSec S2S NAT problem

Hi,

I have the following setup:

The ipsec policy between RGW and RZGW cannot be extended by the net 192.168.5.0/24 so I have to do a NAT (enabled in the vpn config screen).

The main goal is that both nets (192.168.0.0/24 and 192.168.5.0/24) can access the remote host 172.16.10.100.

My problem is that RGW tries to ping one of my servers (192.168.0.100). I see the packets coming in via ipsec0, but the outgoing packets leave RZGW on the WAN interface where they get natted. I already tried to establish a SNAT, but there I cannot select ipsec0 as incoming/outgoing interface.

Can anyone point me in the right direction on how to create a NAT rule (or multiple manual NAT rules) to enable ping from RGW to 192.168.0.100 while maintaining the accessibility of 172.16.10.100 from both local networks?

Cheers and thanks,

Nicki



  • For further insights I ran a tcpdump on the console. Without further fiddling with nat rules I get this (Port2 is my WAN interface):

    13:43:06.397546 ipsec0, IN: IP 172.16.0.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24
    13:43:06.397651 Port2, OUT: IP 99.99.99.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24
    13:43:06.397654 oct0, OUT: IP 99.99.99.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24

    For some reason the packet gets handled by the default outbound NAT rule.

    If I add a NAT rule that prohibits NATting for 172.16.0.100, the tcpdump looks like this:

    13:43:06.397546 ipsec0, IN: IP 172.16.0.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24
    13:43:06.397651 Port2, OUT: IP 172.16.0.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24
    13:43:06.397654 oct0, OUT: IP 172.16.0.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24

    I do not understand why a packet that comes in on ipsec0 should leave on my WAN interface.
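The check below is an added example, not code from the thread or from Sophos: it pairs each ICMP echo that entered on the tunnel interface with the OUT records carrying the same ICMP id/seq, so you can see from a tcpdump transcript whether the source was rewritten (the default outbound NAT rule fired) and whether the packet left on the WAN interface. The interface names, addresses and the sample lines are constructed from the capture quoted above.

```python
import re

# Constructed sample modelled on the tcpdump lines quoted in the post above
# (interfaces and addresses taken from that post; not a real capture file).
SAMPLE_NATTED = """\
13:43:06.397546 ipsec0, IN: IP 172.16.0.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24
13:43:06.397651 Port2, OUT: IP 99.99.99.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24
13:43:06.397654 oct0, OUT: IP 99.99.99.100 > 192.168.0.100: ICMP echo request, id 1966, seq 7, length 24
"""

# Matches the "<ts> <iface>, <IN|OUT>: IP <src> > <dst>: ICMP echo ..." line shape.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Turn tcpdump lines into dicts; lines that are not ICMP echo are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def audit_tunnel_flows(text, tunnel_iface="ipsec0", wan_iface="Port2"):
    """For every echo packet that arrived on the tunnel interface, collect the
    OUT records with the same ICMP id/seq/kind and report whether the source
    address was rewritten (SNAT) and whether it left via the WAN interface."""
    ingress, egress = {}, {}
    for r in parse_capture(text):
        key = (r["id"], r["seq"], r["kind"])
        if r["dir"] == "IN" and r["iface"] == tunnel_iface:
            ingress[key] = r
        elif r["dir"] == "OUT":
            egress.setdefault(key, []).append(r)
    findings = []
    for key, pkt in ingress.items():
        outs = egress.get(key, [])
        findings.append({
            "id": key[0], "seq": key[1], "ingress_src": pkt["src"],
            "egress_ifaces": [o["iface"] for o in outs],
            "snat_applied": any(o["src"] != pkt["src"] for o in outs),
            "left_via_wan": any(o["iface"] == wan_iface for o in outs),
        })
    return findings
```

Run it over a capture taken with the "no NAT for 172.16.0.100" rule in place and snat_applied turns false while left_via_wan stays true, which isolates the routing question from the NAT question.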

  • FormerMember (in reply to Alie2n)

    Hi Alie2n,

    Thank you for reaching out to Sophos Community.

    Assuming the IPsec tunnel is configured with 172.16.0.0/16 and 192.168.0.0/24 child SAs.

    Can you please share a packet capture snapshot?

    Is there any static route or SD-WAN policy configured on Sophos Firewall?

  • Hi,

    thanks for reaching out.

    Sadly I cannot share a pcap file, as per our internal policy I need to anonymize the IP addresses in use.

    Regarding the child SAs you are right, and we have no static routes or SD-WAN policies in place on any of our firewalls.


  • Hi,

    thanks for the suggestion. As this is a fairly new install the routing precedence is already:
