
Site-to-Site IPsec Sophos XG - FritzBox 7590

Hi folks,

Thanks to this post community.sophos.com/.../vpn---site-to-site-sophos-xg-v18x---fritzbox-v7-2x I was able to successfully establish a connection between my Sophos XG (software) SFOS 18.5.1 MR-1-Build326 and FritzBox 7590 OS 7.28.

The VPN is active, but I can't reach the networks on either side in any way. I obviously created the appropriate rules on Sophos.

SFVH_SO01_SFOS 18.5.1 MR-1-Build326# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
x.xxx.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
10.81.234.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0   (manually added)
192.168.124.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1

SFVH_SO01_SFOS 18.5.1 MR-1-Build326# ifconfig ipsec0
ipsec0 Link encap:Ethernet HWaddr 62:CA:75:EC:63:B6
inet addr:169.254.234.5 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::60ca:75ff:feec:63b6/64 Scope:Link
UP BROADCAST RUNNING NOARP MULTICAST MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

On the FritzBox:

vpncfg {
    connections {
        enabled = yes;
        editable = yes;
        conn_type = conntype_out;
        name = "xxxxx";
        boxuser_id = 0;
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = no;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = PublicIP;
        remote_virtualip = 0.0.0.0;
        keepalive_ip = 0.0.0.0;
        localid {
            fqdn = "PublicDNS";
        }
        remoteid {
            ipaddr = PublicIP;
        }
        mode = phase1_mode_aggressive;
        phase1ss = "dh14/aes/sha";
        keytype = connkeytype_pre_shared;
        key = "xxxxx";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = yes;
        phase2localid {
            ipnet {
                ipaddr = 192.168.123.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.124.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
        accesslist = "permit ip any 192.168.124.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

I tried to follow this guide too, but with no luck: https://support.sophos.com/support/s/article/KB-000035835?language=en_US

community.sophos.com/.../ipsec-site-to-site-vpn-connects-but-no-traffic-passes

Any ideas?
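An added example, not from the thread, Sophos or AVM: a small Python check that parses the phase 2 selectors from the FritzBox vpn.cfg entry above together with the XG's `route -n` output, confirms the two networks line up with what the XG actually routes, and flags the two weak settings visible in that config (aggressive mode with a PSK, and 3DES in the phase 2 proposal). The sample inputs are constructed from the values quoted in the thread; `check_tunnel` and its finding texts are this example's own.

```python
import ipaddress, re
# Constructed samples: the selector and proposal lines of the FritzBox vpn.cfg
# entry quoted in the thread (obscured values omitted), and the XG `route -n` rows.
FRITZ_CFG = """
mode = phase1_mode_aggressive;
phase1ss = "dh14/aes/sha";
keytype = connkeytype_pre_shared;
phase2localid { ipnet { ipaddr = 192.168.123.0; mask = 255.255.255.0; } }
phase2remoteid { ipnet { ipaddr = 192.168.124.0; mask = 255.255.255.0; } }
phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
"""
XG_ROUTES = """Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.81.234.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.124.0 0.0.0.0 255.255.255.0 U 0 0 0 Port1
"""
_IPNET = r"%s\s*\{\s*ipnet\s*\{\s*ipaddr\s*=\s*([\d.]+);\s*mask\s*=\s*([\d.]+);"

def parse_fritz(cfg):
    """Extract phase 2 selectors and IKE/ESP proposals from a vpn.cfg entry."""
    out = {}
    for key in ("phase2localid", "phase2remoteid"):
        m = re.search(_IPNET % key, cfg, re.S)
        out[key] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    for key in ("mode", "keytype", "phase1ss", "phase2ss"):
        out[key] = re.search(rf'^{key}\s*=\s*"?([^";]+)"?;', cfg, re.M).group(1)
    return out

def parse_routes(text):
    """Parse `route -n` output (two header lines) into (network, iface) pairs."""
    routes = []
    for line in text.strip().splitlines()[2:]:
        dst, _gw, mask, _f, _m, _r, _u, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dst}/{mask}"), iface))
    return routes

def check_tunnel(cfg_text, route_text):
    """Findings to review before chasing captures; an empty list means consistent."""
    f, routes = parse_fritz(cfg_text), parse_routes(route_text)
    findings = []
    # The FritzBox "remote" selector must be a LAN the XG owns, not just the ipsec0 route.
    if not [i for n, i in routes if n == f["phase2remoteid"] and i != "ipsec0"]:
        findings.append("FritzBox phase2remoteid is not a directly attached XG LAN")
    if not any(n == f["phase2localid"] for n, _ in routes):
        findings.append("XG has no route toward the FritzBox LAN")
    if f["mode"].endswith("aggressive") and f["keytype"].endswith("pre_shared"):
        findings.append("IKEv1 aggressive mode with PSK exposes the PSK hash to offline guessing")
    if "3des" in f["phase2ss"]:
        findings.append("phase 2 proposal still offers 3DES")
    return findings
```

For the configuration in the thread the selectors and routes check out, so only the two crypto findings remain; the missing replies from 192.168.123.253 then have to be chased on the FritzBox side.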



  • Hello Alex,

    Thank you for contacting the Sophos Community.

    I would recommend you do a GUI Packet Capture to confirm where the packets are going; however, based on the Firewall Rules, I see traffic is moving back and forth.

    Did you obscure the Src IP because it was showing your Public IP?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    Yes, the obscured IP is the public FritzBox IP (not static, but with a DynDNS service) of the other site.

    When I try to reach HTTPS from 192.168.124.200 to 192.168.123.253, it matches rule 11, automatically created by the IPsec connection,

    but the problem appears to be invalid traffic. Do you have any suggestions?

    thanks

    Alessandro

  • Hello Alex,

    I don't think your issue is with the Invalid Traffic, as that traffic isn’t destined to the tunnel.

    The traffic for the tunnel is flowing fine; I would check the other side, as there is no reply from them.

    When doing the GUI Packet Capture, only enter the following string: host 192.168.123.253

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Packet information

    443:

    Ethernet header
    Source MAC address: 34:c9:3d:XX:XX:XX (PC MAC address)
    Destination MAC address: 64:62:66:XX:XX:XX (Port1 LAN MAC address)
    Ethernet type: IPv4 (0x800)

    IPv4 header
    Source IP address: 192.168.124.200
    Destination IP address: 192.168.123.253
    Protocol: TCP
    Header: 20 bytes
    Type of service: 0
    Total length: 52 bytes
    Identification: 12784
    Fragment offset: 16384
    Time to live: 127
    Checksum: 20413

    TCP header
    Source port: 55984
    Destination port: 443
    Flags: SYN
    Sequence number: 1997974908
    Acknowledgement number: 0
    Window: 64240
    Checksum: 63753

    ICMP:

    Ethernet header
    Source MAC address: 34:c9:3d:XX:XX:XX (PC MAC address)
    Destination MAC address: 64:62:66:XX:XX:XX (Port1 LAN MAC address)
    Ethernet type: IPv4 (0x800)

    IPv4 header
    Source IP address: 192.168.124.200
    Destination IP address: 192.168.123.253
    Protocol: ICMP
    Header: 20 bytes
    Type of service: 0
    Total length: 60 bytes
    Identification: 12783
    Fragment offset: 0
    Time to live: 127
    Checksum: 36795

    ICMP header
    Type: 8
    Code: 0
    Echo ID: 1
    Echo sequence: 4
    Gateway: 0
    Fragmentation MTU: 0
    Checksum: 19799

  • Hello Alex,

    Thank you; it all seems correct on the XG side. It looks like we aren't seeing replies from 192.168.123.253.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello Emmanuel,

    If I put the FritzBox public IP in the packet capture, I see this:

    In your opinion, could it be a problem that the site where the FritzBox is installed does not have a static IP but a DynDNS service? Yet the VPN is stable.

    Look at the second line: shouldn't it match the VPN traffic rule (ID 11)?