I have created a site-to-site IPSec VPN between my XG and Azure.
The tunnel is up (confirmed on both sides), and I can connect from Azure to local, but not the other way around.
I followed this article to the letter: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/126356/sophos-xg-firewall-v18-to-azure-vpn-gateway-ipsec-connection.
I have multiple VLANs configured on my XG. I haven't done anything specific for those - not that I know if I need to. The firewall rule encompasses all the VLANs.
When testing connectivity from local to Azure, I can see the rule is allowed.
I have a gaping hole in my Azure NSG (ANY-ANY), both inbound and outbound.
The Azure endpoint is Ubuntu 20.04 LTS and as far as I know, all firewalls are off:
user@vm01:~$ sudo ufw status verbose
Here is the main VPN config page:
I'm not particularly familiar with Ubuntu, so it may be something on the endpoint, however, I'd like to rule out XG's VPN config.
I read the note about the XG version and I am currently running on SFOS 18.0.4 MR-4. Can't upgrade just yet.
If anyone can think of anything I should try, please shout.
It looks like I need to create some routes from the console, following this guide: https://support.sophos.com/support/s/article/KB-000035839?language=en_US.
I'm trying to run the command
console> system ipsec_route add net 172.16.10.0/255.255.255.0 tunnelname nlgz03ashare0101
Where 172.16.10.0/24 is the Azure VNet's address space (not the subnet) and nlgz03ashare0101 is the name of the IPSec connection. However, the command does not accept the tunnelname given. According to the linked documentation, tab + tab should populate the tunnelname.
The error is:
% Error: Unknown Parameter 'nlgz03ashare0101'
Where does the tunnel name come from?
Thanks in advance.
Hi woter324: Thank you for reaching out to the Sophos community team. The configuration KBA which you used for a tunnel with AWS is an RBVPN (Route-based VPN, or tunnel-interface-based VPN tunnel) type tunnel, and in the last comment the KBA or command to add the IPsec manual route you are using is generally used with PBVPN (Policy-based IPsec tunnels). So with RBVPN, to forward traffic over the VPN to the remote-end destination, either a static route over the xfrm interface or an SD-WAN rule will help.

This section will help to get more info on the same: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNCreateRouteBasedVPN/index.html#add-firewall-rules-ho

Reference video links:
RBVPN: https://www.youtube.com/watch?v=o4NB1nHBOsE
SD-WAN: https://www.youtube.com/watch?v=TolZsFNbBuM
Regards,
Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
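The reply above says the fix for an RBVPN tunnel is a route for the remote prefix over the xfrm interface rather than an ipsec_route entry. The script below is an added example, not code from the thread or from Sophos: it is a small check you can run from the Sophos Firewall advanced shell (Device Management > Advanced Shell) to confirm that the Azure VNet prefix actually leaves via an xfrm interface. The prefix 172.16.10.0/24 is taken from the original post; the interface names (xfrm1, Port1.10, Port2) and the sample route dumps are constructed for illustration, and the assumption that SFOS names RBVPN tunnel interfaces xfrm* is mine.

```shell
#!/bin/sh
# Added example (not from the original thread or Sophos documentation).
# Checks whether a destination prefix is routed through an xfrm (route-based
# IPsec) interface, which is what an RBVPN tunnel needs for LAN -> Azure traffic.
# Assumptions: SFOS names RBVPN interfaces xfrm*; `ip route show` is available
# in the advanced shell (it is a standard iproute2 command).

REMOTE_NET="172.16.10.0/24"   # Azure VNet address space from the thread

# Constructed sample route dumps (labelled as such; interface names are made up).
# GOOD: the VNet prefix points at an xfrm interface, as the reply recommends.
SAMPLE_GOOD='default via 203.0.113.1 dev Port2
172.16.10.0/24 dev xfrm1 scope link
192.168.10.0/24 dev Port1.10 proto kernel scope link src 192.168.10.1'
# BAD: the prefix exists but is routed out the WAN port, so packets never
# enter the tunnel even though the SA is up.
SAMPLE_BAD='default via 203.0.113.1 dev Port2
172.16.10.0/24 via 203.0.113.1 dev Port2
192.168.10.0/24 dev Port1.10 proto kernel scope link src 192.168.10.1'

# route_dev DUMP PREFIX: print the "dev" of the exact-match route for PREFIX
# in an `ip route show` dump, or nothing if there is no such route.
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# is_xfrm DEV: succeed when DEV looks like an SFOS xfrm tunnel interface (assumption).
is_xfrm() {
    case "$1" in
        xfrm*) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_route DUMP PREFIX: 0 = routed via xfrm (good), 1 = routed elsewhere
# (e.g. out the WAN default), 2 = no explicit route for the prefix at all.
check_route() {
    dev=$(route_dev "$1" "$2")
    [ -z "$dev" ] && return 2
    is_xfrm "$dev" && return 0
    return 1
}

# Live check against the running firewall; only invoked with --live so the
# script can also be sourced for its functions.
live_check() {
    dump=$(ip route show) || { echo "ip route show failed"; return 3; }
    rc=0; check_route "$dump" "$REMOTE_NET" || rc=$?
    case "$rc" in
        0) echo "OK: $REMOTE_NET routed via $(route_dev "$dump" "$REMOTE_NET")" ;;
        1) echo "WRONG: $REMOTE_NET routed via $(route_dev "$dump" "$REMOTE_NET"), not an xfrm interface; add a static route over the xfrm interface or an SD-WAN rule" ;;
        2) echo "MISSING: no route for $REMOTE_NET; add a static route over the xfrm interface or an SD-WAN rule" ;;
    esac
    # Also list the xfrm interfaces the firewall currently has, for reference.
    ip link show type xfrm 2>/dev/null || echo "no xfrm interfaces found"
    return "$rc"
}

[ "${1:-}" = "--live" ] && live_check
```

Run it as `sh check_rbvpn_route.sh --live` on the firewall; a non-zero exit means the prefix is not going into the tunnel, which matches the symptom in the thread (Azure to local works because the Azure side already routes the on-prem prefix into its VPN gateway, while the XG has no route sending local traffic into the xfrm interface).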
Hi Marccel Haus: Thanks for the update; glad to know the steps helped you.