
Azure site-to-site VPN route-based tunnel connectivity issues

Hi,

I have created a site-to-site IPSec VPN between my XG and Azure.

The tunnel is up, confirmed both sides and I can connect from Azure to local, but not the other way around.

I followed this article to the letter: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/126356/sophos-xg-firewall-v18-to-azure-vpn-gateway-ipsec-connection.

I have multiple VLANs configured on my XG. I haven't done anything specific for those - not that I know if I need to. The firewall rule encompasses all the VLANs.

When testing connectivity from local to Azure, I can see the rule is allowed.

I have a gaping hole in my Azure NSG (ANY-ANY), both inbound and outbound.

The Azure endpoint is Ubuntu 20.04 LTS and as far as I know, all firewalls are off:

user@vm01:~$ sudo ufw status verbose
Status: inactive

Here is the main VPN config page:

I'm not particularly familiar with Ubuntu, so it may be something on the endpoint, however, I'd like to rule out XG's VPN config.

I read the note about the XG version and I am currently running on SFOS 18.0.4 MR-4. Can't upgrade just yet.

If anyone can think of anything I should try, please shout.

T.I.A



  • About six months ago, I couldn't ping from local to remote after setting up a route-based IPsec VPN (Tunnel Interface). At the time I gave up and set up Windows as a router to get around the problem. I've since had to revisit and solve the problem properly.

    It appears that this is quite a common issue, so, although my original post has been locked, I'm creating a new one with the solution.

     provided a step-by-step guide here for setting up a VPN between XG and Azure.

    In the end, it was down to badly configured NAT'ing. During a prior upgrade, Sophos changed the way NAT'ing behaved and the upgrade process automatically created a bunch of NAT rules. Things seemed to work, so I left them as they were. (I'm not blaming Sophos. It was my fault).

    What fixed the local > Azure ping issue was explicitly setting the Outbound Interface to my public interface. It was set to Any.

    Steps:

    1. Rules and policies.
    2. NAT rules.
    3. Select rule corresponding to VLAN that cannot ping.
    4. Interface matching criteria > Outbound interface > <external facing port>.
    5. Disable and reenable the VPN connection. 

    Port C is my external interface and the local PC that couldn't ping the remote endpoint is on VLAN50.

    I got some sporadic behaviour until I figured out any NAT rule changes had to be followed by reinitialising the connection.

    Anyway, I hope the above may help others. In all fairness, it was a reply to a thread on this community that pointed me in the direction of NAT. (Sorry, I cannot find the post now.)

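As an added illustration (not code from this thread, from Sophos, or from the linked guide), the Python model below shows why a masquerade/SNAT rule whose Outbound interface is "Any" also catches traffic leaving through the route-based tunnel interface, while the same rule pinned to the WAN port leaves tunnel traffic untranslated. The interface names (xfrm1, PortC), the subnets, the public IP, and the assumption that the Azure side only routes return traffic into the tunnel for prefixes in its local network gateway address space are all constructed assumptions for the example, not facts stated in the post.

```python
"""Toy model of first-match NAT on a firewall with a route-based IPsec tunnel.

Added example; the topology, names and semantics below are assumptions:
  VLAN50   192.168.50.0/24  behind the firewall
  Azure    10.10.0.0/16     reached through tunnel interface "xfrm1"
  PortC    WAN port, public IP 203.0.113.5 (documentation range)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC_IP = IPv4Address("203.0.113.5")

# Routing table (constructed): longest prefix wins.
ROUTES: List[Tuple[IPv4Network, str]] = [
    (ip_network("10.10.0.0/16"), "xfrm1"),   # Azure VNet via the tunnel
    (ip_network("0.0.0.0/0"), "PortC"),      # default route to the internet
]

# Prefixes the Azure local network gateway knows for this site (assumption).
AZURE_LOCAL_NETWORK_GATEWAY = [
    ip_network("192.168.50.0/24"),
    ip_network("192.168.10.0/24"),
]


@dataclass
class NatRule:
    name: str
    src_nets: List[IPv4Network]
    out_iface: str                  # "Any" or a specific interface name
    snat_to: Optional[IPv4Address]  # None means "no translation"


def egress_interface(dst: IPv4Address) -> str:
    """Return the interface chosen by longest-prefix match for dst."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def apply_nat(rules: List[NatRule], src: IPv4Address,
              dst: IPv4Address) -> Tuple[IPv4Address, str, str]:
    """First-match NAT lookup.

    Returns (source address after NAT, egress interface, matched rule name).
    An Outbound interface of "Any" matches every egress interface, including
    the tunnel interface, which is the behaviour this model is meant to show.
    """
    iface = egress_interface(dst)
    for rule in rules:
        if not any(src in n for n in rule.src_nets):
            continue
        if rule.out_iface != "Any" and rule.out_iface != iface:
            continue
        return (rule.snat_to if rule.snat_to is not None else src), iface, rule.name
    return src, iface, "no-nat"


def azure_side_can_reply(translated_src: IPv4Address) -> bool:
    """Assumption: Azure only sends replies into the tunnel for known on-prem prefixes."""
    return any(translated_src in n for n in AZURE_LOCAL_NETWORK_GATEWAY)


def ping_outcome(rules: List[NatRule], src: str = "192.168.50.10",
                 dst: str = "10.10.1.4") -> dict:
    """Trace one ping from a VLAN50 host and report whether a reply can come back."""
    s, d = ip_address(src), ip_address(dst)
    nat_src, iface, rule = apply_nat(rules, s, d)
    return {
        "egress": iface,
        "rule": rule,
        "source_seen_by_azure": str(nat_src),
        "reply_routable": azure_side_can_reply(nat_src),
    }


# The rule as an upgrade might have generated it: Outbound interface "Any".
BROKEN = [NatRule("VLAN50 MASQ (outbound Any)",
                  [ip_network("192.168.50.0/24")], "Any", PUBLIC_IP)]

# The same rule pinned to the WAN port, as in the steps above.
FIXED = [NatRule("VLAN50 MASQ (outbound PortC)",
                 [ip_network("192.168.50.0/24")], "PortC", PUBLIC_IP)]

if __name__ == "__main__":
    for label, rules in (("before", BROKEN), ("after", FIXED)):
        print(label, "to Azure   ", ping_outcome(rules))
        # Internet-bound traffic must still be masqueraded in both cases.
        print(label, "to internet", ping_outcome(rules, dst="8.8.8.8"))
```

Running the block prints the trace for both rule sets: with the "Any" rule, the ping to 10.10.1.4 leaves via xfrm1 with its source rewritten to the public IP, which the Azure side has no tunnel route back to; with the rule pinned to PortC, the source stays 192.168.50.10 and only the 8.8.8.8 packet is translated. The model is stateless; on a real firewall, flows already established under the old rule keep their existing translation, which is consistent with the post's observation that NAT changes did not take effect until the VPN connection was disabled and re-enabled.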