
Site to Site VPN - is there a NAT requirement?

Hello - I was just on the phone with a Sophos tech troubleshooting our site to site IPSec tunnel from a remote site to the main site. It's been working fine for years, up until the last week or so, where some traffic seems to go in the tunnel but never comes out the other side. And sometimes the tunnel doesn't seem to be up at all (pings fail) yet the consoles for the VPN all show green like it's connected. It continues to go up / down like this.

The tech said my rules to allow the VPN traffic are missing linked NAT MASQ rules. At the time, the tunnel had started working again, and when these new NAT rules were added it continued to work. When they were disabled it continued to work.

The issue hasn't been predictable, and at this point I am just waiting for it to stop passing traffic again. Firewalls are an XG115 running 19.0.1 and an XG550 running 18.5.3. From the remote site, ping logs to 8.8.8.8 are steady, while ping logs to something on the other side of the tunnel have large request timeout gaps, so it's not like the internet connection at the remote site is going down.

I'm confused about the need for these NAT rules. The article here https://support.sophos.com/support/s/article/KB-000035717?language=en_US doesn't mention NAT, or at least not that I saw. And we don't have overlapping subnets between the 2 sites. I would think that if we needed the NAT and it wasn't there, traffic wouldn't flow properly all the time, not some of the time.

Is the NAT really necessary? Any ideas for why the tunnel stops passing traffic but still shows as green in the consoles?

Thanks!



  • Hello there,

    Thank you for contacting the Sophos Community.

    Usually, NAT is only necessary when there’s an overlap of the network, or if one of the sides wants to see the traffic coming in using a specific IP, not part of the tunnel.

    I believe if you disable IPsec Acceleration and Firewall Acceleration this might work around your issue. (If so, this would anyway need further investigation.)

    Can you share the Case ID, so I can take a look at your case?

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • 05970043 - I'm on the phone with someone else now. I just suggested disabling FW Accel and we did that just now. We'll have to wait and see if it goes down again. Thanks for confirming the NAT.
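As an added illustration of the two points raised in this thread (it is not code from Sophos or from either poster): the first function reproduces the original poster's diagnostic by scoring two ping logs so that a loss pattern confined to the tunnel side can be told apart from a WAN outage, and the second encodes the reply's rule that site-to-site NAT is only needed when the subnets overlap. The ping lines, the host addresses and the subnets are constructed sample values; the parser assumes Linux/macOS-style ping output.

```python
import re
from ipaddress import ip_network

# Constructed sample ping output for an internet host and for a host on the
# far side of the IPsec tunnel (the OP's "steady vs. timeout gaps" pattern).
PING_LOGS = {
    "8.8.8.8": """\
64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=11.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=12.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=12.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=12.2 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=11.8 ms
""",
    "10.20.0.10": """\
64 bytes from 10.20.0.10: icmp_seq=0 ttl=63 time=34.0 ms
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
64 bytes from 10.20.0.10: icmp_seq=4 ttl=63 time=35.1 ms
Request timeout for icmp_seq 5
""",
}

REPLY_RE = re.compile(r"icmp_seq=(\d+)")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")

def analyze_ping_log(text):
    """Return (loss percentage, longest run of consecutive timeouts)."""
    sent = lost = run = longest = 0
    for line in text.splitlines():
        if TIMEOUT_RE.search(line):
            sent += 1
            lost += 1
            run += 1
            longest = max(longest, run)
        elif REPLY_RE.search(line):
            sent += 1
            run = 0          # a reply ends the current timeout gap
    loss_pct = 100.0 * lost / sent if sent else 0.0
    return round(loss_pct, 1), longest

def tunnel_specific_loss(logs, internet_host, tunnel_host, gap_threshold=2):
    """True when the tunnel-side host shows a timeout gap of at least
    gap_threshold probes while the internet host shows none: the WAN link
    is up and the loss sits inside the VPN path, as described in the post."""
    _, inet_gap = analyze_ping_log(logs[internet_host])
    _, tun_gap = analyze_ping_log(logs[tunnel_host])
    return tun_gap >= gap_threshold and inet_gap == 0

def nat_needed(local_net, remote_net):
    """The reply's rule: NAT on the tunnel is only required when the two
    sites' subnets overlap (or a side insists on a specific source IP)."""
    return ip_network(local_net).overlaps(ip_network(remote_net))
```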