
Sending Remote access traffic through Site-to-site VPN, with 1:n nat translation on XGS

Hello Sophos community,

I am trying to set up a scenario where I have to send IPsec remote access traffic through a site-to-site IPsec VPN with 1:n NAT translation on an XGS firewall.

It seems to work on UTM: Sending Remote access traffic through Site-to-site VPN, with 1:1 nat translation

It did work on the Cisco ASA that I retired and replaced with the XGS.

Setup:

Remote User -(IPsec Remote Access VPN)-> Sophos XGS  -(IPSEC Site-to-site VPN)-> Partner servers

We have a requirement for remote users (Sophos Connect Client) to access the partner's servers. Our IPsec Remote Access VPN is on a VPN subnet (192.168.99.0/24); the internal LAN is 192.168.1.0/24.

Our partner has the requirement that traffic is sent from the 1.2.3.4 IP (1:n NAT) to his networks.

The site-to-site VPN (Tunnel: To_Partner) is established and working, showing up at both ends. The local network on my end is set to 1.2.3.4; no NAT is active in the site-to-site VPN.

I have set up "system ipsec_route add net 10.1.1.0/255.255.255.0 tunnelname To_Partner"

Found this command mentioned here: support.sophos.com/.../KB-000037043

I have created a NAT rule (Name: NAT-Partner) to change traffic from the internal LAN 192.168.1.0 as well as the RA VPN LAN 192.168.99.0/24, going to the partner network 10.1.1.0, so that the source is mapped to 1.2.3.4.

Firewall rules have been set up for both the S2S VPN, and internal LAN as well as RA VPN LAN

I have added the Partner network to the local networks section in the IPsec Remote Access VPN setup. 

Problem: I can ping as well as access the partner network servers' resources from the internal LAN 192.168.1.0.

I can ping from the RA VPN LAN. I am, however, unable to access the partner server's remote resources.

When trying to access a partner server's resources from the RA VPN LAN, the counter on the NAT rule "NAT-Partner" increases. The Sophos packet tracer says: Invalid traffic

I tried an "any"-"any" firewall rule. No success so far.

Do I have to put the Cisco ASA5510 back in place? I am a bit lost.

Cheers,

XGS admin



  • Can you show us a network plan with the nats and everything in place (Local / Remote subnet etc).

BTW: Why are you not using route-based VPN? Is this not offered by the peer? Likely you have to ask, and they will give you the option to move to route-based VPN.


  • Our partner is not willing to change anything on the IPsec tunnel. This would need an RfC with IT security and a lot of other people involved. The partner is a big company.

    So no. We will have to get it running with the XGS136 that has replaced the ASA5510

    This is what the network looks like

  • Likely such big partners are more interested in using route-based VPN due to the advantages in the management of such tunnels.

    So you need to MASQ your traffic to this 1.2.3.4, which is not included in the SA? Correct? This is not possible; strongSwan will drop the traffic due to the fact that the SPI is not matching (remote/local subnet = SPI).

    If the 1.2.3.4 is included in the Tunnel (remote / local subnet) you can use MASQ for this goal. 

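The selector rule stated in the reply above (a policy-based tunnel only carries packets whose source and destination lie inside the negotiated subnets, so the translation to 1.2.3.4 must already have happened when the IPsec policy is consulted) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread, from Sophos, or from strongSwan. The addresses are the ones used in the thread; the port handling, the conntrack table, and the tunnel and rule names are assumptions of the model.

```python
"""Policy-based IPsec traffic-selector check with source NAT in front of it.

Added example, not Sophos or strongSwan code. It models the rule from the
reply above: a policy-based tunnel only carries a packet whose (source,
destination) pair lies inside a negotiated traffic selector, so the source
must already be translated to 1.2.3.4 when the IPsec policy lookup runs, and
1.2.3.4 must be the tunnel's local subnet. Ports, the conntrack table and the
names are assumptions of this model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ChildSA:
    """One negotiated traffic-selector pair of a policy-based tunnel."""
    tunnel: str
    local_ts: IPv4Network
    remote_ts: IPv4Network

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local_ts and dst in self.remote_ts


@dataclass(frozen=True)
class SnatRule:
    """Original sources / destination -> translated source (1:n NAT)."""
    name: str
    orig_src: tuple
    orig_dst: IPv4Network
    translated_src: IPv4Address


def apply_snat(rules, src, dst):
    """First matching rule wins; returns (new_src, rule name or None)."""
    for rule in rules:
        if dst in rule.orig_dst and any(src in net for net in rule.orig_src):
            return rule.translated_src, rule.name
    return src, None


def outbound(sas, rules, src, sport, dst, conntrack):
    """Forward path in firewall order: SNAT first, then IPsec policy lookup.

    A successful match records conntrack state so the reply can be un-NATed.
    Port collisions between clients are not remapped in this model.
    """
    new_src, rule = apply_snat(rules, src, dst)
    for sa in sas:
        if sa.covers(new_src, dst):
            conntrack[(dst, new_src, sport)] = (src, sport)
            return "tunnel", f"{sa.tunnel} via {rule or 'no NAT'} as {new_src}"
    return "drop", f"no traffic selector covers {new_src} -> {dst}"


def inbound(sas, src, dst, dport, conntrack):
    """Return path: selectors are checked mirrored, then state un-NATs dst."""
    if not any(sa.covers(dst, src) for sa in sas):
        return "drop", f"no traffic selector covers {src} -> {dst}"
    orig = conntrack.get((src, dst, dport))
    if orig is None:
        return "invalid", f"no state for {src} -> {dst}:{dport}"
    return "forward", f"to {orig[0]}:{orig[1]}"


# Constructed configuration mirroring the thread: the site-to-site SA has the
# single NAT address as local subnet and the partner network as remote subnet.
PARTNER = ip_network("10.1.1.0/24")
TUNNEL = [ChildSA("To_Partner", ip_network("1.2.3.4/32"), PARTNER)]
NAT_BOTH = [SnatRule("NAT-Partner",
                     (ip_network("192.168.1.0/24"), ip_network("192.168.99.0/24")),
                     PARTNER, ip_address("1.2.3.4"))]
NAT_LAN_ONLY = [SnatRule("NAT-Partner", (ip_network("192.168.1.0/24"),),
                         PARTNER, ip_address("1.2.3.4"))]
SERVER = ip_address("10.1.1.10")


def demo():
    """Walk the LAN host and the RA client through the forward and return path."""
    ct = {}
    lan = outbound(TUNNEL, NAT_BOTH, ip_address("192.168.1.2"), 40001, SERVER, ct)
    ra = outbound(TUNNEL, NAT_BOTH, ip_address("192.168.99.10"), 40002, SERVER, ct)
    # RA client when the NAT rule does not match it: the untranslated source
    # 192.168.99.10 is outside the 1.2.3.4/32 selector, so the policy drops it.
    ra_unnatted = outbound(TUNNEL, NAT_LAN_ONLY, ip_address("192.168.99.10"),
                           40003, SERVER, {})
    reply = inbound(TUNNEL, SERVER, ip_address("1.2.3.4"), 40002, ct)
    # A reply for which the firewall holds no state is rejected; compare the
    # "invalid traffic" entries reported in the thread.
    stateless = inbound(TUNNEL, SERVER, ip_address("1.2.3.4"), 40009, ct)
    return lan, ra, ra_unnatted, reply, stateless


if __name__ == "__main__":
    for verdict, detail in demo():
        print(verdict, detail)
```

The order matters: translating the source after the policy lookup, or leaving the NAT rule so that it does not match the RA subnet, leaves the packet with a source outside 1.2.3.4/32 and it never enters the tunnel. The model also shows why a reply that arrives with no matching state is rejected even though its addresses fit the selectors.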

  • So I will simply have to add the IP 1.2.3.4 the existing IPsec remote access configuration, right? Will the existing NAT rule do the trick? Or do i need another NAT rule for the IPsec RA tunnel's traffic to rewrite the source using MASQ? Please clarify. Thank you.

  • So you can use a normal NAT rule to do this SNAT. But the MASQ object has to be created (MASQ as the translated source does not work; there is no interface in this sense). So create a NAT rule, add a translated source, and create 1.2.3.4 as an IP host object. Add it to the rule and select the other filters (original source and original destination).

    In the case of your issue, if the same NAT rule works for the one network but not for the other, it is likely an application issue. So check the packet capture. If the packet capture looks the same, it is likely an app issue, not a firewall/VPN issue.


  • OK, I got that. I do not, however, think that this is an app issue. There is a simple plain HTTPS site to check connectivity. This should work.

    I have now added 1.2.3.4 to Remote Access VPN -> IPsec -> Permitted network resources (IPv4) and updated my Sophos Connect profile. I got assigned 192.168.99.10 from the XGS.

    Still no change. Ping to 10.1.1.10 is possible. HTTPS to 10.1.1.10 not.

    (Please note that for security reasons I have altered the real partner IPs as well as the NAT IP to the IPs that I used to describe my setup earlier.)

  • Looks like the Firewall Rule does not apply. You should revisit the Firewall Rule 11. 


  • No matter what I try, XGS says traffic is invalid.

    Tried creating an "ANY" "ANY" rule on top. No luck.

    Tried creating a firewall rule that exactly matches the traffic. No chance.

    With "ANY"-"ANY" in place, or the rule that matches, rule 0 (DROP) is applied now. Why?

    I do not understand XGS's logic. Sorry. I can manage UTM. I can manage ASA. But XGS - I have no clue.

    Any hints? From my point of view, with an "ANY"-"ANY" firewall rule it should work, as long as the NAT rule works?

    This is, what it looks like from a host in my internal LAN (192.168.1.0/24)

    Please note, that the XGS is natting my original source (192.168.1.2)

    Now, here, with the same firewall rule #12, which also includes my IPsec RA address range (192.168.99.0), the traffic is neither NATed nor allowed:

    The capture shows my original source IP. The NAT rule is in place. Why?

    It looks to me like the NAT rule does not apply to traffic that comes in via IPsec RA.

  • In this screenshot the 4th packet seems fine to me? 

    Its a forwarded connection, but does not get any reply? 


  • Yes, this screenshot is fine. This is from my INTERNAL LAN. There is a filter applied, that's why you only see one side.

    The problem still exists on my client, which is connected via RA IPsec and wants to access a server in the partner's network. The traffic is NOT NATed.

  • I somehow managed to re-create the firewall and NAT rule. No more invalid traffic; traffic is now passed.

    However - no NAT. Please compare the following screenshot to the one from the internal LAN (source NATed as 1.2.3.4).

    Is the XGS capable of NATing incoming IPsec RA traffic?

  • Firewall and NAT have to be applied.

    Just to be sure, what are your filters? Because you are only seeing the incoming packets. It could be that NAT/firewall are not applied.

    BTW: If ICMP works but a protocol does not, this could be an indicator of MTU size issues.

    And about your point above: 

    You see Ipsec0 in and out, which does not make sense if this is the internal LAN traffic. The internal LAN should be the incoming interface, not Ipsec0.

    I assume you are filtering wrong in that sense.

    You have to read the tcpdump from bottom to top. 

    You could try SSL VPN and see whether there is the same issue or not.

    But I assume your filters are wrong and therefore we are not seeing what is happening.

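The MTU hint in the reply above (ICMP works, a larger TCP exchange does not) is worth quantifying, because tunnel-mode ESP adds a fixed header plus cipher-dependent IV, padding and ICV to every packet. The calculator below is an added example written for this page, not code from the thread or from Sophos. It applies the ESP framing of RFC 4303 (outer IPv4 header, SPI and sequence number, IV, padded payload, pad-length and next-header bytes, ICV) and, for NAT-T, the extra UDP header. The cipher parameters are the standard values for the listed suites; the 1500-byte outer MTU and the suites chosen are assumptions.

```python
"""ESP tunnel-mode overhead and MSS clamp calculator (RFC 4303 framing).

Added example, not Sophos code. It answers the question raised above: how
large can an inner packet be before its ESP encapsulation exceeds the outer
MTU, and what TCP MSS keeps it inside? Suites and the 1500-byte MTU are
assumptions; the framing constants are from the RFC.
"""
from dataclasses import dataclass

OUTER_IP = 20     # new IPv4 header added in tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
UDP_ENCAP = 8     # UDP header when NAT-T (port 4500) is in use
TCP_IP_HDRS = 40  # inner IPv4 + TCP headers without options


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # explicit IV carried in the ESP payload
    align: int     # padding alignment of payload + trailer
    icv_len: int   # integrity check value length


# Standard parameter sets (RFC 4303 / RFC 4106 / RFC 4868).
AES_CBC_SHA1 = EspSuite("AES-CBC / HMAC-SHA1-96", 16, 16, 12)
AES_CBC_SHA256 = EspSuite("AES-CBC / HMAC-SHA2-256-128", 16, 16, 16)
AES_GCM_16 = EspSuite("AES-GCM-16", 8, 4, 16)


def esp_packet_size(inner_len, suite, nat_t=False):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP."""
    body = inner_len + ESP_TRAILER
    padded = (body + suite.align - 1) // suite.align * suite.align
    size = OUTER_IP + ESP_HDR + suite.iv_len + padded + suite.icv_len
    return size + (UDP_ENCAP if nat_t else 0)


def fits(inner_len, suite, outer_mtu=1500, nat_t=False):
    """True if the encapsulated packet needs no fragmentation on the path."""
    return esp_packet_size(inner_len, suite, nat_t) <= outer_mtu


def max_inner_mtu(outer_mtu, suite, nat_t=False):
    """Largest inner packet whose ESP encapsulation still fits outer_mtu."""
    # Overhead grows monotonically with inner_len, so walking down is enough.
    for n in range(outer_mtu, 0, -1):
        if fits(n, suite, outer_mtu, nat_t):
            return n
    raise ValueError("outer MTU too small for this suite")


def mss_clamp(outer_mtu, suite, nat_t=False):
    """TCP MSS to advertise so that full segments never exceed outer_mtu."""
    return max_inner_mtu(outer_mtu, suite, nat_t) - TCP_IP_HDRS


def report(outer_mtu=1500):
    """(suite, nat_t, max inner MTU, MSS clamp) for each suite, with and without NAT-T."""
    rows = []
    for suite in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM_16):
        for nat_t in (False, True):
            rows.append((suite.name, nat_t,
                         max_inner_mtu(outer_mtu, suite, nat_t),
                         mss_clamp(outer_mtu, suite, nat_t)))
    return rows


if __name__ == "__main__":
    # A default 84-byte ping fits easily; a full 1500-byte TCP segment does not.
    print("ping 84B fits:", fits(84, AES_CBC_SHA1))
    print("1500B segment fits:", fits(1500, AES_CBC_SHA1))
    for name, nat_t, mtu, mss in report():
        print(f"{name:30} NAT-T={nat_t!s:5} inner MTU {mtu}  MSS {mss}")
```

The numbers explain the symptom: a small ping is encapsulated well under the outer MTU, while a TLS handshake or HTTP response sends full-size segments that, once wrapped in ESP, exceed it and are either fragmented or dropped when the DF bit is set. Clamping the MSS to the value `mss_clamp` reports for the suite in use, or lowering the MTU on the tunnel path, removes that failure mode without touching the partner's configuration.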

  • Hello. Did a lot of testing and investigation.

    Seems to be a problem with policy based IPsec in general.

    - Tunneling the given 1:n NATed site-to-site via a route-based tunnel to another Sophos works fine

    - SSL VPN remote access also works

    Policy-based site-to-site and remote access do not work:

    Sophos XGS sends packets out to the tunnel. Sophos XGS does, however, not know what to do with the return packets. They are logged as INVALID TRAFFIC. I cannot get it working.

    No problem for me. I do have a working solution now.

    Thank you - (Thanks for everything)