Advisory: Sophos Endpoint - "Your connection isn't private" We're aware of a certificate issue and are actively working to resolve. Please see: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN Site to site no ping on one way

Hi,

I've depolyed a site-to-site SSL VPN between two XGS (HO Server and BO Client)

HO network is 192.168.3.0/24 and BO network is 192.168.2.0/24.
I'm able to ping from BO to HO but not the opposite.

Tha packet capture says IP_Spoof - Violation and the routes are the following.

I'm missing something and I would apreciate if someone could give me an advice.

Thankyou



This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    Can you share a screenshot of your DoS & Spoof protection (Protect > Intrusion Prevention > DoS & Spoof Protection)?

    And any reason you are using a SSL tunnel instead of an IPsec?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi,

    I'm using SSL VPN to be ready future implementation of ACLs for every single user.

  • Hi  : Based on the "route -n" output on XGS87w I can see 10.81.234.0 is reflecting twice via tun0 and tun21. This means XGS87w which is acting as in SSL VPN client (for SSL site to site) has reachability to the same network via 2 tunnel interfaces. Due to that probably in traffic and out traffic is marking via different tunnel interfaces and traffic is getting marked as in "IP_Spoof".

    This can only happen if both the XGS which are part of the SSL site-to-site tunnel has the same "Assign IPv4 addresses" network settings inside the SSL VPN settings.

    i.e. XGS87w has assigned an IP pool from network 10.81.234.0 via tun0.

    And while you make this XGs87w as in SSL VPN client by adding an SSL VPN Server file ( file of XGS107w) it has added the same network 10.81.234.0 route via tun21 as XGS107w has the same network 10.81.234.0 in SSL VPN Assigned IP pool settings.



    So changing the network to any one XGS end ( more preferable would be where no users are using Sophos SSL VPN remote access or fewer users using Sohps SSL VPN remote access) will avoid duplication in tun network settings and will fix the issue. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.