Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 40 subscribers
  • Views 4041 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN Site to site no ping on one way

redchat2435

Hi,

I've depolyed a site-to-site SSL VPN between two XGS (HO Server and BO Client)

HO network is 192.168.3.0/24 and BO network is 192.168.2.0/24.
I'm able to ping from BO to HO but not the opposite.

Tha packet capture says IP_Spoof - Violation and the routes are the following.

I'm missing something and I would apreciate if someone could give me an advice.

Thankyou



This thread was automatically locked due to age.
Parents
  • +1

    Hi  : Based on the "route -n" output on XGS87w I can see 10.81.234.0 is reflecting twice via tun0 and tun21. This means XGS87w which is acting as in SSL VPN client (for SSL site to site) has reachability to the same network via 2 tunnel interfaces. Due to that probably in traffic and out traffic is marking via different tunnel interfaces and traffic is getting marked as in "IP_Spoof".

    This can only happen if both the XGS which are part of the SSL site-to-site tunnel has the same "Assign IPv4 addresses" network settings inside the SSL VPN settings.

    i.e. XGS87w has assigned an IP pool from network 10.81.234.0 via tun0.

    And while you make this XGs87w as in SSL VPN client by adding an SSL VPN Server file ( file of XGS107w) it has added the same network 10.81.234.0 route via tun21 as XGS107w has the same network 10.81.234.0 in SSL VPN Assigned IP pool settings.



    So changing the network to any one XGS end ( more preferable would be where no users are using Sophos SSL VPN remote access or fewer users using Sohps SSL VPN remote access) will avoid duplication in tun network settings and will fix the issue. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Reply
  • +1

    Hi  : Based on the "route -n" output on XGS87w I can see 10.81.234.0 is reflecting twice via tun0 and tun21. This means XGS87w which is acting as in SSL VPN client (for SSL site to site) has reachability to the same network via 2 tunnel interfaces. Due to that probably in traffic and out traffic is marking via different tunnel interfaces and traffic is getting marked as in "IP_Spoof".

    This can only happen if both the XGS which are part of the SSL site-to-site tunnel has the same "Assign IPv4 addresses" network settings inside the SSL VPN settings.

    i.e. XGS87w has assigned an IP pool from network 10.81.234.0 via tun0.

    And while you make this XGs87w as in SSL VPN client by adding an SSL VPN Server file ( file of XGS107w) it has added the same network 10.81.234.0 route via tun21 as XGS107w has the same network 10.81.234.0 in SSL VPN Assigned IP pool settings.



    So changing the network to any one XGS end ( more preferable would be where no users are using Sophos SSL VPN remote access or fewer users using Sohps SSL VPN remote access) will avoid duplication in tun network settings and will fix the issue. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Children
No Data
Unfiltered HTML