
Sophos XGS 2100 no outbound traffic

Greetings and thanks for reading!

I'll have to start by asking for some patience as I'm new to the Sophos firewall platform. I'm going to provide a lot of detail to make sure I don't miss something important. I work for a small university and am trying to establish a VPN tunnel between our main campus and an annex location. The main campus currently has a SonicWall SuperMassive 9200 (which will be replaced by a Sophos XGS 4500, but that's down the road).

I've run through the initial setup on the Sophos using the setup wizard and set the firewall to run in Router mode.

Here's my current config:

Main Campus
WAN IP : 64.x.x.x

LAN IP: 205.x.x.x/29 

Local subnets:  10.193.x.x, 10.1.x.x, 10.160.x.x, 172.17.x.x, 172.19.x.x

*these subnets must be able to traverse the VPN.  The 172.x.x.x subnets are Wi-Fi addresses that are only assigned from the DCs at the main campus.

Annex

WAN IP: 23.x.x.x

LAN IP: 10.192.x.x/24

Local Subnets: 10.234.x.x, 10.162.x.x, 10.1.x.x

I have already done a lot of digging into how to connect the tunnel between the Sophos and Sonicwall and have created the following IPsec Profile:

I've created matching entries on the Sonicwall and adjusted the key life to avoid collisions.

I've created the IPsec connection using the profile.  I've set the Sophos as the initiator, provided the pre-shared key, set the listening port to the Sophos WAN port and entered the Sonicwall WAN IP as the Remote Gateway.

I have added a firewall rule to allow VPN traffic from 205.x.x.x/29 to LAN @ 10.192.x.x/24

****Now, we can finally get to my questions!****

I need to assign an IP address to the XFRM1 virtual interface. Does it matter what this address is? In the examples I've seen, addresses such as 3.3.3.3 or 4.4.4.4 were assigned, but these are valid public IP addresses. Does it matter?

Do I need to add the local subnets into the firewall rule mentioned above?  For example, does 10.160.x.x from the Main Campus need to also be added into the allowed traffic from VPN? Likewise, does 10.234.x.x from the Annex need to be added to the LAN portion of the rule?

I know that I will then need to create a static route, but from what to what? Do I only create a route from 205.x.x.x/29 to the XFRM1 interface, or do I need to create a route for each possible subnet on the Main Campus through the XFRM1?

Furthermore, since I have multiple local subnets behind the Sophos XGS, do I need to create routes for each of those through the LAN interface?

Thank you so much for reading through this rather lengthy post for what is probably basic knowledge in this realm!



  • Hi Josh,

    Thank you for reaching out to Sophos Community.

    Does it matter what this address is? In the examples I've seen, addresses such as 3.3.3.3 or 4.4.4.4 were assigned, but these are valid public IP addresses. Does it matter?

    • The IP address for XFRM1 does not matter as long as it won't conflict with any local subnet. Just make sure that both ends are on the same subnet (e.g. 3.3.3.3 and 3.3.3.4).

    Do I need to add the local subnets into the firewall rule mentioned above?  For example, does 10.160.x.x from the Main Campus need to also be added into the allowed traffic from VPN? Likewise, does 10.234.x.x from the Annex need to be added to the LAN portion of the rule?

    • Yes, you need to add all local subnets to your VPN - LAN firewall policy to allow traffic. Only those on the FW policy can pass.
    • You can use packet capture for troubleshooting, or the log viewer, to check whether the packets are being dropped and which interface they are going to.

    I know that I will then need to create a static route, but from what to what? Do I only create a route from 205.x.x.x/29 to the XFRM1 interface, or do I need to create a route for each possible subnet on the Main Campus through the XFRM1?

    • You would need to create separate static routes for each subnet.
    • To access the LAN behind the Sophos, create a static route on the SonicWall that routes traffic for all of those subnets to the XFRM1 interface of the Sophos Firewall.

    Furthermore, since I have multiple local subnets behind the Sophos XGS, do I need to create routes for each of those through the LAN interface?

    • Yes, routes to each local subnet behind the Sophos Firewall are needed to reach the SonicWall's LAN interface.

    You may also use the following KB for reference:

     Sophos Firewall: Establish IPsec RBVPN connection between Sophos Firewall and SonicWall 

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
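The three points in the answer above (the XFRM link addresses must not collide with any local subnet and must share one subnet; the VPN-LAN policy must list every subnet on both sides; one static route per remote subnet via XFRM1) can be checked mechanically before touching either firewall. The following is an added example, not code from the thread or from Sophos: the subnet lists are constructed from the obscured prefixes in the post (10.193.x.x is taken as 10.193.0.0/16, 205.x.x.x/29 as 205.0.0.0/29, and so on), and the 10.255.255.0/30 link addresses for the XFRM interfaces are an assumption. Run on those lists it also reports that 10.1.x.x appears in the local subnets of both sites; a prefix that exists on both ends cannot be routed through the tunnel without NAT, so that is worth resolving before building routes for it.

```python
"""Plan check for a route-based (XFRM) IPsec VPN between two sites.

Added example, not from the Sophos Community thread. Inputs are
CONSTRUCTED from the obscured prefixes in the post; the /30 tunnel
link addresses are an assumption.
"""
from ipaddress import ip_interface, ip_network
from itertools import product

# --- constructed inputs (placeholders for the post's x.x values) ----------
MAIN_CAMPUS = {
    "name": "main-campus (SonicWall)",
    "lan": [ip_network(p) for p in (
        "205.0.0.0/29",                       # placeholder for 205.x.x.x/29
        "10.193.0.0/16", "10.1.0.0/16", "10.160.0.0/16",
        "172.17.0.0/16", "172.19.0.0/16")],
    "xfrm": ip_interface("10.255.255.1/30"),  # assumed tunnel-interface address
}
ANNEX = {
    "name": "annex (Sophos XGS)",
    "lan": [ip_network(p) for p in (
        "10.192.0.0/24",                      # placeholder for 10.192.x.x/24
        "10.234.0.0/16", "10.162.0.0/16", "10.1.0.0/16")],
    "xfrm": ip_interface("10.255.255.2/30"),  # assumed tunnel-interface address
}


def overlapping_subnets(site_a, site_b):
    """Pairs of prefixes that overlap across the two sites.
    Such a destination cannot be uniquely routed into the tunnel."""
    return [(a, b) for a, b in product(site_a["lan"], site_b["lan"])
            if a.overlaps(b)]


def xfrm_conflicts(site_a, site_b):
    """Problems with the XFRM link addresses: they must share one subnet
    (so the two tunnel ends can reach each other) and must not fall inside
    any local subnet on either side."""
    problems = []
    link_a, link_b = site_a["xfrm"], site_b["xfrm"]
    if link_a.network != link_b.network:
        problems.append(f"{link_a} and {link_b} are not in the same subnet")
    for site in (site_a, site_b):
        for link in (link_a, link_b):
            for lan in site["lan"]:
                if link.ip in lan:
                    problems.append(
                        f"{link.ip} lies inside {lan} of {site['name']}")
    return problems


def static_routes(remote_site, ifname="xfrm1"):
    """One static route per remote subnet, via the tunnel interface.
    The XFRM /30 itself is directly connected and needs no route."""
    return [(str(net), ifname) for net in remote_site["lan"]]


def firewall_rule(local_site, remote_site):
    """VPN -> LAN policy on local_site: every remote subnet as source,
    every local subnet as destination. Mirror it for LAN -> VPN."""
    return {
        "src_zone": "VPN", "dst_zone": "LAN",
        "src_networks": sorted(str(n) for n in remote_site["lan"]),
        "dst_networks": sorted(str(n) for n in local_site["lan"]),
    }


def plan(local_site, remote_site):
    """Full check for one side of the tunnel."""
    return {
        "overlaps": [(str(a), str(b)) for a, b in
                     overlapping_subnets(local_site, remote_site)],
        "xfrm_problems": xfrm_conflicts(local_site, remote_site),
        "routes": static_routes(remote_site),
        "rule": firewall_rule(local_site, remote_site),
    }


if __name__ == "__main__":
    # Plan from the Sophos (annex) side, whose remote is the main campus.
    for key, value in plan(ANNEX, MAIN_CAMPUS).items():
        print(f"{key}:")
        for item in (value if isinstance(value, list) else [value]):
            print("   ", item)
```

Swap the constructed prefixes for the real ones and re-run; an empty `overlaps` list and an empty `xfrm_problems` list are the precondition for the route and rule lists being usable as-is on the Sophos. The same `plan()` call with the arguments reversed gives the SonicWall side.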

  • Thanks Erick, this has resolved my VPN traffic issues. Very much appreciated!

  • Hi Josh,

    That is great to hear, and thank you for the update. 

    Erick Jan
    Community Support Engineer | Sophos Technical Support
