

Site-to-Site IPSec Not Working As Intended

Hi.

I am currently working with a test environment and have configured two XG firewalls to have an IPSec Policy-based site-to-site connection between them. I cannot get the IPSec connection to forward traffic correctly. I have been trying for hours and looked at many online discussions about similar issues, but no success.

Here's how I have the firewalls physically connected:

Firewall A <-------> Firewall B

Very simple, one is connected to the other with Ethernet. On both firewalls, the interface for the link is set to WAN zone and I have configured a small 'pretend' IP block with no actual functioning gateway. Both firewalls can ping each other.

I have configured the IPSec connection and the connection is successfully established, including the local and remote subnets on both firewalls both showing green in the status overview.

I have configured the firewall rules on both XGs to allow traffic to and from the VPN zone and the local subnets on both sides.

When I use a PC on the branch firewall and try to connect to a PC on the head office firewall (within the remote subnet configured), it will not forward the traffic to the ipsec0 interface. I can see with a packet capture that actually the firewall is trying to forward it to the Internet instead (which would not work, since the local/remote IPs are non-routable).

I have tried to manually add the IPSec routes (using CLI -> system ipsec_route add net) but that does not work either.

Has anyone else ever tried to test an IPSec VPN like this before? Why is it not adding the VPN routes as I am led to believe it should be? I cannot get the traffic to flow over the VPN connection. I can even see in the rules, that both in and out are zero bytes, and I am 100% sure the rules should be matching the traffic.

I can provide more information if needed.

Can anyone help out?
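The behaviour described in the post (traffic to the remote subnet leaving via the WAN instead of ipsec0) is what a policy-based tunnel does whenever a packet's source/destination pair falls outside the configured local/remote subnet selectors: only matching flows are tunnelled, everything else follows the ordinary routing table. The following is an added example, not code from the post or from Sophos, that models that decision so the selectors can be checked against the actual PC addresses before digging into the firewall itself. The connection name, subnets, interface names and routing table are all constructed for illustration.

```python
import ipaddress

# Added example (not from the original post or Sophos). A policy-based IPsec tunnel
# tunnels only packets whose source/destination fall inside the configured local/remote
# subnets (the traffic selectors); anything else follows the ordinary routing table.
# All addresses, interface names and the policy below are constructed for illustration.

POLICY = {
    "name": "branch-to-hq",             # hypothetical connection name
    "local_subnets": ["10.20.0.0/24"],  # branch LAN (hypothetical)
    "remote_subnets": ["10.10.0.0/24"], # head-office LAN (hypothetical)
    "tunnel_iface": "ipsec0",
}

# Constructed routing table for the branch firewall: connected LAN, the 'pretend'
# WAN block between the two firewalls, and a default route out of the WAN port.
ROUTES = [
    ("10.20.0.0/24", "Port1"),
    ("192.0.2.0/30", "Port2"),
    ("0.0.0.0/0", "Port2"),
]


def selector_match(src, dst, policy):
    """True if (src, dst) lies inside a local/remote subnet pair of the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_local = any(s in ipaddress.ip_network(n) for n in policy["local_subnets"])
    in_remote = any(d in ipaddress.ip_network(n) for n in policy["remote_subnets"])
    return in_local and in_remote


def route_lookup(dst, routes):
    """Longest-prefix match over the routing table; returns (prefix, interface)."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else (None, None)


def egress_interface(src, dst, policy, routes):
    """Interface a packet leaves on: the tunnel if the selectors match, else normal routing."""
    if selector_match(src, dst, policy):
        return policy["tunnel_iface"]
    return route_lookup(dst, routes)[1]


def diagnose(src, dst, policy):
    """List which selector(s) a non-tunnelled flow fails, for troubleshooting."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    problems = []
    if not any(s in ipaddress.ip_network(n) for n in policy["local_subnets"]):
        problems.append(f"source {src} not in local subnets {policy['local_subnets']}")
    if not any(d in ipaddress.ip_network(n) for n in policy["remote_subnets"]):
        problems.append(f"destination {dst} not in remote subnets {policy['remote_subnets']}")
    return problems


if __name__ == "__main__":
    # Flow inside both selectors: goes into the tunnel.
    print(egress_interface("10.20.0.15", "10.10.0.15", POLICY, ROUTES))  # ipsec0
    # Source outside the local selector: falls through to the default route, so a
    # packet capture would show it leaving on the WAN port rather than ipsec0.
    print(egress_interface("10.20.1.15", "10.10.0.15", POLICY, ROUTES))  # Port2
    for line in diagnose("10.20.1.15", "10.10.0.15", POLICY):
        print("  -", line)
```

Running `diagnose()` with the real PC addresses and the subnets entered in the connection is a quick way to rule out a selector mismatch (a PC on a different VLAN or subnet than the one configured as the local network) before looking at routes or rules.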



  • Yes, I believe they should be shown there too. This isn't the first time I've configured a site-to-site with IPSec on an XG. No idea why it isn't working. As for the versions, firewall A is running 19.5.1 MR-1 and firewall B is running 19.5.2 MR-2.

    I will try upgrading firewall A, then deleting the IPSec connection on both and re-creating it. I will post an update.

    Thank you for your time 🙂
