
Full tunnel site to site IPsec VPN bug

Hi All,

We have a question about full tunnel site to site IPsec VPN.
When we create a site to site IPsec VPN with local 192.168.183.50/32 to remote Any, we found that XG's own routing will also be carried out through this VPN tunnel.

There is a similar discussion in the forum, link as below.

https://community.sophos.com/sophos-xg-firewall/f/discussions/127846/firewall-traffic-gets-routed-in-full-tunnel-ipsec-vpn?ReplySortBy=CreatedDate&ReplySortOrder=Ascending

I have tried 17.5.14 and 19.0.3, and both of them have the same bug.

Does anyone know which version of firmware this bug is resolved in?



  • Sophos has addressed the issue, and will fix it in 20.0.1 MR-1.

    Before the firmware release, clients can only raise a case to get the patch that resolves the bug.

  •  Additionally, a fix for this will be implemented via the below console command-based option (from v20.0MR1 or v21.0 releases):

    console> show routing policy-based-ipsec-vpn system-generate-traffic
    On

    Note: The default setting is ON.

    console> set routing policy-based-ipsec-vpn system-generate-traffic enable/disable

    enable Send system-generated traffic through policy-based IPsec connections.

    disable Don't send system-generated traffic through policy-based IPsec connections.

    Disable will address this issue, and applying this setting will restart the strongswan service; hence a service impact is expected while applying or reverting the setting via the above console command.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.
