Route-based VPN problem

Question

Good afternoon everybody. I have the following problem. 
 Routed S2S VPN (xfrm) between head and branch and with SDWan activated. Ping between hosts on both networks, ok, working perfectly. 
 Ping from Sophos Firewall to remote network fails. The Firewall directs traffic to the Wan network and not through the VPN. 
 - No static route to the remote network 
 - Routing precedence as follows on both sites: VPN route, SD-WAN route, Static route (I've tried all precedence combinations and the result is the same). 
 I need the branch's Sophos to access the hosts on the main network, as I use Stas authentication. 
 
 Thanks

Vivek Jagad · Answer

Hello Cristiano Monteiro ,

Thank you for reaching out to the community,

Go to Administration > Device access. For the VPN zone, select Ping/Ping6.
Go to Rules and policies > Firewall rules. Make sure Log firewall traffic is turned on in the firewall rules you created.
Continuously ping a device on the branch office LAN. On Windows, start a command prompt and type: ping <ip.address> -t
On Sophos Firewall go to Diagnostics > Packet capture > Configure. In BPF string type the following: host <ip.address> and proto ICMP
Click Save.
Turn on Packet capture. If the ping is successful, you can see the ICMP traffic going out of the xfrm interface.
If the packets are going from the WAN interface, refer direct the traffic over the IPsec tunnel instead of the static route.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.

Route-based VPN problem

Top Replies