

XFRM Interface Diagnostic

Two XGS connected via ISP PTP fiber as the primary link.

Each XGS has a second ISP which will be used for an IPsec tunnel in case the primary link fails.

Currently OSPF is in use.

I have an IPsec VPN between the two XGS using a tunnel. The two XFRM interfaces are 192.168.31.1 and 192.168.31.2.

Each XGS can ping the other's address via the VPN tunnel. This is doable from the ping tool under Diagnostics.

Sophos has not added the XFRM interfaces to Diagnostics, so I can't tell it to traceroute via the XFRM interface.

I want to make sure rules/policies are working before adding/changing OSPF.

Is there a way to test this from the Advanced Shell or Device Console?

I want to prevent what I did the other day. I added the tunnel network info to OSPF on each XGS as shown in a help document. After I did this, the connectivity between the two XGS went down. Thankfully, I was able to log in via Central and remove the OSPF change. I'm still not sure what I did wrong, other than I think I did not have a rule in place for one of the XFRM interfaces.

Ideas?

The scenario above is for connectivity between two offices. Should we use OSPF or Sophos SDN? Can both be used at once without issues?

  • The set of commands below can be used from the advanced shell to check connectivity status and for VPN tunnel diagnostics.

    • ip route show all
    • ip route get <remote host ip>
    • Ping the remote host IP from the Sophos Firewall to verify that the IPsec endpoint can reach the remote network through the VPN tunnel.
    • tcpdump -ni xfrm<>
    • tcpdump -n host <ip address> and esp (use the remote host IP address used for the ping)
    • ifconfig xfrm< >
    • netstat -ip
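As an added example (this is not code from the thread, from Sophos, or from the SFOS documentation), the checks listed in the reply above are bundled into one POSIX shell script that takes the XFRM interface name and the peer's tunnel address as arguments. It adds the two things the question asks for that the web UI does not offer: a ping and a traceroute forced out of the XFRM interface (ping -I, traceroute -i), and a check that the kernel's routing decision for the peer's tunnel address actually lands on the XFRM interface, which is worth confirming before and after an OSPF change. The interface name xfrm1, the WAN port name Port2, the gateway 203.0.113.1, and the sample `ip route get` output line are assumptions for illustration; the availability of ip (with xfrm support), ping, traceroute and tcpdump in the SFOS advanced shell is assumed rather than verified. Only 192.168.31.1/192.168.31.2 come from the post.

```shell
#!/bin/sh
# Added example, not the thread's or Sophos' own tooling.
# Usage:  sh xfrm_diag.sh <xfrm interface> <peer tunnel ip> [<wan interface>]
#    e.g. sh xfrm_diag.sh xfrm1 192.168.31.2 Port2
# Assumed names: xfrm1 (local XFRM interface), Port2 (WAN port carrying ESP).
# Assumed tools in the advanced shell: ip, ping -I, traceroute -i, tcpdump.

# route_dev: print the outgoing device named in one line of `ip route get` output.
# Constructed sample input: "192.168.31.2 dev xfrm1 src 192.168.31.1 uid 0"
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# route_uses_iface <iface> <route line>: succeed only when the kernel would send
# traffic for that destination out of <iface>.  "unreachable ..." or
# "... via <isp gateway> dev PortX" means the tunnel route is missing, and no
# firewall rule on the XFRM interface can compensate for that.
route_uses_iface() {
    [ "$(route_dev "$2")" = "$1" ]
}

run_diag() {
    iface=$1; peer=$2; wan=${3:-Port2}

    echo "== $iface: state, if_id and counters (ip -d shows the xfrm if_id)"
    ip -d -s link show dev "$iface"
    ip addr show dev "$iface"

    echo "== IPsec SAs and policies; compare their if_id with the one above"
    ip xfrm state
    ip xfrm policy

    echo "== routes pointing at $iface, and the kernel's decision for $peer"
    ip route show dev "$iface"
    route=$(ip route get "$peer" | head -n 1)
    echo "$route"
    if route_uses_iface "$iface" "$route"; then
        echo "OK: $peer is routed via $iface"
    else
        echo "WARN: $peer is NOT routed via $iface (dev=$(route_dev "$route"))"
    fi

    echo "== ping bound to the XFRM interface (cleartext side of the tunnel)"
    ping -I "$iface" -c 3 "$peer"

    echo "== traceroute forced out of the XFRM interface"
    traceroute -n -i "$iface" -m 5 "$peer"

    echo "== cleartext on $iface while pinging (should show ICMP echo)"
    tcpdump -ni "$iface" -c 4 icmp &
    cap_pid=$!
    sleep 1
    ping -I "$iface" -c 2 "$peer" >/dev/null 2>&1
    sleep 2
    kill "$cap_pid" 2>/dev/null; wait "$cap_pid" 2>/dev/null

    echo "== encrypted side: ESP on $wan while pinging (outer IPs are the WAN peers)"
    tcpdump -ni "$wan" -c 4 esp &
    cap_pid=$!
    sleep 1
    ping -I "$iface" -c 2 "$peer" >/dev/null 2>&1
    sleep 2
    kill "$cap_pid" 2>/dev/null; wait "$cap_pid" 2>/dev/null
}

# Run the live checks only when invoked with arguments, so the helper
# functions can be sourced and exercised without any xfrm interface present.
if [ $# -ge 2 ]; then
    run_diag "$@"
fi
```

Run it on both firewalls before touching OSPF, then again after the change; the route check is the line to watch, since a route for 192.168.31.2 that leaves via the ISP gateway instead of the XFRM interface means the OSPF-learned route has displaced the tunnel route. The ESP capture is taken on the WAN port without an inner-address filter because ESP packets carry the two WAN endpoint addresses as their outer IPs, not the 192.168.31.x tunnel addresses; the cleartext ICMP for the same ping shows up on the XFRM interface itself.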