Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 14 replies
  • Answers 1 answer
  • Subscribers 42 subscribers
  • Views 3188 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't access remote server via IPSec s2s after migration (xg135w to xgs136)

Pawel_L

Hi,

We have an IPSec s2s connection, and there is a remote subnet 10.0.0.0/255.255.255.0.

Migration was done with configuration export/import and it seemed almost everything migrated successfully (only some firewall rules involvind ad users where missing).

On new device I can't ping or access remote AD server from xgs, which is crucial (AD controller).

  1. Old device (working):
    • ping 10.0.0.100 (remote server) from sophos ssh - OK
    • ping 10.0.0.110 (remote AD controller) from sophos ssh - OK
    • ping 10.0.0.110 (remote AD controller) from local PC - OK
    • packet capturing: packet is sent through ipsec0 interface from 10.0.1.1  (Port1 - LAN). No NAT or firewall rule applies.
  2. New device (not working):
    • ping 10.0.0.100 (remote server) from sophos ssh - OK
    • ping 10.0.0.110 (remote AD controller) from sophos ssh - FAILS
    • ping 10.0.0.110 (remote AD controller) from local PC - OK
    • packet capturing: packet is sent throuth ipsec0 interface but from 169.254.234.5 (ipsec0 interface). No NAT or firewall rule applies.

What may be causing the difference?



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to rfcat_vk

    I thought the same, but couldn't figure out what can cause the difference after configuration migration, nor couldn't find a place where this can be configured:

  • 0 in reply to Pawel_L

    All I can suggest is a restart to see if the address is correctly assigned.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Is there an alternative way to check the assigned address besides packet capturing?

  • 0 in reply to Pawel_L

    Hi  

    What is the output of 'ip route show table 220'. In working case, this should be having src set to LAN ip of XGS

    You can check if there is any routing issue by looking at 'ip route get 10.0.0.110' 

  • 0 in reply to Sreenivasulu Naidu

     

    Working device:

    > ip route show table 220
10.0.0.0/24 dev ipsec0 scope link src 10.0.1.1
> ip route get 10.0.0.110
10.0.0.110 dev ipsec0 src 169.254.234.5 uid 0

    Non-working device:

    > ip route show table 220
10.0.0.0/24 dev ipsec0 scope link src 10.0.2.1
> ip route get 10.0.0.110
10.0.0.110 dev ipsec0 src 169.254.234.5 uid 0

    Both 10.0.1.0/24 and 10.0.2.0/24 are local VLANs.

  • 0 in reply to Pawel_L

    Did you change the local/remote subnets on both ends to reflect the change from 10.0.1.1 to 10.0.2.1 ?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Pawel_L

    Generally, 'ip route get' and 'table 220' should be sowing same ip as source ip for a given destination, which is not the case in your setup.

    Since 'src 169.254.234.5' is shown both on XG and after moving on to XGS, you might not have any LAN interface configured with an ip that is part of 'local subnet' used for s2s ipsec tunnel. In such case, on your XG you would be having below 2 cish clis configured via cish (one is for route and the other one for snat) that helps XG generated traffic reaching AD server via the tunnel. Pls. check and ensure the clis are added on your new XGS.

    system ipsec_route add host <Ad server ip>  tunnelname <IPsec s2s tunnel name>

    set advanced-firewall sys-traffic-nat add destination <Ad server ip> snatip <some ip address of 'local subnet' used in the ipsec tunnel.

    On the other hand, if we add a LAN port on XGS with an ip that is part of the 'local subnet' of ipsec tunnel, ipsec tunnel bringup will take care of updating table 220 with the ip configured on the LAN port as source ip. 

  • 0 in reply to Sreenivasulu Naidu

      

    So this needs to be configured in cish?

    console> show advanced-firewall

...(cut)...


        NAT policy for system originated traffic
        ---------------------
        Destination Network     Destination Netmask     Interface       SNAT IP
        10.0.0.110              255.255.255.255                         10.0.1.1

console>

    I wonder how it was configured originally. Is it possible it was done in GUI, or somehow automatically?

  • 0 in reply to Pawel_L

    Yes, can you make this config and let us know if the issue gets resolved.

  • 0 in reply to Sreenivasulu Naidu

      - Could you pls come back with an update, if the suggestion from Sreeni helps to resolve the issue ?

Unfiltered HTML