
Only one-way traffic on IPsec site-to-site VPN

I have a new Sophos XGS116 that I have just installed, replacing a Cisco ASA5506 (Site B).

I set up the site-to-site VPN with the same profile and settings (other than the subnet and public IP) as I use on another XGS116 (Site C) for the same customer.

Both of these 116s have a site-to-site VPN that goes to a main office Cisco ASA5506 (Site A).

On Site C the site-to-site VPN works fine.

However, on Site B the site-to-site VPN connects up instantly and I can ping / RDP from a server at Site A to a PC at Site B, but I can't ping etc. from Site B to the server or anything at Site A.

I've set the route precedence to VPN traffic first. I have two firewall rules for VPN traffic at the top of my rules. (On Site C I haven't had to do either of those things.) I deleted and redid the VPN on the Cisco side at Site A as well, but still the same.

I did a packet trace on the Sophos when I did a ping from Site B, but it didn't show any issues. Just forwarding and incoming, I think it said. It didn't show anything that looked bad.

Anyone got any ideas of what else I can try?

  • Hello,

    Thanks for reaching out to Sophos Community.

    What are the results when you perform a traceroute from Site B -> A? Also, could you confirm whether ICMP is enabled on the VPN zone of Site A? Also, does this happen for every machine on Site B going to A?

    Could you also perform a drop-packet capture on the console while simulating ICMP from Site B -> A: drop-packet-capture 'host <destination IP> and proto ICMP' and kindly share the results.

    Thanks for your time and patience and thank you for choosing Sophos.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • I think I've figured out what the issue is. I just don't know how to fix it.

    Comparing to Site C: I have seen the DNS traffic between the PC and the DNS server that is across the site-to-site VPN on that firewall hit the correct VPN firewall rule but no NAT rule.

    On Site B, the same DNS traffic that is going to the DNS server across the VPN is hitting the correct firewall rule but then also hitting the LAN-WAN NAT rule.

    I am guessing I don't want it to NAT.

    On the setup for Site C I did the firewall rules with linked NAT, but found out that isn't how you are supposed to set up firewall rules, so on this later firewall I didn't do that, but now this has caused this issue.

    How do I make the VPN traffic not hit the LAN-WAN rule?

  • Did you configure the IP addresses correctly in the tunnel? You wouldn't expect NAT to be necessary inside a tunnel, where it usually can just route traffic between the two sides.

    Besides that, if you think that is the solution, you can always create an extra NAT rule to test things out. Make sure, however, to put this NAT rule above the current LAN to WAN NAT rule.

    Maybe check your current NAT rule so that you don't have Any everywhere, but change the destination to WAN, so this rule should not be able to match VPN traffic.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Subnets have been quadruple checked. There's only one subnet on either side of the site-to-site VPN and they are correct.

    I've looked at similar issues on this forum and they seem to mention a licence issue. On this firewall it's licenced and synced up, so I don't think it's that.

    What NAT rule would I do? Am I doing a NAT rule to pick up the VPN traffic and tell it not to NAT?

  • If your current (global) NAT rule has Any as both source and destination and is set to MASQ, you could change the destination to the WAN zone. In that case you are certain that this NAT rule would not pick up any traffic destined for a VPN zone.

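To make the point of the two replies above concrete (an Any -> Any masquerade rule also catches tunnel-bound traffic, while narrowing the destination zone to WAN, or placing a no-NAT rule above it, leaves VPN traffic untranslated), here is an added example that is not from the thread or from Sophos: a simplified, zone-based model of NAT rule matching with a constructed routing table for Site B. The subnets, zone names and rule format are assumptions for illustration and do not reproduce the firewall's real rule engine.

```python
import ipaddress

# Constructed routing table for a Site B firewall (sample values, not from the thread).
# Each entry is (prefix, egress zone); the most specific matching prefix wins.
ROUTES = [
    ("192.168.20.0/24", "LAN"),   # Site B local subnet (assumed)
    ("10.0.0.0/24", "VPN"),       # Site A subnet reached through the IPsec tunnel (assumed)
    ("0.0.0.0/0", "WAN"),         # default route to the Internet
]


def zone_for(ip: str) -> str:
    """Return the zone of the interface that would carry traffic to ip (longest prefix match)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


def first_matching_nat(rules: list, src_ip: str, dst_ip: str):
    """Return the name of the first NAT rule whose source/destination zones match, or None.

    None means the packet leaves untranslated, which is what site-to-site VPN traffic needs.
    """
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)
    for rule in rules:
        if rule["src_zone"] in ("Any", src_zone) and rule["dst_zone"] in ("Any", dst_zone):
            return rule["name"]
    return None


# Weak ruleset: a single masquerade rule that matches Any -> Any, so it also catches
# traffic whose destination is reached through the VPN zone.
WEAK = [{"name": "LAN-WAN MASQ", "src_zone": "Any", "dst_zone": "Any", "action": "MASQ"}]

# Corrected ruleset: destination narrowed to the WAN zone, so VPN-bound traffic never matches.
FIXED = [{"name": "LAN-WAN MASQ", "src_zone": "LAN", "dst_zone": "WAN", "action": "MASQ"}]

# Alternative: keep the broad rule but place an explicit no-NAT rule for VPN traffic above it.
ORDERED = [{"name": "VPN no-NAT", "src_zone": "LAN", "dst_zone": "VPN", "action": "NONE"}] + WEAK

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("fixed", FIXED), ("ordered", ORDERED)):
        print(label, "->", first_matching_nat(rules, "192.168.20.10", "10.0.0.5"))
```

Run it to see the weak ruleset translate the tunnel-bound packet while the other two leave it alone; Internet-bound traffic still hits the masquerade rule in every ruleset.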

  • Thanks. I tried that yesterday but found there was nowhere to put a zone as a destination on the NAT.

    Whilst there, I redid the rules to be linked exactly how I had set up Site C. This made the traffic stop NATing, which was good, but the traffic still didn't work properly. So I deleted the VPN and network object on Site A's Cisco and redid the VPN. Once I did that, traffic worked correctly.
