Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can’t route self-generated packets

Hello, I work on 2 Sophos XG on 2 different sites. They communicate with each other using a Site-to-Site IPSec VPN.

  • Site A : Sophos-XGS 33100 (SFOS 19.5.3)
  • Site B : Sophos-XG 330 (SFOS 19.5.3)

3 subnets of Sophos A are configured to be able to communicate through the VPN.

  • Network A : Management
  • Network B : Backup
  • Network C

Each subnet has a dedicated VLAN and a virtual interface used as a gateway.

The auto-generated packets by the Sophos of site A destined for site B are automatically sent through the gateway of Network B (Backup). I am trying to know how to select the interface on which the packets auto-generated by the Sophos of the site A will be sent to the site B.

Original need

I wanted to connect the Sophos firewall on site A to an LDAP server located on site B. So I added the connection information to my LDAP server in "Authentication > Servers". When I did a connection test, the “Packet capture” diagnostics tool displayed the IP of the gateway of network B “Backup” as the source IP of the dedicated auto-generated packets.

However, I wanted the IP to be the one of the management networks (or another dedicated to it). I couldn't find any settings on the "AD server" part.

Temporary solution

I realized that the choice of gateway used for sending auto-generated packets is not random. This is actually the gateway for the first subnet allowed in my site-to-site VPN configuration. By changing the name of my network A “Management”, the placing in alphabetical order moves it to the first position.

After applying the changes, the source IP of my packets was indeed the one of my management network.

It works well but I don't find it very clean and intuitive. In addition, my networks and their names may change in the future.

Desired solution

I want to be able to clearly define which gateway to use. I studied a few options such as configuring an IPSec route, but I'm not sure that it’s what I need...

Would anyone be able to answer my needs or give me a lead please?

 



This thread was automatically locked due to age.
Parents
  • Hi  Thank you for reaching out to the Sophos community. The help section below is a good reference to get an understanding in terms of configuration for routing system-generated authentication queries through an IPsec tunnel. Also, it has covered both the type tunnel scenario i.e. PBVPN and RBVPN both.

    Section - "Translate the addresses of gateways system-generated traffic uses" will cover how to change the NAT address.

    Route system-generated authentication queries through an IPsec tunnel:

    https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationADIPsecRouteSysGenTraffic/index.html

    O
    R You may refer below KBA on same kind of topic:

    Sophos Firewall: Route traffic through an IPsec VPN tunnel
    https://support.sophos.com/support/s/article/KB-000035839?language=en_US

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi and thank you for your answers. It looks like this solved my problem, but I can't be sure if this is because of this modifications. See what I did:

    On the CLI I added an IPSec route and a sys-traffic-nat rule:

    system ipsec_route add host IP-OF-MY-AD-SERVER tunnelname NAME-OF-MY-IPSEC-CONNECTION
    set advanced-firewall sys-traffic-nat add destination IP-OF-MY-AD-SERVER snatip IP-OF-MY-MANAGEMENT-GATEWAY

    After applying these commands, I remodified the name of the management network by removing the "A" from the name, so that it returned to second position. After applying the changes, the requests were sent by the management interface, as I wanted.

    However, by deleting the 2 newly created rules (IPsec route + sys-traffic-nat), my packets are still sent by the management interface. So I wonder if everything I did had an impact...

    What do you think about this?

  • Hi   Assuming - It may be possible due to the existing connection not being flush which was present on the appliance, Traffic used the same connection and SNAT IP as in the management interface network IP that you want in your use case, Probably after a while when the existing connection flushed due to no traffic and new traffic will come again and XG will do route lookup or connection establishment at that time you may encounter an issue again. So as guided in the above KBA and Help section it is better to keep the SNAT and IPSec route for the destination host in a policy-based VPN scenario for appliance (device) generated traffic as per your current requirements.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Reply
  • Hi   Assuming - It may be possible due to the existing connection not being flush which was present on the appliance, Traffic used the same connection and SNAT IP as in the management interface network IP that you want in your use case, Probably after a while when the existing connection flushed due to no traffic and new traffic will come again and XG will do route lookup or connection establishment at that time you may encounter an issue again. So as guided in the above KBA and Help section it is better to keep the SNAT and IPSec route for the destination host in a policy-based VPN scenario for appliance (device) generated traffic as per your current requirements.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Children