This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

help to configurate IPSec VPN sophos xgs136

Davide Filippi 8 months ago

Hello everyone,

I need help setting up an IPsec VPN.

My provider gave me these parameters:

Remote Gateway: <public address A>

Subnet: <range of public addresses B>

Phase1 and Phase2 parameters that I know it have to match

Firewall XGS136

I have a public masquerade ip address and another public ip for incoming connections

Thanks

This thread was automatically locked due to age.

Top Replies

Vivek Jagad 8 months ago +1 suggested

Hello Davide Filippi , Thank you for reaching out to the community, you can refer the Create a policy-based IPsec VPN using preshared key .

Parents

0 Vivek Jagad 8 months ago

Hello Davide Filippi ,

Thank you for reaching out to the community, you can refer the Create a policy-based IPsec VPN using preshared key.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Davide Filippi 8 months ago in reply to Vivek Jagad

Thank you for the response. I had already followed this guide and the result is that the tunnel is up but the provider tells me that from his side he can send packets but not receive them. Indeed, if I try to do a tracert, I see that after my firewall, it is not forwarded in the VPN tunnel.
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J 8 months ago in reply to Davide Filippi
Hello Davide Filippi ,

Please create a new test firewall rule from VPN to LAN and LAN to VPN and keep the rule position on TOP for troubleshooting.

Make sure ping is enabled under Go to Administration > Device access. Under Ping/Ping6, select VPN.

To see an IPsec connection, go to Current activities > IPsec connections.

Regards
"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Davide Filippi 8 months ago in reply to Bharat J

Hi Bharat

As you suggest I've created two firewall rules on top but still doesn't work

Also, in packet capture I see
Cancel
Vote Up 0 Vote Down

Cancel
0 apijnappels 8 months ago in reply to Davide Filippi

The upper rule ipsec0 to Port1 gives a Violation. Can you check the corresponding logging in firewall logging if you can find what happens there?

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Cancel
Vote Up 0 Vote Down

Cancel
0 Davide Filippi 8 months ago in reply to apijnappels

Cannot find firewall log. Neither if I filter "In interface: ipsec0" or "src ip: <ip address of my supplier>".

No record found
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J 8 months ago in reply to Davide Filippi

Please check by removing source network and destination network as any.If you have added static routing for IPsec please remove it

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 apijnappels 8 months ago in reply to Davide Filippi

Firewal log can be found in top right section of webinterface, it's called Log Viewer. From there you should be able to filter on different fields.

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Cancel
Vote Up 0 Vote Down

Cancel
0 Davide Filippi 8 months ago in reply to apijnappels

Bharat J I have no static routing for ipsec or nat rules. But if I remove source and destination network and keep only soruce and destination zone then in packet capture I can see status forwarding and not violation. Also, with wireshark, I can see ping request and reply.

apijnappels Yes, i've check on log viewer but even if now it works I cannot see logs.

Now the problem is in reply. When I receive the ping I can see "In interface" ipsec0 but when I reply to ping I see "Out interface" port2.

Port1 is my lan interface

port2 is my wan interface (where I have multiple ip)
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Davide Filippi 8 months ago in reply to apijnappels

Bharat J I have no static routing for ipsec or nat rules. But if I remove source and destination network and keep only soruce and destination zone then in packet capture I can see status forwarding and not violation. Also, with wireshark, I can see ping request and reply.

apijnappels Yes, i've check on log viewer but even if now it works I cannot see logs.

Now the problem is in reply. When I receive the ping I can see "In interface" ipsec0 but when I reply to ping I see "Out interface" port2.

Port1 is my lan interface

port2 is my wan interface (where I have multiple ip)
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Bharat J 8 months ago in reply to Davide Filippi

Seems you have added static route under configure | routing | static route

please share screenshot for same.

Also,Please check what you see under IPsec live connection as guided above.

Which firewall you have in remote end sophos or third party firewall?

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel