

Device on BO side of IPSec Site-to-site unable to ping HO side

I have a scenario and trying to set something up for the interim.

In essence, the requirement is to get an APP server at location A to connect to DB server in location B.

The main issue with this is that both locations have the same subnet (e.g. 172.16.0.0/29).
We already advised that the only reliable solution is to change one of the sites' subnets, but that can't be done for the time being.

What we're trying as temporary:

Both Hyper-V hosts have additional NICs that we've connected directly to Port5 on their sites' respective Sophos XG230s, and the VMs have been assigned these NICs' adapters on vSwitches.

A quick diagram:

Assigned site A's Sophos Port5 an IP of "192.168.10.2" and site B's Sophos Port5 "192.168.11.2"
Assigned site A's APP server an IP of "192.168.10.15" and site B's DB server an IP of "192.168.11.13"
Set up the remote and local subnet on each side of the site-to-site ("192.168.10.0/24" and "192.168.11.0/24")
Added persistent routes on each server (E.g.: Dest. 192.168.10.0, Mask. 255.255.255.0, GW. 192.168.11.2, Int. 192.168.11.13, Metric. 26)
Added static unicast IPv4 routes on each Sophos pointing its local network to the interface (E.g.: IP/Mask. 192.168.10.0/255.255.255.0, GW. None, Int. Port5)
Also disabled both servers' Windows firewalls.

The current results are as follows:

Ping from Site A Sophos:
  • To Site A APP server (192.168.10.15) - Response with 1ms latency
  • To Site A Port5 (192.168.10.2) - Response with 1ms latency
  • To Site B DB server (192.168.11.13) - Response with ~20ms latency
  • To Site B Port5 (192.168.11.2) - Response with ~20ms latency
Ping from Site A APP Server:
  • To Site A APP server (192.168.10.15) - Response with 1ms latency
  • To Site A Port5 (192.168.10.2) - Response with 1ms latency
  • To Site B DB server (192.168.11.13) - Response with ~20ms latency
  • To Site B Port5 (192.168.11.2) - Response with ~20ms latency
Ping from Site B Sophos:
  • To Site A APP server (192.168.10.15) - Response with ~20ms latency
  • To Site A Port5 (192.168.10.2) - Response with ~20ms latency
  • To Site B DB server (192.168.11.13) - Response with 1ms latency
  • To Site B Port5 (192.168.11.2) - Response with 1ms latency
Ping from Site B DB Server:
  • To Site A APP server (192.168.10.15) - No response
  • To Site A Port5 (192.168.10.2) - No response
  • To Site B DB server (192.168.11.13) - Response with ~20ms latency
  • To Site B Port5 (192.168.11.2) - Response with ~20ms latency


Here are some packet capture screenshots:

When pinging 192.168.10.2 (Site A Port5) from 192.168.11.13 (Site B DB Server):

Site B Sophos packet capture: (Using BPF string: host 192.168.0.2 and icmp)

Site A Sophos packet capture: (Nothing)

When pinging 192.168.11.2 (Site B Port5) from 192.168.10.15 (Site A APP Server):

Site A Sophos packet capture:

Site B Sophos packet capture:

Thank you in advance, and know, I'm not happy about this either...



  • Hi Erick, thanks for responding!

    I managed to solve my issue:

    When you mentioned NAT I decided to check the logs again and this time focusing on the firewall rules and NAT rules being used.

    What I noticed in the firewall logs was that: 
     - When pinging from Site A to Site B, it was using the firewall rule I had setup for the VPN, and NAT rule 0
     - When pinging from Site B to Site A, it was using the firewall rule I had setup for the VPN, but NAT rule 2 (Default SNAT)
    The differences between the SNAT rules were:
     - Site A's default SNAT rule had its destination set to its WAN ports
     - Site B's default SNAT rule had its destination set to Any
    I changed Site B's default SNAT rule destination to its WAN ports.
    Working.
  • Hi,

    That is great to hear and thank you for the update. 

    Erick Jan
    Community Support Engineer | Sophos Technical Support
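A small Python model of the behaviour this thread ends on, added here as an illustration; it is not SFOS code and does not claim to reproduce how the firewall actually evaluates its rule tables. It uses the thread's addresses and assumes site B's WAN is Port2 with the (constructed) address 198.51.100.2, that the tunnel shows up as an egress interface named ipsec0, and that a "NAT rule 0" log entry means no SNAT rule matched. The point it shows: a default SNAT rule whose destination is Any also matches tunnel-bound traffic, so the DB server's packets leave with site B's WAN address as source, which no longer falls inside the tunnel's local selector 192.168.11.0/24 and therefore never enters the tunnel (consistent with site A's capture seeing nothing). Restricting the rule to the WAN interface leaves VPN traffic untranslated while still masquerading internet-bound traffic.

```python
"""Model of SNAT rule matching versus IPsec selectors (illustrative only)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Addresses from the thread plus assumed/constructed values for site B:
# WAN on Port2 with 198.51.100.2, tunnel egress interface named ipsec0.
SITE_A_LOCAL = ip_network("192.168.10.0/24")
SITE_B_LOCAL = ip_network("192.168.11.0/24")
SITE_B_WAN_IP = ip_address("198.51.100.2")
ANY_SRC = ip_network("0.0.0.0/0")

# Site B routing table as (prefix, egress interface); longest prefix wins.
SITE_B_ROUTES = [
    (SITE_A_LOCAL, "ipsec0"),              # remote subnet -> tunnel
    (SITE_B_LOCAL, "Port5"),               # local subnet -> Port5 (static route)
    (ip_network("0.0.0.0/0"), "Port2"),    # default -> WAN
]


def egress_interface(routes, dst: IPv4Address) -> Optional[str]:
    """Longest-prefix-match lookup returning the egress interface name."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class SnatRule:
    name: str
    src_net: IPv4Network
    out_ifaces: Optional[frozenset]       # None models "destination: Any"
    translate_to: Optional[IPv4Address]   # None models "Original" (no translation)

    def matches(self, pkt: Packet, out_iface: Optional[str]) -> bool:
        return pkt.src in self.src_net and (
            self.out_ifaces is None or out_iface in self.out_ifaces
        )


def apply_snat(rules: List[SnatRule], routes, pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """First matching rule wins; returns the (possibly translated) packet and rule name.
    No match is returned as None, the way the thread's logs show 'NAT rule 0'."""
    out_iface = egress_interface(routes, pkt.dst)
    for rule in rules:
        if rule.matches(pkt, out_iface):
            if rule.translate_to is None:
                return pkt, rule.name
            return Packet(rule.translate_to, pkt.dst), rule.name
    return pkt, None


def enters_tunnel(pkt: Packet, local_sel: IPv4Network, remote_sel: IPv4Network) -> bool:
    """IPsec only carries traffic whose src/dst fall inside the negotiated selectors."""
    return pkt.src in local_sel and pkt.dst in remote_sel


def selectors_usable(local_sel: IPv4Network, remote_sel: IPv4Network) -> bool:
    """The original problem: identical (overlapping) subnets cannot be selectors."""
    return not local_sel.overlaps(remote_sel)


def trace(rules, routes, pkt: Packet) -> Tuple[Optional[str], str, bool]:
    """(rule that matched, source after SNAT, whether it enters the tunnel)."""
    after, rule_name = apply_snat(rules, routes, pkt)
    return rule_name, str(after.src), enters_tunnel(after, SITE_B_LOCAL, SITE_A_LOCAL)


# Site B's default SNAT as described before the fix: destination Any.
SITE_B_SNAT_BEFORE = [SnatRule("Default SNAT", ANY_SRC, None, SITE_B_WAN_IP)]
# After the fix: destination restricted to the WAN port(s).
SITE_B_SNAT_AFTER = [SnatRule("Default SNAT", ANY_SRC, frozenset({"Port2"}), SITE_B_WAN_IP)]

# Constructed packets: DB server pinging site A's Port5, and an internet host.
PING_TO_SITE_A = Packet(ip_address("192.168.11.13"), ip_address("192.168.10.2"))
PING_TO_INTERNET = Packet(ip_address("192.168.11.13"), ip_address("203.0.113.10"))

if __name__ == "__main__":
    print("overlapping /29s usable as selectors:",
          selectors_usable(ip_network("172.16.0.0/29"), ip_network("172.16.0.0/29")))
    for label, rules in (("before", SITE_B_SNAT_BEFORE), ("after", SITE_B_SNAT_AFTER)):
        print(label, "to site A:  ", trace(rules, SITE_B_ROUTES, PING_TO_SITE_A))
        print(label, "to internet:", trace(rules, SITE_B_ROUTES, PING_TO_INTERNET))
```

Running it shows the pre-fix configuration translating the DB server's ping to 198.51.100.2 and failing the selector check, while the post-fix configuration leaves it untranslated (no rule matched) and keeps internet-bound traffic masqueraded. Real SFOS evaluates NAT rules top-down as well, so the same effect can be produced by a broader rule sitting above a narrower one; the check worth making after any NAT change is the firewall log's NAT rule ID on VPN-bound traffic, as the poster did.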