
Trouble routing a packet from site A via site B to site C (with SNAT)

I have something strange for the following situation.

VPN connection between site A and site B (tried both policy-based and route-based) and a policy-based VPN-connection between site B and site C.

Intention is to reach site C from site A while there is no possibility to add Site A's subnet to the tunnel between B and C. Therefore from B the traffic should be SNATted to a site B ip-address.

  • Site C's subnet is in the tunnel between site A and site B.
  • Site A can successfully reach resources at site B.
  • Subnet Site A: 10.0.0.0/24
  • Subnet Site B: 192.168.21.0/24
  • Subnet Site C: 10.23.1.0/24

At site B we did a packet capture to see what happens with the traffic. This is what happens with a ping from site A to site B, which is the expected output: the packet comes in and gets forwarded, the reply comes in and gets forwarded back to the source:

However, when pinging to site C we see the packet arriving on ipsec0 just as above, but then the second packet is weird: it lists traffic from ipsec0 to ipsec0 with status Generated (and not Forwarded), with the source and destination addresses inverted, and the pinging station at site A receives a really strange output:

  • I tried adding ipsec_route to 10.23.1.0/24 net from the console at site B
  • tried it without the ipsec_route
  • for route-based VPN I also created a SD-WAN route to 10.0.0.0/24 network to the tunnel interface
  • Route precedence is: VPN, SD-WAN, Static
  • tried to NAT traffic for 10.23.1.0/24 with firewall rule with Linked NAT rule
  • tried to NAT this subnet directly from the policy based ipsec connection

Most of the time it is just a request timeout and at some config we got the above strange output from ping.

Site A is an OPNsense firewall, site B is the Sophos XG with version 19.5.3 MR-3 on it. Site C has a Cisco firewall IIRC.

I don't know what else I can try or where I am making a mistake in my thinking. I have similar setups at other sites where traffic from A is SNATted at B to C and they all work flawlessly, but not on this occasion.

Anyone have a clue what I'm missing and why the packet capture status says Generated instead of Forwarded?



[edited by: Raphael Alganes at 1:52 AM (GMT -7) on 12 Jul 2024]
  • My thought here is: why use a firewall in between? Both could connect to each other, if that is needed.

    And why do you have to NAT? 

    When you reach site C, can you also show us the packet capture? And also show us the NAT rule you are using.

  • Here's a packet capture from same site B and same site C. Site A is now my home firewall, this one is working as expected:

    Here you see the traffic coming in from tunnel interface (xfrm4) from 172.16.16.100 destined for 10.23.1.42. Traffic is translated to 192.168.21.3 and forwarded to ipsec0 connection to destination. 
    Ping reply comes back from ipsec0 interface to translated address and lastly gets forwarded to the original source.

    While site B and site C are the same and I believe I have the same set of rules for this site A, I don't know what I am missing here...


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
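The packet walk in the working capture above, modelled as an added example (not Sophos code and not from the poster): stateful SNAT at site B translates the site A source to 192.168.21.3 on the way into ipsec0, the reply to 192.168.21.3 is reverse-mapped from the connection table, and a packet that reaches the B-C tunnel with an untranslated site A source has no matching tunnel selector. The site A subnet 172.16.16.0/24, the LAN interface name and the B-C selectors (192.168.21.0/24 <-> 10.23.1.0/24) are assumptions, since the thread only shows the host .100 and the translated address.

```python
import ipaddress as ipa

# Constructed topology for site B. 172.16.16.0/24 as the site A subnet, "eth0"
# and the B-C selectors are assumptions; the other values come from the capture.
SITE_A = ipa.ip_network("172.16.16.0/24")
SITE_B = ipa.ip_network("192.168.21.0/24")
SITE_C = ipa.ip_network("10.23.1.0/24")
ROUTES = {SITE_C: "ipsec0", SITE_A: "xfrm4", SITE_B: "eth0"}
BC_SELECTORS = (SITE_B, SITE_C)   # only this local/remote pair is covered by the B-C tunnel
SNAT_ADDR = "192.168.21.3"        # translated source seen in the working capture


def egress(dst):
    """Pick the outgoing interface for a destination (one route per site suffices here)."""
    ip = ipa.ip_address(dst)
    return next((iface for net, iface in ROUTES.items() if ip in net), None)


def walk(src, dst, conntrack, snat=True):
    """One capture-style line: (status, iface_out, src_out, dst_out).

    conntrack maps (remote_host, translated_src) -> original_src so replies
    coming back to the SNAT address can be returned to the real sender.
    """
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    # Reply to an already translated flow: undo the SNAT before routing.
    if (src, dst) in conntrack:
        orig = conntrack[(src, dst)]
        return ("Forwarded", egress(orig), src, orig)
    out = egress(dst)
    if out == "ipsec0":
        if snat and s in SITE_A and d in SITE_C:
            conntrack[(dst, SNAT_ADDR)] = src   # remember how to untranslate the reply
            s = ipa.ip_address(SNAT_ADDR)
        # Policy-based tunnel: the packet must match the negotiated selectors.
        if not (s in BC_SELECTORS[0] and d in BC_SELECTORS[1]):
            return ("Dropped: no B-C tunnel selector", None, str(s), str(d))
    return ("Forwarded", out, str(s), str(d))


def demo():
    """Request, reply and the untranslated failure case, as the capture would list them."""
    ct = {}
    request = walk("172.16.16.100", "10.23.1.42", ct)           # xfrm4 -> ipsec0, SNATted
    reply = walk("10.23.1.42", "192.168.21.3", ct)              # ipsec0 -> xfrm4, untranslated
    no_snat = walk("172.16.16.100", "10.23.1.42", {}, snat=False)
    return request, reply, no_snat
```

Run `demo()` to see the three lines; the third shows why the SNAT rule is needed when site A's subnet cannot be added to the B-C tunnel.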
