
WIFI "separate zone" didn't work over IPSec

Hi all,

AP configuration works. I am able to remove & add the APs.
APs are recognized and shown as active.
I can see the traffic between AP & XGS on port 2712.
Traffic to port 8472 from firewall to AP is not answered, but I see packets from AP to an APIPA address.
SSIDs with "bridge to AP LAN" or "bridge to VLAN" are working.
With "separate zone" there is no traffic from/to the client.
APs connected directly to the XGS or placed behind a RED are working.

Network:
AP --- SG-UTM --------- IPSec -------- XGS --- ClientVLan

AP: 10.101.103.15
XGS-Interface at ClientVLAN 10.101.203.1
XGS-Version: SFOS 19.0.5

Packet Capture from SG-UTM:

Greetings,
Dirk



  • Hi, thank you for reaching out to the Sophos community team.

    Can you please try adding an IPsec route and system-generated NAT for the AP IP on the XGS side and confirm the status of this?

    IPsec route syntax: system ipsec_route add host <IP address of host> tunnelname <tunnel>

    System NAT syntax: set advanced-firewall sys-traffic-nat add destination <Destination or network IP address> snatip <NATed IP>

    In the NATed IP use the XGS side Interface IP which is part of the IPSec tunnel network.

    Reference: Route system-generated queries through an IPsec tunnel

    https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationADIPsecRouteSysGenTraffic/index.html#prerequisite-configure-an-ipsec-vpn-tunnel

    Once the above route and system NAT are added, please reconnect the IPsec tunnel in question and confirm the status of the wireless separate zone.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi Vishal

    That's already configured.

    Regards,


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi, thanks for sharing the update on the same. In that case, can you please check PING from XGS to the AP IP and confirm whether XGS can reach it or not?

    Please also collect a TCPDUMP and drop on port 8472 to confirm how XGS is generating requests and which IP is picked by XGS, or whether that IP is as per the defined SNAT or not, while the packet is traversing out to IPsec!

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

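An added diagnostic helper for the capture check requested above (written for this thread, not code from Sophos or from the posters): it parses `tcpdump -n` lines, counts AP control (2712) and VXLAN (8472) flows by direction, and flags AP traffic aimed at a 169.254.x.x address as well as firewall-to-AP packets whose source is not the expected SNAT IP. The AP IP, SNAT IP and the sample capture lines are assumptions built from the values quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Ports from the thread: 2712 = AP control channel, 8472 = VXLAN data channel ("separate zone").
AP_CONTROL_PORT = 2712
VXLAN_PORT = 8472
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
# Matches "src.sport > dst.dport:" in a `tcpdump -n` line (IPv4 only).
_PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample capture (not from the thread); the IPs are the ones the poster quotes.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 10.101.203.1.8472 > 10.101.103.15.8472: UDP, length 134
12:00:01.050000 IP 10.101.103.15.45120 > 10.101.203.1.2712: Flags [S], seq 0, win 64240, length 0
12:00:01.100000 IP 10.101.103.15.45121 > 169.254.12.34.2712: Flags [S], seq 0, win 64240, length 0
12:00:01.200000 IP 10.101.103.15.8472 > 169.254.12.34.8472: UDP, length 134
12:00:01.300000 IP 10.101.103.15.51000 > 10.101.1.1.53: 1234+ A? example.invalid. (30)
12:00:01.400000 IP 1.2.3.4.8472 > 10.101.103.15.8472: UDP, length 134
"""

def parse_tcpdump(lines):
    """Yield (src_ip, sport, dst_ip, dport) for each line that parses as a packet."""
    for line in lines:
        m = _PKT_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def check_ap_flows(lines, ap_ip, expected_snat_ip):
    """Count AP control/VXLAN flows by direction; flag APIPA peers and a wrong SNAT source."""
    findings = Counter()
    for src, sport, dst, dport in parse_tcpdump(lines):
        ports = {sport, dport}
        if not ports & {AP_CONTROL_PORT, VXLAN_PORT}:
            continue  # unrelated traffic such as DNS
        chan = "vxlan" if VXLAN_PORT in ports else "control"
        if src == ap_ip:
            if ipaddress.ip_address(dst) in APIPA_NET:
                findings[f"ap_to_apipa_{chan}"] += 1  # the symptom described in the thread
            elif dst == expected_snat_ip:
                findings[f"ap_to_snat_{chan}"] += 1
            else:
                findings[f"ap_to_other_{chan}"] += 1
        elif dst == ap_ip:  # firewall -> AP: did sys-traffic-nat pick the expected source?
            key = "snat_ok" if src == expected_snat_ip else "unexpected_src"
            findings[f"fw_to_ap_{chan}_{key}"] += 1
    return dict(findings)

def apipa_symptom_present(findings):
    """True when the AP sends control or VXLAN traffic to a 169.254.x.x address."""
    return any(k.startswith("ap_to_apipa_") for k in findings)
```

Run it on the real capture with `check_ap_flows(open("capture.txt"), "10.101.103.15", "10.101.203.1")`; any `ap_to_apipa_*` count reproduces the symptom from the screenshots, and `fw_to_ap_*_unexpected_src` shows the system NAT is not being applied.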

  • At the SG-UTM, I've seen correct packets from the firewall on port 8472 too. But the traffic from the AP uses an APIPA IP as destination.
    (older screenshot)


    Dirk


  • I am just wondering: Your dump shows the AP to SFOS on UTM right? 

    Who is the 10.101.103.15? If this is the AP, then the UTM seems not to do the IPsec NAT in the tunnel? 

    In your dump above: 

    You can see the 10.101.103.15 talks to 1.2.3.4, which should be the SFOS appliance.

    To me it looks like the AP does not get the right information how to communicate with the AP. 

    BTW: Separate zone and Bridge to VLAN: Why are you building it at the same time? Separate zone over IPsec has the old limitation of VXLAN overhead. Meaning you will have to adjust the MTUs in the end. 


  • Hi Luca,
    thanks for your answer.
    My comments are behind your questions:

    I am just wondering: Your dump shows the AP to SFOS on UTM right?  -- correct

    Who is the 10.101.103.15? If this is the AP, then the UTM seems not to do the IPsec NAT in the tunnel? -- 10.101.103.15 is the AP

    -- The packets from XGS reach the AP with NATed Source-IP (10.101.203.1 is the IP from a XGS-Client-VLAN)

    You can see, the 10.101.103.15 talks to the 1.2.3.4. which should be the SFOS appliance. -- correct

    -- If I use DHCP option 234 with 10.101.203.1, the AP talks to this IP as long as the port is 2712. I can see the full TCP handshake & data transfer. Sometimes I can see packets from 10.101.203.1 to AP:8472 ... but all port 2712 packets from the AP go to an APIPA IP.

    To me it looks like the AP does not get the right information how to communicate with the AP. -- I think you mean "...communicate with the XGS" --- correct, but why?? Port 2712 works correctly ...

    BTW: Separate zone and Bridge to VLAN: Why are you building it at the same time? Separate zone over IPsec has the old limitation of VXLAN overhead. Meaning you will have to adjust the MTUs in the end. -- Bridge to VLAN sends the client to the location LAN, and separate zone sends the guest to the XGS, which provides internet access + hotspot for all locations. (I didn't know how to bridge an isolated guest VLAN over IPsec.)
    -- The VXLAN limitations have not been a problem so far.

    I know that you don't favour "separate zone" or the XGS as a WLAN controller, but it was a unique selling point that convinced many UTM customers. And those who had it would like to continue using it and its possibilities.
    ... and AP6 ... is no better or worse than other AP manufacturers.


    Dirk


  • So in 10 years, I never saw any product in UTM or SFOS behave like this.

    My only guess here is that the interface the firewall is using, for example the Wireless zone, is this 169.254 IP. Because this IP is one of the ipsec0 interfaces.

    What kind of allowed networks do you use in SFOS for wireless?

    About the separate zone: UTM and SFOS have had their MTU problems over the years, as you put a tunnel into a tunnel. Meaning you have to lower MTUs, which also has some problems to deal with.


  • Hi Luca,

    I found the following ... but how to solve it?


    Dirk


  • Just wondering, did you put the VPN zone into allowed networks on the firewall?

    Is there any other zone / interface in the allowed networks? 


  • Yes, the VPN zone is in the allowed networks for WiFi.

    Yes, multiple zones are allowed (LAN, MGMT, RED, VPN).


    Dirk
