
WIFI "separate zone" didn't work over IPSec

Hi all,

AP configuration works. I am able to remove & add the APs.
APs are recognized and shown as active.
I can see the traffic between AP & XGS on port 2712.
Traffic to port 8472 from firewall to AP is not answered, but I see packets from AP to an APIPA address.
SSIDs with "bridge to AP LAN" or "bridge to VLAN" are working.
With "separate zone" there is no traffic from/to the client.
APs connected directly to XGS or placed behind RED are working.

Network:
AP --- SG-UTM --------- IPSec -------- XGS --- ClientVLan

AP: 10.101.103.15
XGS-Interface at ClientVLAN 10.101.203.1
XGS-Version: SFOS 19.0.5

Packet Capture from SG-UTM:

Greetings,
Dirk



  • I am just wondering: Your dump shows the AP to SFOS on UTM right? 

    Who is the 10.101.103.15? If this is the AP, then the UTM seems not to do the IPsec NAT in the tunnel? 

    In your dump above: 

    You can see, the 10.101.103.15 talks to the 1.2.3.4. which should be the SFOS appliance. 

    To me it looks like the AP does not get the right information how to communicate with the AP. 

    BTW: Separate zone and Bridge to VLAN: Why are you building it at the same time? Separate zone over IPsec has the old limitation of VXLAN overhead. Meaning you will have to adjust the MTUs in the end. 

    __________________________________________________________________________________________________________________

  • Hi Luca,
    thanks for your answer.
    My comments are behind your questions:

    I am just wondering: Your dump shows the AP to SFOS on UTM right?  -- correct

    Who is the 10.101.103.15? If this is the AP, then the UTM seems not to do the IPsec NAT in the tunnel? -- 10.101.103.15 is the AP

    -- The packets from XGS reach the AP with NATed Source-IP (10.101.203.1 is the IP from a XGS-Client-VLAN)

    You can see, the 10.101.103.15 talks to the 1.2.3.4. which should be the SFOS appliance. -- correct

    -- If I use DHCP option 234 with 10.101.203.1, the AP talks to this IP, as long as the port is 2712. I can see the full TCP handshake & data transfer. Sometimes I can see packets from 10.101.203.1 to AP:8472 ... but all port 2712 packets from the AP go to an APIPA IP

    To me it looks like the AP does not get the right information how to communicate with the AP. -- I think you mean "...communicate with the XGS" --- correct, but why?? Port 2712 works correctly ...

    BTW: Separate zone and Bridge to VLAN: Why are you building it at the same time? Separate zone over IPsec has the old limitation of VXLAN overhead. Meaning you will have to adjust the MTUs in the end. -- bridge to VLAN sends the client to the location LAN and separate zone sends the guest to the XGS, which provides internet access + hotspot for all locations. (I didn't know how to bridge an isolated guest VLAN over IPsec)
    -- the VXLAN limitations have not been a problem so far

    I know that you don't favour "separate zone" or the XGS as a WLAN controller, but it was a unique selling point that convinced many UTM customers. And those who had it would like to continue using it and its possibilities.
    ... and AP6 ... is no better or worse than other AP manufacturers.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • So in 10 years, I never saw any product in UTM or SFOS behave like this. 

    My only guess here is, the interface the firewall is using, for example Wireless Zone, is this 169.254 IP. Because this IP is one of the ipsec0 interfaces. 

    What kind of allowed networks do you use in SFOS for wireless?

    About the separate zone: UTM and SFOS have had their MTU problems over the years, as you put a tunnel into a tunnel. Meaning, you have to lower MTUs, which also has some problems to deal with.  

    __________________________________________________________________________________________________________________

  • Hi Luca,

    found the following ... but how to solve?


    Dirk


  • Just wondering, you put VPN zone into allowed networks on the firewall? 

    Is there any other zone / interface in the allowed networks? 

    __________________________________________________________________________________________________________________

  • yes, VPN zone into allowed networks for WiFi

    yes, multiple zones are allowed (LAN, MGMT, RED, VPN)


    Dirk


  • On the SFOS, do you see those packets and are they actually working? Could be, UTM is not sending them through the tunnel. 

    You could try to workaround this by changing the Destination IP to the SFOS LAN IP before the tunnel in UTM and check, if this works. 

    __________________________________________________________________________________________________________________

  • AP-Management/Config (Port 2710) is connected correctly.
    Port 8472 to APIPA-IP is discarded by UTM, so it isn't sent through the tunnel.

    "changing the Destination IP"   .... great idea ... my last attempts didn't work ... but now: the DNAT rule does the trick 

    Thanks a lot !!


    Dirk

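The diagnosis reached in this thread (VXLAN on UDP 8472 addressed to an APIPA IP never matches the IPsec selectors, so the UTM discards it instead of tunnelling it) and the DNAT workaround, modelled as an added Python example that is not from the thread or from Sophos: it parses constructed tcpdump-style lines and shows the 8472 packet being dropped without the rule and forwarded once its destination is rewritten to the SFOS LAN IP. The two tunnel selectors (10.101.103.0/24 and 10.101.203.0/24) and the sample APIPA address 169.254.1.2 are assumptions.

```python
import ipaddress
import re

# Addresses from the thread; the two tunnel selectors are assumptions for this example.
SFOS_LAN_IP = "10.101.203.1"                              # XGS interface on the client VLAN
TUNNEL_LOCAL = ipaddress.ip_network("10.101.103.0/24")    # assumed UTM-side selector (AP LAN)
TUNNEL_REMOTE = ipaddress.ip_network("10.101.203.0/24")   # assumed SFOS-side selector
APIPA = ipaddress.ip_network("169.254.0.0/16")            # link-local, never a tunnel selector
VXLAN_PORT = 8472                                         # data plane for "separate zone"

# Constructed tcpdump-style lines modelled on the capture discussed in the thread.
CAPTURE = """\
IP 10.101.103.15.49152 > 10.101.203.1.2712: Flags [S], length 0
IP 10.101.203.1.2712 > 10.101.103.15.49152: Flags [S.], length 0
IP 10.101.103.15.8472 > 169.254.1.2.8472: UDP, length 78
IP 10.101.203.1.8472 > 10.101.103.15.8472: UDP, length 78
"""
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def parse_capture(text):
    """Return (src, sport, dst, dport) tuples for each 'IP a.b.c.d.p > e.f.g.h.p:' line."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return pkts

def apply_dnat(pkt):
    """Thread's workaround: VXLAN to an APIPA destination is re-addressed to the SFOS LAN IP."""
    src, sport, dst, dport = pkt
    if dport == VXLAN_PORT and ipaddress.ip_address(dst) in APIPA:
        return (src, sport, SFOS_LAN_IP, dport)
    return pkt

def tunnel_decision(pkt):
    """Simplified policy: only src/dst pairs matching the selectors enter the tunnel."""
    s, d = ipaddress.ip_address(pkt[0]), ipaddress.ip_address(pkt[2])
    matches = (s in TUNNEL_LOCAL and d in TUNNEL_REMOTE) or (s in TUNNEL_REMOTE and d in TUNNEL_LOCAL)
    return "forward" if matches else "drop"

def evaluate(text, dnat=False):
    """(dport, final destination, decision) per packet, with or without the DNAT rule."""
    results = []
    for pkt in parse_capture(text):
        pkt = apply_dnat(pkt) if dnat else pkt
        results.append((pkt[3], pkt[2], tunnel_decision(pkt)))
    return results
```

Running `evaluate(CAPTURE)` against `evaluate(CAPTURE, dnat=True)` reproduces the symptom: the port 2712 control traffic passes either way, while the 8472 packet only enters the tunnel after the DNAT rule.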