Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 38 subscribers
  • Views 92 views
  • Users 1 member is here
Options
Suggested

Sophos firewall IPSec site-to-site with Mikrotik

nauriz

 have two local networks on Sophos firewall, one is 192.168.0.0/24 which is on LAN_P5(physical interface) and other is 10.35.11.0/24 which is on port 5.11(VLAN).
I made an IPSec tunnel with a Mikrotik router, which has a LAN network 192.168.1.0/24.
All policies are the same for both sophos LANs and also there are policies for both LANs on Mikrotik.
The problem:
From Mikrotik I can ping any host on network 10.35.11.0/24, but on network 192.168.0.0/24 I can only ping Sophos address 192.168.0.1, all other addresses are not responding.
If I ping from the Sophos side using ping -a 192.168.0.1 192.168.0.0/24 (any host on this network) the ping is answered.
Here are packet captures from Sophos to ping examples to both Sophos network hosts from Mikrotik.
Ping from 192.168.1.1 (Mikrotik router on other end of ipsec tunnel) to 10.35.11.2

Ping from 192.168.1.1 (Mikrotik router on other end of ipsec tunnel) to 192.168.0.80

Route precedence is set to vpn static sdwan

Tried also setting IPSec route - system ipsec_route add net 192.168.0.0/255.255.255.0 tunnelname IPSec_tunnel

I have no more ideas what to test.



Added TAGs
[edited by: Erick Jan at 7:50 AM (GMT -8) on 15 Jan 2025]
Parents
  • 0

    Hi Nauriz,

    Thank you for reaching out to Sophos Community.

    Kindly check the route to see if it’s passing to the correct route/check the packet via TCPdump/traceroute, and check the IPsec logs.

    Verify the firewall rules for if the packet was dropped/blocked.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Erick Jan

    As I wrote if I ping to network 10.35.11.0/24 every live host replys, if I ping to network 192.168.0.0/24, only 192.168.0.1 replys which is sophos address, firewall rules and IPSec profile and IPSec tunnel settings for both networks are the same. From sophos if I try to ping, then I can ping any host on Mikrotik LAN which is 192.168.1.1/24, so firewall should not be the problem. As it can be seen in image - when I try to ping from Mikrotik LAN to sophos LAN hosts it is trying to do ARP-NDP requests from 192.168.0.80 to 192.168.1.1, even if traffic to 192.168.1.1 must be routed because it is on other end of the tunnel so no ARP lookup should be done.
    For what to look in TCPdump? 

Reply
  • 0 in reply to Erick Jan

    As I wrote if I ping to network 10.35.11.0/24 every live host replys, if I ping to network 192.168.0.0/24, only 192.168.0.1 replys which is sophos address, firewall rules and IPSec profile and IPSec tunnel settings for both networks are the same. From sophos if I try to ping, then I can ping any host on Mikrotik LAN which is 192.168.1.1/24, so firewall should not be the problem. As it can be seen in image - when I try to ping from Mikrotik LAN to sophos LAN hosts it is trying to do ARP-NDP requests from 192.168.0.80 to 192.168.1.1, even if traffic to 192.168.1.1 must be routed because it is on other end of the tunnel so no ARP lookup should be done.
    For what to look in TCPdump? 

Children
No Data
Unfiltered HTML