Site-to-site IPsec behaviour

Hi everyone,

I'm experiencing an issue with a site-to-site IPsec VPN between two Sophos firewalls.

  • From Site A, I cannot ping resources at Site B.

  • From Site B, I can successfully ping resources at Site B.

  • However, if I create a linked NAT rule on Firewall A, the issue is resolved.

This makes me wonder—does traffic destined for the remote site go through the default NAT rule by default? This behavior seems to be occurring in version 21, but I don’t recall it happening in previous versions.

Has anyone else encountered this? Any insights into why this might be happening?

Thanks in advance!



Edited TAGs
[edited by: Erick Jan at 12:44 AM (GMT -7) on 31 Mar 2025]
  • is this a new firewall setup?
    the test from A to B - is the source for the test the firewall or a LAN device on A?

    • in such cases I would always use the packet capture tool from the GUI  - this makes it usually very transparent quickly, no need to access CLI.

      • At Site A, I can successfully ping servers at Site B when the traffic originates from the firewall's LAN interface, as expected.

        However, when I attempt to ping from a device at Site A, I can see the traffic being correctly routed through ipsec0. However, on the firewall at Site B, I don’t see any traffic with that source IP.

        I’m looking for some clarification from Sophos, as the firewall at Site B serves as a hub for multiple sites. I was also planning a firmware upgrade since it’s currently running version 19.5.2, but I’ll be addressing this issue with support next week before proceeding.

        • Are you using Route Based or Policy Based? 


          • Hi,

            Kindly share the case ID if you have one. 

            Also, I'll be deleting your other post. For future reference, kindly avoid posting duplicate posts.

            Erick Jan
            Community Support Engineer | Sophos Technical Support

• Sophos Technical Support Case #02343127

              • Hi all,

                Found the issue.

Default SNAT rule had ANY as the outbound interface, causing traffic to the ipsec0 interface to be NAT-ed as well.
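The root cause in the last reply (a masquerade rule whose outbound interface is ANY also matches packets leaving the virtual ipsec0 interface, so the remote firewall only ever sees the WAN address as source) and the two fixes mentioned in the thread (scoping the SNAT rule to the WAN interface, or placing a no-NAT rule for VPN traffic above it, which is what the linked NAT rule in the first post achieves) can be modelled with a small first-match rule evaluator. This is an added illustration, not Sophos code or the poster's configuration: the rule fields, the route table and all addresses (LAN 192.168.1.0/24 at site A, 192.168.2.0/24 at site B, WAN address 203.0.113.10 on Port2) are constructed placeholders.

```python
"""First-match SNAT evaluation modelled for a firewall that routes
site-to-site traffic out of a virtual IPsec interface (ipsec0).

Added example, not Sophos code: rule fields, route table and addresses
are constructed placeholders mirroring the thread's setup."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "Any"


@dataclass(frozen=True)
class NatRule:
    name: str
    src_net: str                 # original source must fall in this network, or ANY
    dst_net: str                 # original destination must fall in this network, or ANY
    out_iface: str               # outbound interface the rule applies to, or ANY
    translate_to: Optional[str]  # new source address, or None for an explicit "no NAT"


# Constructed route table, most specific prefix first: the tunnel is a
# route to the remote LAN via ipsec0, everything else leaves via the WAN port.
ROUTES = [
    (ip_network("192.168.2.0/24"), "ipsec0"),
    (ip_network("0.0.0.0/0"), "Port2"),
]


def egress_interface(dst: str) -> str:
    """Longest-prefix lookup; ROUTES is ordered most specific first."""
    addr = ip_address(dst)
    for net, iface in ROUTES:
        if addr in net:
            return iface
    raise ValueError(f"no route to {dst}")


def _in(value: str, net: str) -> bool:
    return net == ANY or ip_address(value) in ip_network(net)


def apply_snat(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """Return (egress interface, source address the peer sees, matched rule name).

    Rules are evaluated top-down and the first match wins: a no-NAT rule
    placed above a broad masquerade rule shields VPN traffic, while a
    masquerade rule with outbound interface ANY catches it."""
    iface = egress_interface(dst)
    for rule in rules:
        if _in(src, rule.src_net) and _in(dst, rule.dst_net) \
                and rule.out_iface in (ANY, iface):
            return iface, rule.translate_to or src, rule.name
    return iface, src, None


def masquerade_rules_reaching(rules: List[NatRule], iface: str) -> List[str]:
    """Audit helper: names of translating rules that can match traffic leaving iface."""
    return [r.name for r in rules
            if r.translate_to is not None and r.out_iface in (ANY, iface)]


# The state found in the thread: default SNAT with outbound interface ANY.
BROKEN = [NatRule("Default SNAT", "192.168.1.0/24", ANY, ANY, "203.0.113.10")]

# Fix 1: scope the masquerade rule to the WAN interface only.
SCOPED = [NatRule("Default SNAT", "192.168.1.0/24", ANY, "Port2", "203.0.113.10")]

# Fix 2: keep the broad rule but put an explicit no-NAT rule for VPN
# traffic above it (the effect of the linked NAT rule in the first post).
EXEMPTED = [NatRule("No NAT to site B", "192.168.1.0/24", "192.168.2.0/24", ANY, None)] + BROKEN

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("scoped", SCOPED), ("exempted", EXEMPTED)):
        iface, seen, rule = apply_snat(rules, "192.168.1.50", "192.168.2.10")
        print(f"{label:9} LAN host -> site B: leaves {iface}, peer sees src {seen} (rule: {rule})")
    print("rules that masquerade on ipsec0 (broken set):",
          masquerade_rules_reaching(BROKEN, "ipsec0"))
```

The model keys rules on source network rather than on zone, so it does not reproduce the observation that firewall-originated pings worked; its point is the ordering and interface-scoping logic. The audit helper is the check worth running after any NAT change: any translating rule that can match traffic leaving ipsec0 is a candidate for exactly the symptom in this thread, where the GUI packet capture on the hub shows the tunnel traffic arriving with the wrong source address.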