I have two Sophos XG firewalls (these are both the free "for home" software appliances) and a third Palo Alto firewall that I am attempting to connect using site-to-site IPSEC tunnels. Although it appears that I've got the tunnels up and working, I'm having trouble getting any traffic to pass through the tunnels.
I'm attempting to get the connectivity between the two Sophos XG firewalls first, as it seems that connecting two of the same device should be straightforward and neatly avoid any interop/compatibility snafus. The IPSEC tunnel is showing two green lights - active and connected. The tunnel is configured as site to site with a preshared key, and I've confirmed that the local/remote networks match. The Phase 1 encryption in the policy is AES256/SHA2 256; phase 2 is AES256/SHA2 512.
I believe the tunnel itself is operational; 'show vpn connection status' within the CLI gives this (I've changed the IPs to protect the innocent):
"RemoteSiteA-1": 10.10.35.0/24===9.100.0.2---9.100.0.1...9.200.0.2===10.0.64.0/24; erouted; eroute owner: #188
"RemoteSiteA-1": srcip=unset; dstip=unset;
"RemoteSiteA-1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
"RemoteSiteA-1": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+failureDROP; prio: 24,24; interface: Port3; encap: esp;
"RemoteSiteA-1": dpd: action:restart; delay:30; timeout:120;
"RemoteSiteA-1": newest ISAKMP SA: #187; newest IPsec SA: #188;
"RemoteSiteA-1": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)-MODP2048(14); flags=strict
"RemoteSiteA-1": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
"RemoteSiteA-1": IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048
"RemoteSiteA-1": ESP algorithms wanted: AES(12)_256-SHA2_512(7); flags=strict
"RemoteSiteA-1": ESP algorithms loaded: AES(12)_256-SHA2_512(7); flags=strict
"RemoteSiteA-1": ESP algorithm newest: AES_256-HMAC_SHA2_512; pfsgroup=<Phase1>
#188: "RemoteSiteA-1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2080s; newest IPSEC; eroute owner
#188: "RemoteSiteA-1" esp.ca60b0ca@9.200.0.2 esp.a24bd723@9.100.0.2 comp.9d2f@9.200.0.2 comp.7886@9.100.0.2 tun.0@9.200.0.2 tun.0@9.100.0.2
#187: "RemoteSiteA-1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27279s; newest ISAKMP; lastdpd=18s(seq in:719 out:0)
The event logs in the GUI appear to indicate success, as well:
packet from 9.200.0.2:500: "RemoteSiteA-1" DPD: Dead peer detection enabled
IPSec Connection RemoteSiteA-1 between 10.10.35.0/24 and 10.0.64.0/24 established.
packet from 9.200.0.2:500: RemoteSiteA-1 EST-P2: Responding to a Phase-2 establishment request with message id 8e984811
packet from 9.200.0.2:500: "RemoteSiteA-1" DPD: Dead peer detection enabled
packet from 9.200.0.2:500: RemoteSiteA-1 EST-P1-MM peer id is ID_IPV4_ADDR: '9.200.0.2'
packet from 9.200.0.2:500: NAT-T :No NAT device detected between Local Server and Remote Server
"RemoteSiteA-1" EST-P1-MM: Responding to establishment request from peer
"RemoteSiteA-1" activation: Activated Successfully
packet from 9.200.0.2:500: RemoteSiteA-1 SA-MGT: Peer requested to delete Phase-1 SA. Deleting ISAKMP state 185
IPSec Connection RemoteSiteA-1 between 10.10.35.0/24 and 10.0.64.0/24 terminated.
packet from 9.200.0.2:500: RemoteSiteA-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 186
Both sides have any/any LAN -> VPN and VPN -> LAN firewall rules in place.
According to the knowledge base article on the topic (https://community.sophos.com/kb/en-US/123320), this configuration is all that is needed to establish this connection. The XG devices are at this point expected to automatically handle any routing necessary to facilitate passing of traffic across this link.
But it's not working - I cannot get valid responses back from either side.
A few other observations based on my troubleshooting:
- For completeness, I have double-confirmed that all traffic is reaching the XG as expected. It is the egress firewall for both sites. There are no routing loops on either side. As I mentioned above, I've got any/any rules for VPN <-> LAN on both sides.
- There's no way to add static routes to 'force' traffic to the ipsec tunnel via the GUI, as the static route configuration page in the GUI only lists the physical ports (Port1, Port2, Port3, etc).
- On a lark, I successfully established a GRE tunnel between these firewalls (and passed traffic!) but couldn't get the GRE tunnel to use the IPSEC tunnel. While this serves to confirm that there are no other barriers in the way (such as software firewalls, or other IP configuration problems), encapsulated-but-unencrypted traffic over the WAN is mildly horrifying.
- There are a few CLI options that I've toggled back and forth, but they haven't made any apparent changes.
'system diagnostics utilities route lookup <ip>' is the nearest thing that I've been able to locate to a routing table; when the GRE tunnel is up, it reports '<ip> is located on the gre, <ip> is not behind a router.'
With just the IPSEC tunnel up, it reports '<ip> is located on the Port3, <ip> is reached through the router 9.100.0.1'. In this case, Port 3 is WAN and the router listed is my next-hop.
I used the command 'system ipsec_route add net 10.0.64.0/255.255.255.0 tunnelname RemoteSiteA' to add what appears to be a static route (on both ends). This does change the output of the route lookup command ('<ip> is located on ipsec0, <ip> is not behind a router') but traffic still does not pass.
- I've confirmed the route_precedence is 1.) VPN, 2.) Static.
- Using the packet capture utility, I’m able to see ICMP traffic from either side of the tunnel. The entries list the expected private source/destination IP address, and the out interface is listed as ipsec0. It lists the correct rule ID for the ANY/ANY rule, and a status of “Forward…”, but the ping gets a request timeout.
Any ideas? Thanks in advance for any help!
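To make the 'show vpn connection status' output quoted above easier to reason about, here is an added example (not code from the original post or from Sophos) that parses that output into a structured summary and reports whether the IKE and IPsec SAs are established, whether the policy is installed ("erouted"), and whether the negotiated traffic selectors match the subnets you intended. The sample input is the poster's own anonymised output; the field names, the `diagnose()` checks and the `expected_local`/`expected_remote` parameters are assumptions of this example, and the line formats it recognises are only those visible in the post.

```python
import re

# Constructed sample input: the 'show vpn connection status' output quoted in the post
# (the poster's anonymised addresses, kept verbatim).
STATUS_OUTPUT = """\
"RemoteSiteA-1": 10.10.35.0/24===9.100.0.2---9.100.0.1...9.200.0.2===10.0.64.0/24; erouted; eroute owner: #188
"RemoteSiteA-1": srcip=unset; dstip=unset;
"RemoteSiteA-1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
"RemoteSiteA-1": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+failureDROP; prio: 24,24; interface: Port3; encap: esp;
"RemoteSiteA-1": dpd: action:restart; delay:30; timeout:120;
"RemoteSiteA-1": newest ISAKMP SA: #187; newest IPsec SA: #188;
"RemoteSiteA-1": ESP algorithm newest: AES_256-HMAC_SHA2_512; pfsgroup=<Phase1>
#188: "RemoteSiteA-1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2080s; newest IPSEC; eroute owner
#188: "RemoteSiteA-1" esp.ca60b0ca@9.200.0.2 esp.a24bd723@9.100.0.2 comp.9d2f@9.200.0.2 comp.7886@9.100.0.2 tun.0@9.200.0.2 tun.0@9.100.0.2
#187: "RemoteSiteA-1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27279s; newest ISAKMP; lastdpd=18s(seq in:719 out:0)
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# local_net===local_gw---next_hop...remote_gw===remote_net; erouted; eroute owner: #N
TOPOLOGY_RE = re.compile(
    rf'^"(?P<name>[^"]+)": (?P<local>[^=\s]+)===(?P<local_gw>{IP})---(?P<next_hop>{IP})'
    rf'\.\.\.(?P<remote_gw>{IP})===(?P<remote>[^;]+); (?P<routing>\w+); eroute owner: #(?P<owner>\d+)'
)
POLICY_RE = re.compile(r"policy: (?P<flags>[^;]+); prio: [^;]+; interface: (?P<iface>[^;]+); encap: (?P<encap>[^;]+);")
NEWEST_RE = re.compile(r"newest ISAKMP SA: #(?P<ike>\d+); newest IPsec SA: #(?P<ipsec>\d+);")
LIFE_RE = re.compile(r"ike_life: (?P<ike>\d+)s; ipsec_life: (?P<ipsec>\d+)s")
DPD_RE = re.compile(r"dpd: action:(?P<action>\w+); delay:(?P<delay>\d+); timeout:(?P<timeout>\d+);")
# Per-SA state lines: '#188: "name":500 STATE_QUICK_R2 (IPsec SA established); ...'
STATE_RE = re.compile(r'^#(?P<sa>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]+)\)')


def parse_connection_status(text):
    """Turn the CLI dump for one connection into a dict (assumed field names)."""
    conn = {"states": {}, "flags": []}
    for line in text.splitlines():
        line = line.strip()
        if m := TOPOLOGY_RE.match(line):
            for key in ("name", "local", "local_gw", "next_hop", "remote_gw", "remote", "routing"):
                conn[key] = m.group(key)
            conn["eroute_owner"] = int(m.group("owner"))
        elif m := POLICY_RE.search(line):
            conn["flags"] = m.group("flags").split("+")
            conn["interface"] = m.group("iface")
            conn["encap"] = m.group("encap")
        elif m := NEWEST_RE.search(line):
            conn["newest_isakmp_sa"] = int(m.group("ike"))
            conn["newest_ipsec_sa"] = int(m.group("ipsec"))
        elif m := LIFE_RE.search(line):
            conn["ike_life_s"] = int(m.group("ike"))
            conn["ipsec_life_s"] = int(m.group("ipsec"))
        elif m := DPD_RE.search(line):
            conn["dpd"] = {"action": m.group("action"), "delay": int(m.group("delay")),
                           "timeout": int(m.group("timeout"))}
        elif m := STATE_RE.match(line):
            conn["states"][int(m.group("sa"))] = (m.group("state"), m.group("desc"))
    return conn


def tunnel_is_up(conn):
    """True when the newest IKE and IPsec SAs are established and the policy is installed."""
    ike_desc = conn["states"].get(conn.get("newest_isakmp_sa"), ("", ""))[1]
    ipsec_desc = conn["states"].get(conn.get("newest_ipsec_sa"), ("", ""))[1]
    return ("ISAKMP SA established" in ike_desc
            and "IPsec SA established" in ipsec_desc
            and conn.get("routing") == "erouted")


def diagnose(conn, expected_local, expected_remote):
    """Return a list of findings about the tunnel relative to the subnets you intended to connect."""
    findings = []
    if tunnel_is_up(conn):
        findings.append("IKE and IPsec SAs established and policy installed (erouted); "
                        "a timeout now points at routing or firewall rules, not negotiation")
    else:
        findings.append("tunnel not fully established: check the IKE/IPsec SA states")
    if conn.get("local") != expected_local or conn.get("remote") != expected_remote:
        findings.append(f"selector mismatch: tunnel carries {conn.get('local')} <-> {conn.get('remote')}, "
                        f"expected {expected_local} <-> {expected_remote}")
    if "COMPRESS" in conn["flags"]:
        findings.append("IPComp (COMPRESS) is negotiated on this tunnel; both peers must agree on it")
    if "PFS" in conn["flags"]:
        findings.append("PFS is enabled for phase 2; the DH group must match on both peers")
    return findings


if __name__ == "__main__":
    summary = parse_connection_status(STATUS_OUTPUT)
    for finding in diagnose(summary, "10.10.35.0/24", "10.0.64.0/24"):
        print("-", finding)
```

Run it against a pasted status dump with the subnets you configured on each side; a selector mismatch or a missing "established" state is a negotiation problem, whereas a clean report (as for the output above) means the SAs are fine and the missing traffic has to be chased in routing, NAT and firewall rules instead.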