
IPSec site2site tunnel routing issues

Hi,

I already set up several IPSec tunnels on Sophos XG, but this time it doesn't work. The two green lights show up and the tunnel seems to be up, because the remote site (Fortigate FW) can ping our domain controller. A ping to the server on the remote site fails.

"system ipsec_route show" showed no routes, so I set up one:

tunnelname host/network netmask
plusserver 172.16.0.0 255.255.255.0

Doing a traceroute stops at the first provider router. I also configured SNAT:

set advanced-firewall sys-traffic-nat add destination 172.16.0.0 netmask 255.255.255.0 snatip 192.168.0.254

Local Site:

Network: 192.168.0.254/16

Remote Site:

Network: 172.16.0.0/24

Thank you in advance!

  • Ludwig,

    try to recreate the Site-to-Site VPN. Make sure LAN to VPN and VPN to LAN firewall rules exist.

    I had an issue with VPN where one network was not working and the problem was a "ghost route" inside the XG table. Use route -n from the advanced shell and check the routing table before re-creating the tunnel again.

    Regards

  • Hi,

    thanks for the reply! I already recreated the tunnel, but no improvements. Here is the output:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.81.234.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
    10.255.0.0      0.0.0.0         255.255.255.0   U     0      0        0 GuestAP
    172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
    172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 Port8
    185.19.198.0    0.0.0.0         255.255.254.0   U     0      0        0 Port2
    192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 Port1

    Best regards

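As an added example (not code from the thread or from Sophos), this script parses the `route -n` table posted above and performs a longest-prefix lookup, so you can confirm whether a remote host such as 172.16.0.10 would actually be sent into ipsec0 rather than out of another port or to no route at all. The table text is a constructed copy of the posted output; the host addresses are assumptions.

```python
import ipaddress

# Constructed copy of the `route -n` output posted in the thread, used as sample input.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.81.234.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.255.0.0      0.0.0.0         255.255.255.0   U     0      0        0 GuestAP
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 Port8
185.19.198.0    0.0.0.0         255.255.254.0   U     0      0        0 Port2
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 Port1
"""


def parse_routes(text):
    """Parse `route -n` output into a list of (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        # Data rows have 8 columns and start with a dotted-quad; skip title and header.
        if len(cols) != 8 or not cols[0][0].isdigit():
            continue
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[7]
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: return (iface, gateway) for dst, or None if no route covers it."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[2], best[1])


def check_tunnel_paths(text, remote_hosts, tunnel_iface="ipsec0"):
    """Map each remote host to True if the kernel table would send it into the tunnel."""
    routes = parse_routes(text)
    result = {}
    for host in remote_hosts:
        hit = lookup(routes, host)
        result[host] = hit is not None and hit[0] == tunnel_iface
    return result


if __name__ == "__main__":
    # Assumed remote hosts: one inside the tunnel's /24, one in the neighbouring Port8 subnet.
    print(check_tunnel_paths(ROUTE_TABLE, ["172.16.0.10", "172.16.1.10"]))
```

If a remote host resolves to None (as any Internet address does with this table, which shows no default route), traffic for it is not being steered into the tunnel by the kernel table at all, which matches the traceroute stopping at the provider router.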