
IPSEC site-to-site VPN connects but no traffic passes

Hi!

We've updated two of our Cyberoams to the new Sophos XG firewall firmware and are trying to create an IPsec VPN site-to-site tunnel. I've read and followed a lot of the posts and guides after I couldn't figure out why it is not passing traffic through. The VPN tunnel says it is up, but no traffic passes.

The main unit is a CR100iNG (SFOS 16.05.4 MR-4) and the remote office unit is a CR15wiNG (SFOS 16.05.5 MR-5).

Would I be able to get some assistance setting the tunnel up?

Thanks!

Brad.



  • Thanks!

    Still no traffic.

  • Hey,

    I had the same issue when I upgraded existing Cyberoam devices to Sophos-OS. You have to add the IPsec routes manually using the console.

    https://kb.cyberoam.com/default.asp?id=2311&SID=&Lang=1&hglt=route+ipsec

    On that link, scroll all the way down and it shows how to add the routes using the console. But instead of cyberoam, type system.

    Also there are a few topics on this forum that show how to do it. If you search for "adding ipsec routes" you might find more info.

  • We shared a connection and I had a look at Brad's configuration. Here are the steps:

    1. Check the routing table using the command route -n from the advanced shell.
    2. If the remote network is not there, you have to proceed with step 3 (an existing entry looks like: 192.168.105.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0)
    3. Go to the console and check if the ipsec_route is there: system ipsec_route show
    4. If the output of step 3 does not contain the remote network, then add the route manually: system ipsec_route add net 192.168.12.0/255.255.255.0 tunnelname "tunnelname configured from GUI"
    5. Check if you can ping the remote network from both sides. If ping does not work, you have to force the IP used when the traffic goes out using the command in step 6.
    6. set advanced-firewall sys-traffic-nat add destination 192.168.12.0 netmask 255.255.255.0 snatip "XG LAN IP of where you are launching the commands"
    7. Repeat the same steps, if necessary, on the other side by adjusting the IP and SNAT IP.
    8. Ping should work now! Make sure ping is enabled on the VPN zone from Administration > Device Access.
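
A small helper for steps 1 to 6 above, added here as an example and not taken from the thread or from Sophos: it parses route -n output for an ipsec0 entry covering the remote network and, when the entry is missing, prints the two console commands from steps 4 and 6 with the values filled in. The routing table, tunnel name and SNAT address below are constructed placeholders.

```shell
# Constructed sample of `route -n` output from the XG advanced shell (not real device output).
# Remote network 192.168.105.0/24 is already routed via ipsec0; 192.168.12.0/24 is not.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 PortB
192.168.105.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 PortA'

# has_ipsec_route NET MASK [TABLE]
# Returns 0 if NET/MASK has a route via ipsec0 in TABLE (step 1/2 check).
# On a real device pass "$(route -n)" as the third argument; the sample is the default.
has_ipsec_route() {
    net="$1"; mask="$2"; table="${3:-$SAMPLE_ROUTE_TABLE}"
    # Columns of route -n: Destination Gateway Genmask Flags Metric Ref Use Iface
    printf '%s\n' "$table" | awk -v net="$net" -v mask="$mask" \
        '$1 == net && $3 == mask && $8 == "ipsec0" { found = 1 } END { exit !found }'
}

# ipsec_route_fix_commands NET MASK TUNNELNAME SNATIP
# Prints the console commands from steps 4 and 6 for a remote network with no route.
ipsec_route_fix_commands() {
    net="$1"; mask="$2"; tunnel="$3"; snat_ip="$4"
    printf 'system ipsec_route add net %s/%s tunnelname "%s"\n' "$net" "$mask" "$tunnel"
    printf 'set advanced-firewall sys-traffic-nat add destination %s netmask %s snatip "%s"\n' \
        "$net" "$mask" "$snat_ip"
}

# check_remote_network NET MASK TUNNELNAME SNATIP
# One-line verdict, followed by the commands to run if the route is missing.
check_remote_network() {
    if has_ipsec_route "$1" "$2"; then
        echo "route to $1/$2 via ipsec0 present; continue with the ping test (step 5)"
    else
        echo "route to $1/$2 missing; run on the XG console:"
        ipsec_route_fix_commands "$1" "$2" "$3" "$4"
    fi
}

# Placeholder values: tunnel name as configured in the GUI and the XG LAN IP of this side.
check_remote_network 192.168.12.0 255.255.255.0 "BranchTunnel" 192.168.1.1
```

Step 7 is the same check run on the far side with that side's network and LAN IP as arguments.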

  • Thank you for your help today!
    Now I can continue upgrading all of our Cyberoams with the new Sophos XG Firewall firmware.