
IPSec V2 connection with 1:2 subnets

Hi,

I want to connect two sites. On one side there is one subnet that is supposed to connect via a pfSense to the other side, which has a Sophos XG with two subnets. Phase 1 is no problem, but only one subnet gets connected.
If I enter "ANY" on the Sophos instead of the two IP host objects, it works. But that can't be the final result.
Who can help me?


Kind regards
Karsten



Added TAGs
[edited by: Erick Jan at 1:34 PM (GMT -7) on 24 Sep 2024]
  • Hi Karsten,

    Thank you for reaching out to Sophos Community.

    I recommend comparing both packets (routes/policy) from the working and non-working hosts. Also, check the pfSense allowed configuration.

    Kindly try to do a packet capture and check the log viewer.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • I'm not familiar with packet captures for IPsec connections, but I copied a part of the IPsec log.


    IPSec_xx-1:  xxx.xxx.xxx.xxx...xxx.xxx.xxx.xxx  IKEv2, dpddelay=30s
    IPSec_xx-1:   local:  [xxx.xxx.xxx.xxx] uses pre-shared key authentication
    IPSec_xx-1:   remote: [xxx.xxx.xxx.xxx] uses pre-shared key authentication
    IPSec_xx-1:   child:  192.168.1.0/24 === 192.168.28.0/24 TUNNEL, dpdaction
    IPSec_xx-2:   child:  192.168.10.0/24 === 192.168.28.0/24 TUNNEL, dpdaction=clear
    Security Associations (4 up, 0 connecting):

    IPSec_xx-1[550787]: ESTABLISHED 23 minutes ago, xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
    IPSec_xx-1[550787]: IKEv2 SPIs: xxxxxxxxxxxxx1dcc_ixxxxxxxxxxxxxxxxx, rekeying in 7 hours
    IPSec_xx-1[550787]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    IPSec_xx-2{17297}: INSTALLED, TUNNEL, reqid 524, ESP SPIs: xxxxxxxxxxxxxxxx
    IPSec_xx-2{17297}: AES_CBC_256/HMAC_SHA2_256_128, 175819 bytes_i, 26430 bytes_o (297 pkts, 22s ago), rekeying in 7 hours
    IPSec_xx-2{17297}: 192.168.10.0/24 === 192.168.28.0/24
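As an added diagnostic example (not code from the post, from Sophos, or from pfSense), the following script reads the status output above in the strongSwan `statusall` layout the log shows, collects the `child:` subnet pairs that are configured, the CHILD_SA traffic-selector lines that are actually installed, and reports which configured pairs have no installed SA covering them. Run over the posted log it flags 192.168.1.0/24 === 192.168.28.0/24 (connection IPSec_xx-1) as configured but not installed, which is exactly the "only one subnet is connected" symptom. The coverage test uses subnet containment, so it goes one step beyond the post: a constructed second sample models the "ANY" setup as a single 0.0.0.0/0 selector and shows why it counts as carrying both LANs. The function and constant names, the `expected` parameter and the second sample are this example's own assumptions.

```python
import re
from ipaddress import ip_network

# Sample status output: the (rejoined) log lines from the post above, with the
# public addresses masked as in the original. Embedded here as test input.
SAMPLE_STATUS = """\
IPSec_xx-1:  xxx.xxx.xxx.xxx...xxx.xxx.xxx.xxx  IKEv2, dpddelay=30s
IPSec_xx-1:   local:  [xxx.xxx.xxx.xxx] uses pre-shared key authentication
IPSec_xx-1:   remote: [xxx.xxx.xxx.xxx] uses pre-shared key authentication
IPSec_xx-1:   child:  192.168.1.0/24 === 192.168.28.0/24 TUNNEL, dpdaction
IPSec_xx-2:   child:  192.168.10.0/24 === 192.168.28.0/24 TUNNEL, dpdaction=clear
Security Associations (4 up, 0 connecting):
IPSec_xx-1[550787]: ESTABLISHED 23 minutes ago, xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
IPSec_xx-1[550787]: IKEv2 SPIs: xxxxxxxxxxxxx1dcc_ixxxxxxxxxxxxxxxxx, rekeying in 7 hours
IPSec_xx-1[550787]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
IPSec_xx-2{17297}: INSTALLED, TUNNEL, reqid 524, ESP SPIs: xxxxxxxxxxxxxxxx
IPSec_xx-2{17297}: AES_CBC_256/HMAC_SHA2_256_128, 175819 bytes_i, 26430 bytes_o (297 pkts, 22s ago), rekeying in 7 hours
IPSec_xx-2{17297}: 192.168.10.0/24 === 192.168.28.0/24
"""

# Constructed (hypothetical) variant of the "ANY" setup the poster describes:
# one child with a 0.0.0.0/0 local selector and one installed CHILD_SA for it.
SAMPLE_STATUS_ANY = """\
IPSec_any:   child:  0.0.0.0/0 === 192.168.28.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec_any[1]: ESTABLISHED 2 minutes ago, xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
IPSec_any{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
IPSec_any{1}: 0.0.0.0/0 === 192.168.28.0/24
"""

# Line shapes taken from the status layout above.
CHILD_CFG = re.compile(r'^(?P<name>[^:\s]+):\s+child:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)')
CHILD_SA = re.compile(r'^(?P<name>[^{\s]+)\{\d+\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$')
IKE_SA = re.compile(r'^(?P<name>[^\[\s]+)\[\d+\]:\s+ESTABLISHED\b')


def parse_status(status_text):
    """Return (configured, installed, ike_up) from statusall-style text.

    configured: {(local, remote): connection name} from 'child:' config lines
    installed:  {(local, remote)} from CHILD_SA traffic-selector lines
    ike_up:     {connection name} that has an ESTABLISHED IKE_SA
    """
    configured, installed, ike_up = {}, set(), set()
    for raw in status_text.splitlines():
        line = raw.strip()
        if m := CHILD_CFG.match(line):
            configured[(m['local'], m['remote'])] = m['name']
        elif m := CHILD_SA.match(line):
            installed.add((m['local'], m['remote']))
        elif m := IKE_SA.match(line):
            ike_up.add(m['name'])
    return configured, installed, ike_up


def covers(installed_ts, wanted_ts):
    """True if an installed selector pair contains the wanted pair, so a broad
    selector such as 0.0.0.0/0 counts as carrying a specific LAN."""
    (il, ir), (wl, wr) = installed_ts, wanted_ts
    try:
        return (ip_network(wl, strict=False).subnet_of(ip_network(il, strict=False))
                and ip_network(wr, strict=False).subnet_of(ip_network(ir, strict=False)))
    except (TypeError, ValueError):  # mixed IPv4/IPv6 or an unparsable selector
        return False


def audit_child_sas(status_text, expected=None):
    """Report which expected subnet pairs have no installed CHILD_SA covering them.

    expected: iterable of (local, remote) pairs; defaults to the 'child:' lines
    found in the status text itself.
    """
    configured, installed, ike_up = parse_status(status_text)
    wanted = list(expected) if expected is not None else list(configured)
    missing = [ts for ts in wanted if not any(covers(i, ts) for i in installed)]
    return {
        "ike_up": sorted(ike_up),
        "installed": sorted(installed),
        "missing": missing,
        "missing_connections": sorted({configured.get(ts, "?") for ts in missing}),
    }


if __name__ == "__main__":
    lans = [("192.168.1.0/24", "192.168.28.0/24"), ("192.168.10.0/24", "192.168.28.0/24")]
    for label, text in (("post", SAMPLE_STATUS), ("ANY variant", SAMPLE_STATUS_ANY)):
        r = audit_child_sas(text, expected=lans)
        print(f"{label}: IKE up={r['ike_up']} installed={r['installed']} "
              f"missing={r['missing']} ({r['missing_connections']})")
```

The script only reads the status text, so it is safe to run against a saved copy of the log viewer output; an IKE_SA that is ESTABLISHED while one child pair is listed under "missing" points at a CHILD_SA/traffic-selector mismatch rather than at Phase 1, which matches the suggestion above to compare the policy on both ends for the working and non-working subnet.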