Can't connect to IPSEC VPN from my laptop through XG (v18 EAP3) firewall

Screenshot showing that the traffic is not passing on UDP 500 but not being dropped, also successful connection on TCP 443.

Could you perform a conntrack?

conntrack -E | grep 68..... | grep NEW

Start this command (without "time") and try to connect.

It looks like, you NAT Table is doing something with those packets.

So if the firewall is picking up this traffic, you should see in the conntrack the NAT Policy and the firewall policy matching and what is going on.

Not NAT'ing, it's almost like the local charon process is getting it but I don't see anything in that log at all. I do have site to site IPSEC and SSL tunnels but that shouldn't impact this.

I left each of the below commands for 1 minute. There were about 8 connection attempts within each duration.

This might be too much info, but my firewall rule is the top rule for bypassing all filtering:

Details:

NAT:

It really does seem like the packet goes in PortA but then pretty much disappears. It's really odd. 

Try conntrack -L | grep 500    or grep 62.... 

Something establish there? 

Because you already tried a drppkt, and if there is no Drops, then most likely there is a connection but we need to know, where the connection is. 

Again, no loving from that command. I've been working on this for over a week now and I have quite a lot of experience with the XG platform. I've been working with it for about 3 years now and so far this is the most confused I've ever been. 

I did have to modify the "grep" filter. If I filter for just the IP or just 500 I get way too much. Grep -E "dport\=500" also works well for this too. That will trigger on orig-dport=500 and reply-dport=500.

This morning I may call support to see if they can help me at all. First I have to wait until 9am when support cuts over to North America.

I just deployed a Sophos UTM on my network using a unique public IP and unique LAN IP, set up only my work laptop to use that as the default gateway and the VPN connects immediately through that.

This is not a fix for me and I still feel that there is a bug of some sort in the Sophos XG v18 EAP3 device. I just cannot be without my company VPN connection for more than a couple weeks at a time.

Do you have IPsec Remote access enabled on this XG? Tested this on two different appliances, all could access IPsec through XG. 

It is somehow not understandable to me, where those packets went in your scenario.

Maybe Rana Sharma or Apurv Patel could take a look at your setup? 

I do have IPSEC enabled on the device, yes. I use a site to site tunnel (parents house, Cisco ASA 5505) and I also use the Sophos Connect client now.

I tried it on my XG running EAP3 refresh 1, and I am seeing pkts getting forwarded.

08:28:40.813704 Port1, IN: IP 172.16.17.21.53630 > 10.8.9.28.500: isakmp: phase 1 I agg
08:28:40.813789 LW_Br, IN: IP 172.16.17.21.53630 > 10.8.9.28.500: isakmp: phase 1 I agg
08:28:40.814219 Port2_ppp, OUT: IP 10.254.238.194.53630 > 10.8.9.28.500: isakmp: phase 1 ? agg

08:28:41.307615 Port1, IN: IP 172.16.17.21.53630 > 10.8.9.28.500: isakmp: phase 1 I agg
08:28:41.307637 LW_Br, IN: IP 172.16.17.21.53630 > 10.8.9.28.500: isakmp: phase 1 I agg
08:28:41.308130 Port2_ppp, OUT: IP 10.254.238.194.53630 > 10.8.9.28.500: isakmp: phase 1 ? agg

proto=udp proto-no=17 timeout=9 orig-src=172.16.17.21 orig-dst=10.8.9.28 orig-sport=53630 orig-dport=500 packets=3 bytes=168 [UNREPLIED] reply-src=10.8.9.28 reply-dst=10.254.238.194 reply-sport=500 reply-dport=53630 packets=0 bytes=0 mark=0x8001 use=1 id=1637124608 masterid=0 devin=Port1 devout=Port2_ppp nseid=0 ips=1 sslvpnid=0 webfltid=1 appfltid=1 icapid=0 policytype=1 fwid=2 natid=2 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=33 hb_src=0 hb_dst=0 flags0=0x800a0802200008 flags1=0x10020800000 flagvalues=3,21,25,35,41,43,55,87,93,104 catid=0 user=6 luserid=3 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=7c:5a:1c:84:8c:b6 src_mac=38:f9:d3:83:c5:9c startstamp=1579575520 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=33 tlsruleid=0 ips_nfqueue=2 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=31 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=30 sessionid=162 sessionidrev=25625 session_update_rev=0 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED

I am using Sophos Connect as Client.

In case this doesn't fix issue for you we may have to get it investigated. 

Regards,

Alok

Tried same with Cisco AnyConnect client and still I am seeing pkts getting forwarded as expected.

23:11:08.005747 wlnet1, IN: IP 172.16.17.21.500 > 10.8.9.28.500: isakmp: phase 1 I agg

23:11:08.005801 LW_Br, IN: IP 172.16.17.21.500 > 10.8.9.28.500: isakmp: phase 1 I agg

23:11:08.006185 Port2_ppp, OUT: IP 10.254.238.194.500 > 10.8.9.28.500: isakmp: phase 1 ? agg

23:11:11.208774 wlnet1, IN: IP 172.16.17.21.500 > 10.8.9.28.500: isakmp: phase 1 I agg

23:11:11.208782 LW_Br, IN: IP 172.16.17.21.500 > 10.8.9.28.500: isakmp: phase 1 I agg

23:11:11.208901 Port2_ppp, OUT: IP 10.254.238.194.500 > 10.8.9.28.500: isakmp: phase 1 ? agg

-Alok

Tried same with Cisco AnyConnect client and still I am seeing pkts getting forwarded as expected.

23:11:08.005747 wlnet1, IN: IP 172.16.17.21.500 > 10.8.9.28.500: isakmp: phase 1 I agg

23:11:08.005801 LW_Br, IN: IP 172.16.17.21.500 > 10.8.9.28.500: isakmp: phase 1 I agg

23:11:08.006185 Port2_ppp, OUT: IP 10.254.238.194.500 > 10.8.9.28.500: isakmp: phase 1 ? agg

23:11:11.208774 wlnet1, IN: IP 172.16.17.21.500 > 10.8.9.28.500: isakmp: phase 1 I agg

23:11:11.208782 LW_Br, IN: IP 172.16.17.21.500 > 10.8.9.28.500: isakmp: phase 1 I agg

23:11:11.208901 Port2_ppp, OUT: IP 10.254.238.194.500 > 10.8.9.28.500: isakmp: phase 1 ? agg

-Alok