Sophos UTM - IPv4/IPv6 Issue - IPSec

Hi guys,

I have searched myself silly and don't get anywhere, so I come before you.


A little preface:

We are a small group of companies (headquarter/main company and 2 daughter companies/branches). There are 2 IPSec Site-2-Site tunnels established between the two branches and the headquarter (we, the HQ, are on respond since the branches don't have static IPs yet) - they work on a RDS/Terminal Server in our infrastructure.

We have just the worst WAN connection (Vodafone cable) - atrocious. It's on and off again - major disruptions etc. We are so remote that we don't have any alternatives like fiber (the DSL connection is solely for our VPN connection to the hosted cloud VoIP PBX of Deutsche Telekom), so we are stuck with Vodafone. It wasn't always as bad as now, but I have to provide redundancies now since 3 companies are affected.

I asked our mobile provider for a data plan and they can offer me a LTE data plan with a static, public IPv6 address. According to the sales rep I spoke to, it will allow incoming connections as well, but I need to verify with one of their technicians directly - let's assume it is.


I planned something like this:


I really don't want to establish a full-blown IPv6 network in parallel to the IPv4. I saw here and there some blog posts and comments on the net (and Sophos forum) explaining the translation of IPv6 traffic to IPv4 and vice versa.

How would I realise that on the UTM? With a DNAT rule?

I'm eternally grateful for any input.

Thanks!

  • Hey Bob,

    this is strange - I didn't get any notification that you replied, otherwise I would have answered asap. Since this has grown into a full-blown obsession, I played around with all the settings on the weekend and...


    Now comes the strange part - this only works with the following conditions:


    Branch1 -      Initiate
    Branch1 -      PresharedKey
    Branch1 -      VPN ID type / IP Address

    HQ - Respond 
    HQ - PresharedKey
    HQ - VPN ID Type / IP Address

    Any other constellation (RSA key, switched initiate/respond, VPN ID type hostname) will not work.

    While I'm SO relieved that the sales rep wasn't lying (:D) and it is working, I'm a little confused why it works only with the aforementioned settings. Don't get me wrong - I'm glad it does, but I would rather use RSA than PSK.

    I'm also observing the subnets taking an unusually long time to establish. I suspect the LTE connection (the antenna is inside my office, as mentioned before) - quick ping test from UTM to UTM:

    5 packets transmitted, 2 received, 60% packet loss, time 4022ms

    While the connection itself is established (why only this way needs to be investigated further by me, but that can wait a little), I can't ping through the tunnel. Two questions for you Bob:

    - How can I streamline the performance of the tunnel? Adjusting MTU etc.?
    - Could performance of the tunnel be so bad that I don't get anywhere with ping tests through the tunnel (If I do tracert from both sides, there is only timeout after the first gateway.)? I'm still afraid I have to deploy some kind of routing here, since Branch1 is a dualstack DSL etc. - I have no idea.

    Thanks and best regards,

    Constantin
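Two quick sanity checks for the questions in the post above: how much MTU headroom a tunnel with IPv6 outer packets and IPv4 inner traffic really has, and whether the quoted LTE loss rate alone explains the slow SA setup. This is an added example, not code from the thread or from Sophos; the ESP overhead figures are the standard tunnel-mode layouts for the two cipher suites named in the table (assumed, not read from the UTM policy), and the ping sample is the line quoted in the post.

```python
import re

# ESP tunnel-mode per-packet overhead for two common suites (assumed values from the
# ESP packet layout, not taken from the UTM IPsec policy in use).
ESP_PROFILES = {
    "aes128-cbc/hmac-sha1-96": {"iv": 16, "icv": 12, "block": 16},
    "aes128-gcm": {"iv": 8, "icv": 16, "block": 4},
}
IPV6_HDR = 40    # outer header: the tunnel runs over the IPv6 LTE address
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header
IPV4_HDR = 20    # inner header: the site subnets are IPv4
ICMP_HDR = 8
TCP_HDR = 20

def ipsec_budget(path_mtu, profile="aes128-cbc/hmac-sha1-96"):
    """Largest inner IPv4 packet, largest ping payload and TCP MSS clamp that still
    fit into one ESP packet of path_mtu bytes without fragmentation."""
    p = ESP_PROFILES[profile]
    avail = path_mtu - IPV6_HDR - ESP_HDR - p["iv"] - p["icv"]
    padded = (avail // p["block"]) * p["block"]  # encrypted part is block-aligned
    inner = padded - ESP_TRAILER
    return {
        "inner_packet": inner,
        "ping_payload": inner - IPV4_HDR - ICMP_HDR,  # use as the -s value of ping
        "tcp_mss": inner - IPV4_HDR - TCP_HDR,
    }

PING_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")

def link_quality(ping_output):
    """Parse the summary line ping prints and classify the underlying link."""
    m = PING_SUMMARY.search(ping_output)
    if not m:
        raise ValueError("no ping summary line found")
    sent, received, loss = (int(x) for x in m.groups())
    if loss >= 50:
        verdict = "unusable"   # IKE retransmits will keep failing at this loss rate
    elif loss > 0:
        verdict = "degraded"
    else:
        verdict = "clean"
    return {"sent": sent, "received": received, "loss_pct": loss, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample: the loss figure quoted in the thread and two path MTUs
    print(link_quality("5 packets transmitted, 2 received, 60% packet loss, time 4022ms"))
    for mtu in (1500, 1280):  # 1280 is the IPv6 minimum and the worst case over LTE
        print(mtu, ipsec_budget(mtu))
```

Pinging through the tunnel with a payload above `ping_payload` (plus the "don't fragment" flag) is a direct way to tell an MTU problem from a policy or routing problem.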

  • Almost there, Constantin...

    Do you have 'Support path MTU discovery' selected in the 'Advanced' section of the Remote Gateways?  Are pings then faster?

    I'm glad you found a combination to make it work.  Is either UTM behind a NATting router?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Constantin,

    just curious: why do you use LTE on both ends?

    Kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hey Bob.

    No, before I started to deploy the tunnels etc. I went to Branch1 and put their Zyxel 5501 into bridge mode, letting the UTM PPPoE connect. On our side is the Mikrotik LHG LTE6 antenna also in bridge mode, which gives eth7 ("LTE_Backup" interface) the IPv6 address through DHCP.

    The MTU discovery feature was not activated on both ends - I will test today and post my results.


    @Philipp

    Hi. The LTE connection is only on our side as a backup, if and when that damn Vodafone cable connection fails again. On the branch side we have a regular DSL (dualstack) connection.


    Best regards,

    Constantin

  • Hey Bob,

    I activated the Path MTU Discovery on the Remote Gateways in both UTMs. It did not help at all. When the IPv6 tunnel is up, no pings are going through - I just get timeouts. I thought it might be something with the packetfilter, but the automatic firewall rules are activated on both sides. I did create the IPv6 tunnel the same way as its IPv4 counterpart and the working RDP connection is proof that there is nothing in the way.

    How could I zero in on this problem? Do we have to tcpdump on eth7? I'm not sure what else I could check.

    Thanks and best regards,

    Constantin

  • Hint: maybe it would be much more simple/reliable when not using LTE on BOTH ends?

    What was the reason for doing it like this?

    Kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hi Philipp,

    did you not read my earlier reply? Only on our end (headquarters) is the LTE antenna. In Branch1 there is, as I said before, a regular DSL connection.


    Best regards,

    Constantin

  • OK - I see!

    Kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Did you check the firewall log, Constantin, to see if pings are blocked there?  If they are, see #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    I observed on both sides the Live Log of the firewall and there are no drops of any kind when I try to ping (I also turned off IPS and ATP), only timeout:



    Not sure what else we could do. Can we listen "inside" the tunnel with tcpdump? So we know that the ping at least went into the tunnel?

    Thanks and best regards,

    Constantin