IPsec VPN packet not routed

Hello,

Good day and thanks for reaching out to Sophos Community.

Could you verify if the firewall rule for the VPN is on top the Lan->Wan rule? Could you also verify if VPN routes priority is higher than default/static routes? 

Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Hello,

>>Could you verify if the firewall rule for the VPN is on top the Lan->Wan rule?

The rule are on the top

>>could you also verify if VPN routes priority is higher than default/static routes?

sorry but on my old utm I don't know how I can see the VPN routes

If I execute the "route" command the result is
"10.6.4.21       *               255.255.255.255 UH    0      0        0 eth2"

where 10.6.4.21 is the remote ip and the eth2 is the external interfaces

Hello,

>>Could you verify if the firewall rule for the VPN is on top the Lan->Wan rule?

The rule are on the top

>>could you also verify if VPN routes priority is higher than default/static routes?

sorry but on my old utm I don't know how I can see the VPN routes

If I execute the "route" command the result is
"10.6.4.21       *               255.255.255.255 UH    0      0        0 eth2"

where 10.6.4.21 is the remote ip and the eth2 is the external interfaces

Hello thanks for this. Could you share your VPN configuration screenshot? Also, is this behavior happening to all end machines on the network? or just specific ones?

Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

>>Also, is this behavior happening to all end machines....

The vpn is only for one machine on the remote side and only one machine on the local side

Automatic filrewall rules is unchecked but I've configured manualy the rules;

another info; the output of command "ip route show table 220" is empty

Best regards

Hello thanks for these details. does you manual configured rule have a vice-versa rule. E.g. HO network->BO Network and BO Network-> HO Network

Could you try configuring an automatic rule and see if it will work.

Many thanks for your time and patience and thank you for choosing Sophos.

Cheers,

Hello, yes I have configured all necessary rules. I have tried also with automatic rules but the results is the same.

If I do a tracert to the remote host my tracert is stopping to my external interface

mailshield:/home/login # traceroute 10.6.4.21
traceroute to 10.6.4.21 (10.6.4.21), 30 hops max, 40 byte packets using UDP
 1  mailshield.exent.it (91.231.179.61)(H!)  3001.003 ms (H!)  2999.902 ms (H!)  2998.795 ms

where 10.6.4.21 is the remote host and 91.231.179.61 is my External interface

Best regards

Hello malachite ,

Thank you for this. Does the traffic also experience the same issue when it is initiated from the other end? 

Also, could you configure a No Nat configuration on the UTM side: https://docs.sophos.com/nsg/sophos-utm/utm/9.7/help/en-us/Content/utm/utmAdminGuide/NetProtNATNAT.htm?Highlight=no%20nat

NO NAT: Host IPv4 Address of the Machine, Service: Any, Going to: UTM Interface - using IPsec 

Many thanks for your time and patience and thank you for choosing Sophos

Cheers,