
RADIUS over IPSec Site-to-Site


I've been bashing my head against this issue for a few days and finally need to ask for some help. I have a network created in AWS which uses a Sophos UTM for all connections into the VPC. I'm not using the AWS VPN Tunnel for VPC.

The Sophos is connected to our SonicWall in the HQ using a Site-To-Site IPSec tunnel and all connections are up on both sides. Traffic is flowing no problem. The issue occurs when I try to send RADIUS authentication traffic from the HQ to the VPC in AWS through Sophos. I cannot see any traffic on the Sophos side.


I created a SNAT rule on the Sophos. The Firewall Logs show the traffic hit the Firewall. But still no traffic hitting the Server through Sophos.


Note: If I connect the AWS tunnel to my firewall in the HQ the RADIUS traffic works... it's only when going through the Sophos.

  • Are you certain that that doesn't overlap with "Internal (Network)," Mike?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, they don't. The network internal is 10.0.x.x and the VPC is 10.100.x.x. As mentioned earlier, traffic is flowing between both networks and connectivity is good. The only thing that stopped working when I introduced the Sophos was the RADIUS authentication traffic. This is where I'm stumped at the moment.

  • It has to be a routing problem, Mike, so I think you're stuck with using tcpdump and espdump.

    To use espdump, you first need to know the REF of the IPsec Connection object.  Say the name assigned to it was "Home Office."  Run the following as root at the command line:

    cc get_object_by_name 'ipsec_connection' 'site_to_site' 'Home Office'|grep 'ref'

    If that returns REF_IpsSitHomeOffice, watch traffic in the tunnel with:

    espdump -n --conn REF_IpsSitHomeOffice -vv

    Any luck?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
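The two-step lookup Bob describes (find the REF of the IPsec connection object, then watch the tunnel with espdump) can be scripted so the REF does not have to be copied by hand, and paired with a tcpdump filter that isolates RADIUS rather than all tunnel traffic. The script below is an added example, not code from the thread or from Sophos. It assumes that `cc get_object_by_name` prints a Perl-style hash containing a line of the form `'ref' => 'REF_...'` (the sample output is constructed for offline testing, not captured from a UTM), and it relies on the standard RADIUS ports UDP 1812 (authentication) and 1813 (accounting). Note that on an ordinary Linux host `cc` is the C compiler, so the lookup only makes sense on the UTM itself.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos.
# Assumption: `cc get_object_by_name ...` on the UTM prints a Perl-style hash
# with a line such as   'ref' => 'REF_IpsSitHomeOffice',

# Pull the REF_... token out of cc output supplied on stdin.
extract_ref() {
    sed -n "s/.*'ref' *=> *'\(REF_[A-Za-z0-9_]*\)'.*/\1/p" | head -n 1
}

# Resolve a site-to-site IPsec connection's display name to its REF.
# Must run as root on the UTM: elsewhere `cc` is the C compiler, not confd.
ipsec_ref_for() {
    cc get_object_by_name 'ipsec_connection' 'site_to_site' "$1" | extract_ref
}

# Command line that shows decrypted traffic inside the tunnel for one REF.
espdump_cmd() {
    printf 'espdump -n --conn %s -vv\n' "$1"
}

# Command line that captures only RADIUS (UDP 1812 auth, 1813 accounting) on
# an interface, optionally limited to the RADIUS server address. Running it on
# the LAN-facing and tunnel-facing interfaces shows whether the SNATed packets
# ever leave the UTM toward the server.
radius_tcpdump_cmd() {
    iface="$1"
    server="$2"
    if [ -n "$server" ]; then
        printf "tcpdump -ni %s 'udp and (port 1812 or port 1813) and host %s'\n" "$iface" "$server"
    else
        printf "tcpdump -ni %s 'udp and (port 1812 or port 1813)'\n" "$iface"
    fi
}

# Constructed sample of cc output so the parser can be exercised offline.
SAMPLE_CC_OUTPUT="{
    'class' => 'ipsec_connection',
    'data' => {
        'name' => 'Home Office',
        'status' => 1
    },
    'ref' => 'REF_IpsSitHomeOffice',
    'type' => 'site_to_site'
}"

# Parse the constructed sample; returns REF_IpsSitHomeOffice.
sample_ref() {
    printf '%s\n' "$SAMPLE_CC_OUTPUT" | extract_ref
}
```

On the UTM you would run `REF=$(ipsec_ref_for 'Home Office')`, then execute the output of `espdump_cmd "$REF"` in one shell and `radius_tcpdump_cmd eth0 <radius-server-ip>` (hypothetical interface and address) in another; RADIUS requests visible in the tcpdump on the inside interface but absent from the espdump output point at routing or NAT on the UTM rather than at the server.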