
IPSec VPN Site to Site is Active, Services set to ANY, but the end computers on both sides are not PINGING each other (SG - XG)

Hi Sophos Community

Good Day

This is the scenario

SG is the branch office and XG is the HQ

The tunnel between SG and XG is active, but you cannot ping any of the end computers on either side. Both parties' firewall rule SERVICES are set to ANY.

ON SG FWALL, please refer to the screenshot.

UNDER XG FWALL, please refer to this.

  • It looks to me as if you're not specifying the networks correctly in your IPSEC settings.  Your Local Subnet and Remote subnet on the XG side only specify one computer on each side - probably your endpoints.  If the SG is the same, then no traffic will flow as no networks have been defined.

    When setting up IPSEC site to site, your Remote Gateway defines the endpoints at each end of the IPSEC connection, but it also defines the networks allowed access through it.  I suggest you check this article...

    https://community.sophos.com/kb/en-us/127030

    • Hi Sir Shaun,

      Good Day

      Correct me if I'm wrong

      - Do you mean on the "REMOTE NETWORKS" both SG and XG will be the NETWORK, not the HOSTS?
            * In my scenario the Remote Networks are the HOSTS on both ends of XG and SG.

      - Summary of WRONG CONFIGURATIONS???
            * Remote Network SG and XG will be Network NOT the HOSTS on both end.

      Gracias Senior

      • Hi Kunkka,

        When you set up an IPSEC site to site VPN you need to define two things.  The first are the two ends of the site to site connection - these are usually the external IPs of the UTMs or Routers that will establish the connection.  The second are the networks at each site that need to transfer traffic across the site to site VPN tunnel you will create.

        For example....

        Site A has a UTM with an external IP of x.x.x.x, and a network of 192.168.1.0/24.

        Site B has a UTM with an external IP of y.y.y.y, and a network of 10.10.10.0/24.

        In your gateway settings on Site A, you setup a gateway connection with a gateway of x.x.x.x, and a remote network of 192.168.1.0/24

        In your gateway settings on Site B, you setup a gateway connection with a gateway of y.y.y.y, and a remote network of 10.10.10.0/24.

        Once established, you'll need to make sure you have firewall access rules on both sides allowing site A's network to talk to Site B's network.

        Hope that makes it a bit clearer.

        • Hi Sir Shaun,

          Good Day

          This SG - XG Scenario is just a laboratory to test the IPSec VPN.

          This is the Actual Scenario. Sophos SG < > Other Firewall - not sure what brand they use

          In SG - which is in the branch Area
          Other Firewall - which is the HQ

          Meanwhile In the HQ side:
                            - They ALWAYS INSIST that the Remote Area will be the HOST IP NOT the NETWORK that's why we mirror the config from the HQ side
                            - They use this setup for all of the IPSec VPN (S2S) connections
                            - FTP connection was successful before but now NO connection between HQ and Branch Office; that's why we try to establish SG to XG just to try the IPSec VPN connection

          That's the Whole Story, Sir.

          Btw Sir, thank you for elaborating your explanation. I much appreciate it.

          Gracias 

          • From what you've told me, I think you need to talk to the tech guys at your head office.  All the IPSEC S2S connections I've done have required remote networks to be entered, so I'm not sure how they intend you to route traffic.  Maybe someone else has encountered this?

        • Kunkka, You're close...

          I'm not familiar with XG, so my specific instructions will concern only WebAdmin and the UTM.  Having said that, your configuration looks correct for the XG side of the tunnel.

          If you want all members of "Internal (Network)" to be able to reach the two IPs behind the XG, DO NOT select 'Strict routing' in the IPsec Connection.   You also will need a NAT rule:

          SNAT : Internal (Network) -> Any -> {Group with two remote hosts} : from {192.168.254.100}

          From your explanation, it doesn't sound like you need/want a similar rule in the XG.

          Note that the "Any" Service only includes TCP and UDP.  It does NOT include any other IP Protocols.  I don't know if the same is true in the XG.

          Pinging is regulated on the 'ICMP' tab of 'Firewall'.  If you still see a ping blocked in the firewall log, you will need to make an Allow rule using the "Ping" service object.

          Cheers - Bob

          Sophos UTM Community Moderator
          Sophos Certified Architect - UTM
          Sophos Certified Engineer - XG
          Gold Solution Partner since 2005
          MediaSoft, Inc. USA
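Both points raised above (Shaun's: each side's remote networks must mirror the peer's local networks, otherwise no traffic is selected into the tunnel; Bob's: the UTM "Any" service covers only TCP and UDP, so ping needs a "Ping" rule) can be checked with a small troubleshooting helper. This is an added example, not Sophos code or the poster's configuration; the selector model, the service table and the sample addresses are constructed from the values quoted in this thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the UTM service objects as described in the thread:
# "Any" covers only TCP and UDP, so ICMP echo needs the "Ping" service object.
SERVICE_PROTOCOLS = {"Any": {"tcp", "udp"}, "Ping": {"icmp"}}


@dataclass
class IpsecSide:
    """Phase-2 selectors one firewall advertises (hypothetical model)."""
    name: str
    local_networks: list   # networks/hosts behind this firewall
    remote_networks: list  # networks/hosts it expects behind the peer


def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def selectors_consistent(a, b):
    """Both ends must mirror each other: A.remote == B.local and vice versa."""
    return (_nets(a.remote_networks) == _nets(b.local_networks)
            and _nets(b.remote_networks) == _nets(a.local_networks))


def tunnel_covers(side, src, dst):
    """Does a src->dst flow fall inside this side's local/remote selectors?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in _nets(side.local_networks))
            and any(d in n for n in _nets(side.remote_networks)))


def service_allows(service, protocol):
    return protocol in SERVICE_PROTOCOLS.get(service, set())


def diagnose_ping(a, b, src, dst, rule_services):
    """Reasons an ICMP echo from src (behind a) to dst (behind b) would fail."""
    problems = []
    if not selectors_consistent(a, b):
        problems.append("selector mismatch between the two sides")
    if not tunnel_covers(a, src, dst):
        problems.append(f"{src}->{dst} is outside {a.name}'s selectors")
    if not tunnel_covers(b, dst, src):
        problems.append(f"{dst}->{src} is outside {b.name}'s selectors")
    if not any(service_allows(s, "icmp") for s in rule_services):
        problems.append("no firewall rule service covers ICMP (Any is TCP/UDP only)")
    return problems
```

Running it with host-only selectors on the SG side (192.168.254.100/32) and a ping from another internal host reproduces the "tunnel up, nothing flows" symptom, while a /24 on the SG side with only the "Any" service leaves just the ICMP problem.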
          • Hi Sir BAlfson,

            Good day

            Can you help me determine what network objects to put in the SNAT Rule under UTM 9?

            Matching Condition

            For traffic from:  192.168.254.100
            Using Service: any
            Going to: 10.10.11.71 and 192.168.100.2

            Action:

            Change the source to: 173.225.x.x
            And the service to: any

            Summary config

            XG Firewall

            Public IP: 119.93.x.x

            Local Hosts: 10.10.11.71 and 192.168.100.2

            SG Fwall

            Pub IP: 173.225.x.x
            Local Host: 192.168.254.100

            Thank you Sir

            • Everything looks correct except:

              Change the source to: 192.168.254.100

              (not 173.225.x.x)

              Cheers - Bob

              Sophos UTM Community Moderator
              Sophos Certified Architect - UTM
              Sophos Certified Engineer - XG
              Gold Solution Partner since 2005
              MediaSoft, Inc. USA
              • Hi Sir BAlfson,

                Good Day

                For traffic from:  192.168.254.100

                is the same as

                and change the source to: 192.168.254.100?

                PS
                Please accept my deepest thanks for accommodating my questions.