
No Connection through an Site2Site tunnel with IPSec

Good Morning,

I set up an IPsec tunnel between two SG230s a year ago.
For 4 days now, the tunnel has still been established, but there is no traffic going through the tunnel. Everything looks good until I try to get access to the other network.
In the firewall log, I see the allowed packets (from the site where I start the request).
I already set up a new one with automatic firewall rules on both sites, but still have the same problem.

Both devices have the firmware: .9707-5



  • Are there changes within routing?
    Try a traceroute from both locations to the far site.
    Results?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,

    thanks for your reply. Nothing has changed.
    If I have a look at the CLI, I'm able to see outgoing traffic with the right source and destination on both sides. But there is no incoming traffic.
    Traceroute stops at the local Gateway of the Firewall...

  • "Traceroute stops at the local gateway of the firewall..."

    Within traceroute, can you see the default GW of the UTM? If the traffic goes through the tunnel, you should not see the UTM's default GW.

    (or do you see the UTM itself ... the def. GW of this LAN segment)


    Dirk


  • Hallo Nico,

    Do you see anything blocked in the firewall log?  Anything different in the IPsec log compared to a week prior?

    If the name of the IPsec Connection at your site is "Munich"

        cc get_object_by_name ipsec_connection site_to_site 'Munich'|grep \'ref

    That should give something like REF_IpsSitMunich.  Watch the traffic in the tunnel with:

        espdump -n --conn REF_IpsSitMunich -vv

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Balfson

    Nope, everything is fine. This is so damn strange right now.

    I did it and in the CLI, I see the outgoing packets. On both sides. But no incoming packets.

  • Hallo Nico,

    my question again in German (I had completely overlooked that we are in the German forum).

    When you run a traceroute "through the tunnel", do you still see the IP that the UTM uses as its default gateway?

    That would mean the traffic is not going into the tunnel but bypassing it.


    Dirk


  • Hi Dirk,

    My reply was not sent. I don't see it.
    With the command from Balfson I determined that the packets go into the tunnel.

  • Strange...

    And you watched with espdump instead of tcpdump?  Did you try disable/enable of the IPsec Connection on both sides?  Did you try rebooting both UTMs?

    Cheers - Bob

  • Yeah sure :) watched the espdumps on both sides. I already deleted the whole configuration and recreated it. I made a failover on both sides (active - passive)

  • Hi,

    are there any devices with a packet filter or other security functions between the firewalls?

    I'm thinking of provider routers / FritzBox etc.

    Are public IPs bound directly to the SG, or is there port forwarding?


    Dirk

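As an added example (not code from this thread, from Sophos, or from either poster), the two checks the discussion turns on, written in Python: Dirk's point that a traceroute "through the tunnel" must not show the UTM's default gateway, and Bob's espdump comparison, extended to count ESP packets per direction at both sites so that a one-way loss (ESP leaves site A but is never seen at site B) stands out, which is the situation Dirk's last question about filtering devices or port forwarding between the firewalls points at. The public and LAN addresses, the traceroute output and the capture lines are constructed (tcpdump-style text, RFC 5737 documentation ranges); the function names are my own.

```python
"""Tunnel troubleshooting checks, added example.

Check 1: does a traceroute from the LAN show the UTM's default gateway?
         If so, the traffic is routed past the tunnel, not into it.
Check 2: compare ESP packets seen at both sites, per direction, to find
         one-way loss between the two firewalls.
All sample data below is constructed for the example.
"""
import re
from collections import Counter

# Constructed addresses (documentation ranges, not the poster's real ones).
SITE_A_PUBLIC = "198.51.100.10"
SITE_B_PUBLIC = "203.0.113.20"
UTM_A_DEFAULT_GW = "198.51.100.1"   # provider router in front of site A

# Constructed traceroute output from a site-A client towards a site-B host.
TRACEROUTE_OK = """traceroute to 192.168.2.50 (192.168.2.50), 30 hops max
 1  192.168.1.1  0.412 ms
 2  192.168.2.50  23.101 ms
"""
TRACEROUTE_BYPASS = """traceroute to 192.168.2.50 (192.168.2.50), 30 hops max
 1  192.168.1.1  0.398 ms
 2  198.51.100.1  1.204 ms
 3  * * *
"""

# Constructed tcpdump-style ESP lines, as a capture on the external
# interface of each UTM would show them.
SITE_A_DUMP = """10:00:01.000 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0xc1a2b3c4,seq=0x1), length 132
10:00:02.000 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0xc1a2b3c4,seq=0x2), length 132
"""
SITE_B_DUMP = """10:00:01.500 IP 203.0.113.20 > 198.51.100.10: ESP(spi=0xd5e6f708,seq=0x1), length 132
"""

HOP_LINE = re.compile(r"\s*(\d+)\s+(\S+)")
ESP_LINE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)")


def traceroute_bypasses_tunnel(output, utm_default_gw):
    """True if the UTM's upstream default gateway appears as a hop.

    Traffic that enters the IPsec tunnel is encapsulated on the UTM itself,
    so the client never sees the provider-side gateway as a hop.
    """
    hops = [m.group(2) for m in (HOP_LINE.match(l) for l in output.splitlines()) if m]
    return utm_default_gw in hops


def esp_directions(capture):
    """Count ESP packets per (src, dst) pair in a tcpdump-style capture."""
    counts = Counter()
    for line in capture.splitlines():
        m = ESP_LINE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def diagnose_tunnel(dump_a, dump_b, ip_a, ip_b):
    """Compare what each side sends with what the other side receives."""
    a, b = esp_directions(dump_a), esp_directions(dump_b)
    result = {
        "a_out": a[(ip_a, ip_b)], "a_in": a[(ip_b, ip_a)],
        "b_out": b[(ip_b, ip_a)], "b_in": b[(ip_a, ip_b)],
    }
    findings = []
    if result["a_out"] and not result["b_in"]:
        findings.append("ESP leaves A but is not seen at B: check devices/NAT between the firewalls on the A->B path")
    if result["b_out"] and not result["a_in"]:
        findings.append("ESP leaves B but is not seen at A: check devices/NAT between the firewalls on the B->A path")
    if not result["a_out"] and not result["b_out"]:
        findings.append("no ESP sent by either side: traffic is not entering the tunnel (routing/selectors)")
    if not findings:
        findings.append("ESP seen in both directions at both sites")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    print("bypass (ok):", traceroute_bypasses_tunnel(TRACEROUTE_OK, UTM_A_DEFAULT_GW))
    print("bypass (bad):", traceroute_bypasses_tunnel(TRACEROUTE_BYPASS, UTM_A_DEFAULT_GW))
    for line in diagnose_tunnel(SITE_A_DUMP, SITE_B_DUMP, SITE_A_PUBLIC, SITE_B_PUBLIC)["findings"]:
        print("-", line)
```

With the constructed captures, both sites send ESP and neither receives any, which matches what was reported in the thread and narrows the problem to the path between the two public addresses rather than to either UTM's configuration.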