
IPSec site to site tunneling not able to see computers on remote side

I have successfully followed the instructions in the following link - https://community.sophos.com/kb/en-us/127030.

I have an indicator in the Site-to-site VPN page where Test IPsec Tunnel B indicates "1 of 1 IPsec SAs established" on the initiator and Test IPsec A with the same message showing.

Unfortunately, I cannot ping or remote desktop to any of my computers on the remote network. When I use the Sophos SSL VPN client, I am able to remote desktop to the desired systems.

The status of the end points show the following:


Test IPSec A: 192.168.xx1.0/24=EXTERNAL_IP_1 <-> EXTERNAL_IP_2=192.168.xx2.0/24

VPN ID: EXTERNAL_IP_1

Test IPsec Tunnel B: 192.168.xx2.0/24=EXTERNAL_IP2 <-> EXTERNAL_IP_1= 192.168.xx1.0/24

VPN ID: EXTERNAL_IP_2


Any suggestions will be appreciated.



  • 2018:10:15-23:49:01 sikanni pluto[14914]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Test IPSec A" address="184.xxx.xxx.xx2" local_net="192.168.xxx.0/24" remote_net="204.xxx.xxx.0/24"


    2018:10:15-23:49:01 bsloffice pluto[7613]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Test IPsec Tunnel B" address="24.xxx.xxx.xx1" local_net="204.xxx.xxx.0/24" remote_net="192.168.xxx.0/24"


    The 2 external addresses (184.xxx.xxx.xx2 and 24.xxx.xxx.xx1) are correct as well as both the declared internal networks.

  • Not sure what I should be looking for in the firewall logs.

    Sorry, a bit of an amateur with the debugging. What should I be looking for? When I attempt RDP to my remote server, no entries appear for the IP that I am trying to query.

  • BTW thanks for the follow up replies

  • Hi NeutralSt8,

    The IPSec log is not needed.
    The packetfilter log is what I meant.

    Best Regards
    DKKDG

  • So I finally got a log entry with the desired IP of the system I am trying to RDP to:

    2018:10:16-10:52:41 sikanni pluto[18794]: "S_Test IPSec A"[4] 24.xxx.xxx.xx1 #23: cannot respond to IPsec SA request because no connection is known for 192.68.38.250/32===184.xxx.xxx.xx2[184.xxx.xxx.xx2]...24.xxx.xxx.xx1[24.xxx.xxx.xx1]===204.xxx.xxx.0/24
    2018:10:16-10:52:41 sikanni pluto[18794]: "S_Test IPSec A"[4] 24.xxx.xxx.xx1 #23: sending encrypted notification INVALID_ID_INFORMATION to 24.xxx.xxx.xx1:500

    to get to this stage, I created a direct definition for the host in the IPSec site-to-site settings. At least I am seeing that UTM is looking for the system.
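The two pluto lines quoted above carry enough information to see why the responder sends INVALID_ID_INFORMATION: the traffic selector proposed by the peer (here a /32 host) has to fall inside one of the networks the connection was configured with. The following Python check is an added example, not code from the thread or from Sophos; it parses a "Site-to-site VPN up" line and a "no connection is known for" line and reports any proposed selector that no configured network covers. The sample lines and addresses are constructed (documentation ranges), modelled on the ones in the post.

```python
import ipaddress
import re

# Constructed sample lines modelled on the pluto output in the thread.
# Addresses are documentation-range placeholders, not real hosts.
VPN_UP = ('2018:10:15-23:49:01 sikanni pluto[14914]: id="2203" severity="info" '
          'sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" '
          'connection="Test IPSec A" address="203.0.113.2" '
          'local_net="192.168.1.0/24" remote_net="198.51.100.0/24"')
NO_CONN = ('2018:10:16-10:52:41 sikanni pluto[18794]: "S_Test IPSec A"[4] 203.0.113.2 #23: '
           'cannot respond to IPsec SA request because no connection is known for '
           '192.68.38.250/32===203.0.113.1[203.0.113.1]...203.0.113.2[203.0.113.2]'
           '===198.51.100.0/24')

# The UTM log sometimes drops the closing quote on remote_net, so stop at
# whitespace or a quote rather than requiring the quote.
VPN_UP_RE = re.compile(
    r'connection="(?P<conn>[^"]+)".*?local_net="(?P<local>[^"\s]+)"?\s+'
    r'remote_net="(?P<remote>[^"\s]+)')
# pluto prints the rejected proposal as left_client===left[id]...right[id]===right_client
NO_CONN_RE = re.compile(
    r'no connection is known for (?P<left>[^=\s]+)===\S+?\.\.\.\S+?===(?P<right>[^=\s]+)')


def parse_vpn_up(line):
    """Return (connection name, local_net, remote_net) or None if not a VPN-up line."""
    m = VPN_UP_RE.search(line)
    if not m:
        return None
    return (m.group('conn'),
            ipaddress.ip_network(m.group('local')),
            ipaddress.ip_network(m.group('remote')))


def parse_no_connection(line):
    """Return the (left_client, right_client) selectors of a rejected SA request, or None."""
    m = NO_CONN_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_network(m.group('left')), ipaddress.ip_network(m.group('right'))


def unmatched_selectors(vpn_up_line, no_conn_line):
    """List proposed selectors (as strings) that lie outside every configured network."""
    _, local_net, remote_net = parse_vpn_up(vpn_up_line)
    configured = (local_net, remote_net)
    return [str(sel) for sel in parse_no_connection(no_conn_line)
            if not any(sel.subnet_of(net) for net in configured)]


if __name__ == "__main__":
    for sel in unmatched_selectors(VPN_UP, NO_CONN):
        print(f"selector {sel} is not covered by the configured networks")
```

On the constructed input the check reports 192.68.38.250/32, which is exactly the kind of mismatch (a host outside local_net and remote_net) that makes the responder reject the request.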

  • So I created another set of connection definitions and my tunnel appears to be working. However, I am still unable to RDP to the system. I can ping my destination from my local UTM using the Tools - Ping Check.

    Where do I go to define the access to the remote computers? Assume my local subnet is 192.168.200.xxx and I am trying to access the remote computers on 192.168.100.xxx?

    I would have thought the definitions described in the Remote Gateway(s) would take care of it .. no?

  • You might try working through #1 in Rulz.

    Please show pictures of the Edits of the Remote Gateway and IPsec Connection from both sides.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yeah, that all looks perfect. If you did #1 in Rulz, then that just leaves a routing issue. When you try to RDP to the server, are you using a numeric IP or a name?

    Cheers - Bob

  • I am using an IP address.

    What I had been attempting to do was to switch over from the SSL VPN client connection to the IPSec site to site. When I turn off the IPSec, I am still able to connect with the SSL client and RDP to the server. When I switch back to the IPSec connection, I am no longer able to RDP to the same system.

    Are there routing settings that will interfere with one connection and not the other?

    I would have assumed that once the connection(s) is made, the routing would be the same.

    I do have some web servers on the Services side (respondent) of the connection that are using the Webserver Protection functions.

    Pretty generic stuff.