
Help! IPSec Site-to-Site is doing my head in!

I've been going through every snippet about this subject I can find, but no answer as of yet. It's doing my head in, and my customer is starting to complain. :-(

Situation:

I need to set up a site-to-site VPN between our datacenter (which is protected by the UTM) and a site of a client, which uses a Draytek Vigor 2960 router/firewall.

UTM: 172.17.0.0/20
Draytek: 172.16.1.0/24

IPSec VPN is set up, connects without problems, all very well so far. But not a single byte of traffic goes through. On the Draytek I can see traffic entering the tunnel, but 0 packets come back. On the UTM, I don't have a virtual interface I can check, but tcpdump sees no packets coming in.

Since the tunnel itself is ok, and I don't see any issues at the Draytek end (firewall is open, routes are created fine, traffic enters the tunnel), I started to focus on the UTM. I tried automatic and manual firewall rules, with no result. After some further digging, I see that strongswan has created this route on the UTM:

172.16.1.0/24 dev eth0  proto ipsec  scope link  src 172.17.1.2

Where does it get this src address from, and why is that there? It is the interface address of the UTM's eth2, which is an isolated internal interface containing the DC's admin workstations.

Any tips, anything I can debug?

TIA,
Harro



This thread was automatically locked due to age.
  • "On the Draytek I can see traffic entering the tunnel, but 0 packets come back." - This indicates a routing problem on their side.

    "On the UTM, I don't have a virtual interface I can check" - Try the following to watch inside the tunnel of an IPsec Connection named "My Customer":

    • # cc get_object_by_name 'ipsec_connection' 'site_to_site' 'My Customer'|grep 'ref'
      • That should tell you that the REF_ is something like REF_IpsSitMyCustomer
    • # espdump -n --conn REF_IpsSitMyCustomer -vv

    That scope link looks normal to me, so I don't think you're the problem.

    Cheers - Bob
    PS After I posted this, I saw that you'd already solved the problem yourself - bravo!

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
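Added here as a worked example (it is not code from the post, from Sophos or from strongSwan): a small Python check of the route Harro quotes against the two subnets given in the post. It assumes the standard meaning of a route's src hint (the preferred source address for packets the box itself originates; forwarded LAN traffic keeps its own source and is unaffected) and that charon takes that hint from any local address inside the local traffic selector, which is how an eth2 address can end up on a route via eth0. The interface table is constructed for illustration; only the eth2 address comes from the post.

```python
"""Consistency check for a strongSwan-installed IPsec route.

Added example written for this thread; not code from the post, from
strongSwan or from Sophos. Input is the route line quoted in the post plus
the two subnets from the post. What is checked:
  * the destination is exactly the remote traffic selector,
  * the src hint lies inside the local traffic selector,
  * which interface owns the src address (informational only).
Assumption (stated here and in the comments): charon installs the route
with a src hint taken from a local address that falls inside the local
traffic selector, regardless of which interface carries that address.
"""
import ipaddress
import re

# Route line as shown by `ip route` on the UTM (copied from the post).
ROUTE_LINE = "172.16.1.0/24 dev eth0  proto ipsec  scope link  src 172.17.1.2"

# Traffic selectors from the post: UTM side is local, Draytek side is remote.
LOCAL_TS = ipaddress.ip_network("172.17.0.0/20")
REMOTE_TS = ipaddress.ip_network("172.16.1.0/24")

# Constructed interface table; only the eth2 address comes from the post.
IFACE_ADDRS = {
    "eth0": ["203.0.113.10"],   # constructed placeholder for the WAN address
    "eth2": ["172.17.1.2"],     # admin-workstation segment, per the post
}

_ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+scope\s+(?P<scope>\S+))?"
    r"(?:\s+src\s+(?P<src>\S+))?"
)


def parse_route(line):
    """Split one `ip route` line into dst/dev/proto/scope/src."""
    m = _ROUTE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised route line: {line!r}")
    f = m.groupdict()
    return {
        "dst": ipaddress.ip_network(f["dst"], strict=False),
        "dev": f["dev"],
        "proto": f["proto"],
        "scope": f["scope"],
        "src": ipaddress.ip_address(f["src"]) if f["src"] else None,
    }


def owning_interface(addr, iface_addrs):
    """Return the interface that carries addr, or None if no interface does."""
    for dev, addrs in iface_addrs.items():
        if any(addr == ipaddress.ip_address(a) for a in addrs):
            return dev
    return None


def check_ipsec_route(line, local_ts, remote_ts, iface_addrs):
    """Return (errors, notes); an empty errors list means the route is consistent."""
    r = parse_route(line)
    errors, notes = [], []
    if r["proto"] != "ipsec":
        errors.append(f"proto is {r['proto']}, not ipsec: not installed by charon")
    if r["dst"] != remote_ts:
        errors.append(f"dst {r['dst']} is not the remote selector {remote_ts}")
    if r["src"] is None:
        # The src hint only affects packets the UTM originates itself (e.g. a
        # ping from the box); forwarded LAN traffic keeps its own source.
        notes.append("no src hint: locally originated packets would use the "
                     "egress interface address, which may be outside the selector")
    elif r["src"] not in local_ts:
        # Locally originated packets would carry a source outside the negotiated
        # selector; the peer's SPD would not match them, so nothing comes back.
        errors.append(f"src {r['src']} is outside the local selector {local_ts}")
    else:
        owner = owning_interface(r["src"], iface_addrs)
        if owner and owner != r["dev"]:
            # Assumption: charon picks the src from any local address inside the
            # selector, so an address on another interface is expected here.
            notes.append(f"src {r['src']} belongs to {owner}, route is via "
                         f"{r['dev']}: expected, the address is inside {local_ts}")
    return errors, notes


if __name__ == "__main__":
    errs, info = check_ipsec_route(ROUTE_LINE, LOCAL_TS, REMOTE_TS, IFACE_ADDRS)
    for e in errs:
        print("ERROR:", e)
    for n in info:
        print("note:", n)
    print("route consistent" if not errs else "route needs attention")
```

Run against the quoted route this reports no errors and one note (the src belongs to eth2 while the route is via eth0), which matches the "looks normal" reading: 172.17.1.2 sits inside 172.17.0.0/20. The check would only complain if the src fell outside the local selector or the destination did not match the remote one; it says nothing about the forwarded-traffic problem itself, which the src hint does not influence.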