
IPSec tunnel from UTM to USG only working one way

Hello guys, following my last post, managed to get a tunnel working between the Sophos UTM and a Ubiquiti USG, however, it seems traffic is only flowing one way.

From the USG, I can access the network of the UTM, over IP addresses and FQDNs.

From the UTM, I can't seem to access anything on the USG's network. Doing a tracert goes to the UTM and times out afterwards.

I assumed it was a firewall rule, I created a rule saying "My laptops local IP (on the UTM's network) > Any > USG's LAN network", with no success. Tried it going to the USG's external IP as well, no luck again.

I assume it's got to be some sort of routing issue, but I can't figure out what type of rule I need to create for it. I don't want all of the traffic to go over the tunnel, only things that are relevant, if that makes sense. In this environment, the UTM is head office, and the USG is our "remote site", I am just testing at the moment. 

Any ideas will be much appreciated.

Thanks



  • FormerMember
    0 FormerMember

    Hi ,

    Thanks for reaching out to the Community! 

    Would it be possible for you to share the screenshot of the IPsec connection? Did you add the internal network in Local Networks? Did you configure Automatic firewall rules? Is there any static route configured for the local network? 

    Thanks,

  • Hi Harsh,

    Yes, I did add the internal network in the Local networks, I did check the box for "Automatic Firewall Rules". I haven't made any static routes, not too sure how to configure it so not all the traffic goes through the USG.

    Screenshots from the UTM:

    Screenshots from the USG:

    The tunnel is up, and local network traffic flows from the USG to the UTM, as in I can ping and access stuff on the UTM's network.

    But not the other way round. UTM to USG doesn't seem accessible.

    Thanks

  • FormerMember
    0 FormerMember in reply to Davroc Ltd

    Hi ,

    Thank you for the update. 

    I would suggest you run espdump on UTM while trying to access the network at USG and check if there’s any response from USG or not. 

    SSH into UTM by following this KBA and switch to the root user: Access the UTM shell 

    Follow these commands: 

    1. cc
    2. ipsec
    3. connections@
    4. This should print out a list of the existing IPSec connections and their references like this;
      0 'REF_IpsRoaTest' [Test]

    Note: Type "Exit" once you have the connection reference id.

    To actually espdump the connection, run the following command:

    • espdump --conn REF_IpsRoaTest -n and use the REF according to the appropriate tunnel.

    Thanks,

  • Hello,

    I went through this with another member of the community, and it looks like it is sending traffic through both ways.

    But it doesn't seem like I can access anything on the network of the USG.

    The CMD window is my laptop on the UTM network, getting timed out messages.

    The first putty window is the UTM, and the 2nd putty window is my PC on the USG network.

  • FormerMember
    0 FormerMember in reply to Davroc Ltd

    Hi ,

    Thank you for the screenshots. 

    It seems the UTM is forwarding the ICMP echo request through the IPsec tunnel, but there's no reply from the host 192.168.76.6. 

    I would suggest you check out if there's any Anti-Virus blocking ICMP on 192.168.76.6 or a routing issue at USG internal network. 

    Thanks,
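
The asymmetry described above (echo requests leaving through the tunnel, nothing coming back from the far host) can be checked mechanically rather than by eyeballing a capture. The block below is an added example, not code from the thread or from Sophos: it pairs ICMP echo requests with their replies in tcpdump-style lines and reports flows that never get an answer. The sample lines, the 192.168.100.50 laptop address and 192.168.76.20 are constructed; 192.168.76.6 is the host named in the thread.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a capture from the thread's tunnel).
# Assumed layout: 192.168.100.50 = laptop on the UTM side, 192.168.76.x = USG side.
SAMPLE_LINES = """\
IP 192.168.100.50 > 192.168.76.6: ICMP echo request, id 1, seq 1, length 64
IP 192.168.100.50 > 192.168.76.6: ICMP echo request, id 1, seq 2, length 64
IP 192.168.100.50.49152 > 192.168.76.6.445: Flags [S], seq 10, win 64240, length 0
IP 192.168.100.50 > 192.168.76.6: ICMP echo request, id 1, seq 3, length 64
IP 192.168.76.20 > 192.168.100.50: ICMP echo request, id 7, seq 1, length 64
IP 192.168.100.50 > 192.168.76.20: ICMP echo reply, id 7, seq 1, length 64
IP 192.168.76.20 > 192.168.100.50: ICMP echo request, id 7, seq 2, length 64
IP 192.168.100.50 > 192.168.76.20: ICMP echo reply, id 7, seq 2, length 64
""".splitlines()

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(lines):
    """Yield (src, dst, kind, id, seq) for each ICMP echo line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])

def echo_report(lines):
    """Pair requests with replies per (src, dst) flow.
    Returns {(src, dst): {"sent": n, "answered": n, "unanswered": [seq, ...]}}.
    sent > 0 with answered == 0 is the one-way pattern from the thread."""
    pending = {}  # (src, dst, id, seq) of requests still waiting for a reply
    flows = defaultdict(lambda: {"sent": 0, "answered": 0, "unanswered": []})
    for src, dst, kind, ident, seq in parse_icmp(lines):
        if kind == "request":
            pending[(src, dst, ident, seq)] = True
            flows[(src, dst)]["sent"] += 1
        # A reply reverses src/dst and carries the request's id and seq.
        elif pending.pop((dst, src, ident, seq), None):
            flows[(dst, src)]["answered"] += 1
    for src, dst, _ident, seq in pending:
        flows[(src, dst)]["unanswered"].append(seq)
    return dict(flows)

def one_way_flows(lines):
    """Return the (src, dst) flows whose requests were never answered."""
    return [f for f, s in echo_report(lines).items() if s["sent"] and not s["answered"]]
```

Feeding the script real capture output from the UTM side distinguishes "requests never leave the tunnel" (no request lines at all) from "requests leave but the far host never answers" (requests with no matching replies), which is the case the screenshots showed.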

  • Hi

    In terms of routing, when I spoke to Ubiquiti support about this, what I got from them was basically "No routing needs to be done for a Tunnel"

    Not the most useful info unfortunately...

    I don't think that on the 192.168.76.6 machine there's anything blocking ICMP locally, since on that network itself, it responds to pings.

It's just a really odd one, it's not just pings, I can't access file shares or anything either, one way only.

