
Site to Site tunnel up but no traffic between specific Peers

Hi,  

I have an HA SG450 UTM 9 pair running firmware version 9.705-3 in Active-Passive. On these there is an IPSec Site-to-Site setup with 1 local network (SNAT) and 10 remote networks, which is working great.

I want to add another local network behind an SNAT and 1 more remote network. When I add these in, everything appears to connect; however, I cannot reach the new remote network at all.
Original Setup:
The Original SNAT setup is: 10.150.5.0/24 > 10.24.53.15 (1 of 10 remote IPs), Translate to 10.66.35.201

The IPSec Connection was:
10.66.35.201

Remote Gateway Networks:
10.24.53.15

My new settings:
SNAT, which is set up as: 10.150.5.0/24 > 10.66.104.2 (new remote network), Translate to 172.10.0.10. I made sure to check "Use in IPSec traffic".

My new Network in my IPSec connections is:
10.66.35.201
172.10.0.10

and my new remote network in my remote gateway is:
10.24.53.15
10.66.104.2

I don't see any firewall drops for this traffic, and I do see it hitting my NAT rule and the automatically created firewall rule. The other end of this isn't something I control, but they are saying they never see the traffic hit their end. The original one still works fine.
I've run some ESPDUMPs but am awaiting the PSK to actually decrypt and see the traffic; it appears to be sending out to the correct remote IP.

I am assuming that 2 different SNAT'd addresses as my local networks aren't going to cause my issues, as the NAT'd addresses and remote addresses don't overlap anywhere.
Additionally, if this were causing an issue, could I use an additional IP on my side to create a secondary tunnel to the same remote IP instead? I'm guessing this would use a respond-only connection, with the remote side using my additional IP.

Many thanks,
Martin.



  • FormerMember

    Hi,

    Thanks for reaching out, and welcome to the Community! 

    The espdump would give you a hint on what is happening with the traffic from the new subnet. 

    While you're waiting to decrypt the espdump, you could run a simple espdump on the UTM to verify if you see traffic being forwarded to the peer firewall.

    Reference Community thread: IPSec tunnel from UTM to USG only working one way

    Thanks,

  • Hi Harsh,

    I have managed to decrypt it and I can see my ICMP traffic, but I get no response; however, the other side still says they're not seeing any traffic reach their end.

    This suggests to me that I'm sending out the traffic correctly down the tunnel and it's being correctly NAT'd. Obviously, without them being able to see it hitting their end, they're claiming ignorance and it's on me to prove there's nothing more I can do.

    Thanks.

  • FormerMember in reply to SimbasPride

    Hi,

    Thanks for the update. 

    I would suspect the ISP was causing this issue if it were a new setup, but in your case it's working for other networks in the same connection/tunnel.

    Thanks,

  • Hi Martin and welcome to the UTM Community!

    We already know the request goes out and that we see no response, so we don't need to do #1 in Rulz (last updated 2021-02-16), and that it must be a routing problem...

    Are we sure that the other VPN endpoint was also correctly updated with the additional subnets?  If confirming that doesn't resolve this, let's look at pictures of the relevant configurations.  Please show pictures of the Edits of the IPsec Connection, the Remote Gateway, the NAT rules and the firewall rule(s) if 'Automatic firewall rules' is not selected.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
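As an added illustration (not code from this thread or from Sophos UTM), a small Python checker for the question Bob raises here and the configuration Martin posted above: does each SNAT flow flagged for IPsec land inside the tunnel's local/remote selectors, on the UTM side and on the peer's side? The addresses are the ones quoted in the original post; the rule tuples and network lists are constructed for the example.

```python
"""Check that every IPsec-bound SNAT flow is covered by the tunnel selectors.

Added example, not part of the thread or of Sophos UTM. Addresses come from
the original post; the rule and network structures are constructed.
"""
from ipaddress import ip_address, ip_network

# SNAT rules flagged "Use in IPsec traffic":
# (original source, destination, translated source)
SNAT_RULES = [
    ("10.150.5.0/24", "10.24.53.15", "10.66.35.201"),  # original, working flow
    ("10.150.5.0/24", "10.66.104.2", "172.10.0.10"),   # newly added flow
]

# Local networks on the UTM's IPsec connection and the remote gateway's networks
LOCAL_NETWORKS = ["10.66.35.201", "172.10.0.10"]
REMOTE_NETWORKS = ["10.24.53.15", "10.66.104.2"]


def covered(addr, networks):
    """True if addr falls inside any listed network (a bare host counts as /32)."""
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in networks)


def check_selectors(rules, local_nets, remote_nets):
    """Return (post-NAT source, destination, problem) for every flow whose
    translated source is not in local_nets or whose destination is not in
    remote_nets. An empty list means all IPsec-bound SNAT flows are selected."""
    problems = []
    for _orig_src, dst, xlat_src in rules:
        if not covered(xlat_src, local_nets):
            problems.append((xlat_src, dst, "post-NAT source not covered by a selector"))
        if not covered(dst, remote_nets):
            problems.append((xlat_src, dst, "destination not covered by a selector"))
    return problems


def check_peer(rules, peer_remote_nets, peer_local_nets):
    """Same check from the peer's point of view: the UTM's translated sources
    must appear in the peer's remote-network list, the destinations in its local list."""
    return check_selectors(rules, peer_remote_nets, peer_local_nets)


if __name__ == "__main__":
    # Martin's side: both flows are covered, so the UTM will send them down the tunnel.
    print(check_selectors(SNAT_RULES, LOCAL_NETWORKS, REMOTE_NETWORKS))
    # Bob's question, modelled as a peer that never added the new 172.10.0.10 network:
    # the new flow is flagged, while the original flow still passes.
    print(check_peer(SNAT_RULES, ["10.66.35.201"], REMOTE_NETWORKS))
```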
  • Hi Bob,

    Thanks for replying. I have learnt more about Sophos UTMs and the various elements from reading your posts, so it's a pleasure to "meet" you.

    It turns out that it was working all along and that the other side were not performing sufficient captures; once they had properly performed these, we were able to see the traffic and determine that they had a misconfigured firewall rule.

    Many thanks for reaching out.