I'm running an XG at my home and have an Ubuntu 20.04 host in a datacenter running strongSwan IPsec. We are unable to make a basic IPsec site-to-site connection. I have a server inside my home also running Ubuntu, and we can make the connection that way using port forwarding and basic firewall rules. We would like to connect my XG to my Ubuntu server instead. I know that the XG is running strongSwan too, as that is the de facto IPsec deployment method for Linux.
I drew a crude document diagram of what we are trying to achieve if it is needed.
Hi Sophos User3835,
Thank you for reaching out to the Community!
As long as you configure matching IPsec policy and connection details, it'll work.
Sophos XG uses the following files, located in /log/ directory, to trace the events related to IPSec:
Please refer to KB Sophos XG Firewall: Logfile guide for all the log files available on Sophos XG.
You can check the available/preconfigured policies or create new policies as required. Go to VPN > IPsec Policies.
Check out the following KBA for more info: Sophos XG Firewall: IPsec troubleshooting and most common errors.
For basic configuration on the XG side, check out the following KBA: Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key.
Community Support Engineer | Sophos Technical Support
Awesome. Thank you for the logging information. You aren't going to believe this, but shortly after typing everything out I had that moment of clarity and managed to get it connected. Well, partially connected, as we still cannot ping VMs on the subnets defined in the connection and my virtual machine network cannot reach the internet. Should I start a new discussion or can we troubleshoot here?
Hi Sophos User3835,
Did you configure firewall rules on the XG firewall? You would need LAN to VPN and VPN to LAN to allow traffic across the IPsec VPN tunnel.
You could also run a packet capture from the GUI on the destination IP to see if traffic is routed through the correct firewall rule and interface.
For the internet issue, can you share the local and remote network definitions? If you added Any in the remote network, remove it and define the remote side's local network.
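To make the point about the network definitions concrete, here is an added example (not from the thread or from Sophos) that cross-checks the two sides of a site-to-site tunnel. The subnets are constructed, and it assumes the XG's local/remote networks correspond to strongSwan's leftsubnet/rightsubnet as seen from the Ubuntu peer.

```python
"""Cross-check local/remote network definitions of a site-to-site IPsec tunnel
between a Sophos XG and a strongSwan peer. Added example with constructed
subnets; the mapping XG remote <-> strongSwan leftsubnet is an assumption."""
import ipaddress

# Constructed sample, each peer written from its own viewpoint.
# The XG side mirrors the thread's "Any as remote network" misconfiguration.
XG_SIDE = {"local": ["192.168.10.0/24"], "remote": ["0.0.0.0/0"]}
STRONGSWAN_SIDE = {"leftsubnet": ["10.20.0.0/24"], "rightsubnet": ["192.168.10.0/24"]}


def _nets(cidrs):
    """Parse a list of CIDR strings into a set of ip_network objects."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def check_tunnel_networks(xg, sw):
    """Return a list of findings; an empty list means the selectors mirror each other."""
    findings = []
    xg_local, xg_remote = _nets(xg["local"]), _nets(xg["remote"])
    sw_local, sw_remote = _nets(sw["leftsubnet"]), _nets(sw["rightsubnet"])

    # 'Any' (0.0.0.0/0) as the remote network pulls every destination, the
    # internet included, into the tunnel: the VM network then loses internet.
    for side, nets in (("XG remote", xg_remote), ("strongSwan rightsubnet", sw_remote)):
        if any(n.prefixlen == 0 for n in nets):
            findings.append(f"{side} uses Any (0.0.0.0/0); define the peer's actual LAN instead")

    # Each side's remote selector must equal the other side's local selector,
    # otherwise the negotiated traffic selectors do not match and pings fail.
    if xg_remote != sw_local:
        findings.append(f"XG remote {sorted(map(str, xg_remote))} != "
                        f"strongSwan leftsubnet {sorted(map(str, sw_local))}")
    if sw_remote != xg_local:
        findings.append(f"strongSwan rightsubnet {sorted(map(str, sw_remote))} != "
                        f"XG local {sorted(map(str, xg_local))}")

    # Overlapping LANs on the two sites cannot be routed across the tunnel.
    for a in xg_local:
        for b in sw_local:
            if a.overlaps(b):
                findings.append(f"site networks {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for f in check_tunnel_networks(XG_SIDE, STRONGSWAN_SIDE) or ["selectors match"]:
        print(f)
```

Replacing the XG remote network with 10.20.0.0/24 makes the check pass, which is the change suggested above.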
Thank you for responding. I'm not doing these rules correctly or something else is wrong. Per the drawing I posted originally, here is the breakdown of my networks:
I have created network objects that define these under Hosts and Services. My current rules are basic LAN to VPN and VPN to LAN using zones. I have tried using Any for the remote network and the defined objects for the networks, but neither is working correctly.
So far only my XG LAN can ping out to the Ubuntu VMNet.