Sophos – Site-to-Site VPN with Sophos XG Using Tunnel Interface

Tags: ipsec, site-to-site, sophos, tunnel, vpn

So I have configured a Sophos XG site-to-site vpn according to this document:
https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/VPNCreateRouteBasedVPN.html

But I am stuck with the following problem:
SiteA: Branchoffice, LAN 192.168.198.0/24
SiteB: Headoffice, LAN 172.30.0.0/24
If I ping from Site-A to Site-B, tcpdump on Sophos-A shows this while ping goes through:

18:53:04.059527 Port1, IN: IP 192.168.198.244 > 172.30.0.3: ICMP echo request, id 46946, seq 0, length 64
18:53:04.059737 xfrm1, OUT: IP 192.168.198.244 > 172.30.0.3: ICMP echo request, id 46946, seq 0, length 64
18:53:04.069119 xfrm1, IN: IP 172.30.0.3 > 192.168.198.244: ICMP echo reply, id 46946, seq 0, length 64
18:53:04.069193 Port1, OUT: IP 172.30.0.3 > 192.168.198.244: ICMP echo reply, id 46946, seq 0, length 64

If I ping from Site-B to Site-A, tcpdump records the following on Sophos-B and ping does not go through:

18:53:21.509216 Port4, IN: IP 172.30.0.3 > 192.168.198.244: ICMP echo request, id 2025, seq 1, length 64
18:53:21.509354 xfrm1, OUT: IP >WAN-IP< > 192.168.198.244: ICMP echo request, id 2025, seq 1, length 64

How come that from Site A to B it goes "xfrm1, OUT: IP 192.168.198.244" (as expected), while from Site B to A it's "xfrm1, OUT: IP >WAN-IP<"?

I just don't get why it uses the WAN IP from B to A, but the other way round it takes the correct path.

Cheerz

Best Answer

Site B is missing the route for 192.168.198.0/24 pointing into the tunnel. Without it, the packet leaks out to WAN.

You need to either set up a static route or configure OSPF between the firewalls (requires 'always-on' VPN).
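To make the answer's diagnosis concrete, here is an added example (not part of the original question or answer, and not Sophos code) that reproduces the two checks in plain Python: a longest-prefix route lookup over a routing table in Linux `ip route` style, showing that Site B's table sends 192.168.198.0/24 to the default (WAN) route until a static route into xfrm1 is added, and a scan of tcpdump lines for the symptom seen in the question, an OUT packet on a tunnel interface whose source address is not a local LAN address. The routing tables, gateway addresses (198.51.100.1, 203.0.113.1) and the WAN address 203.0.113.10 standing in for `>WAN-IP<` are constructed for the example; the interface names and LAN prefixes come from the question.

```python
import ipaddress
import re

# Constructed routing tables in Linux `ip route` style. Interface names
# (Port1/Port4 for the LANs, xfrm1 for the tunnel) follow the tcpdump
# output in the question; Port2 as WAN and the gateway addresses are assumptions.
SITE_A_ROUTES = """\
default via 198.51.100.1 dev Port2
192.168.198.0/24 dev Port1 proto kernel scope link src 192.168.198.1
172.30.0.0/24 dev xfrm1 scope link
"""

# Site B as described in the answer: no route for the branch LAN at all.
SITE_B_ROUTES_BROKEN = """\
default via 203.0.113.1 dev Port2
172.30.0.0/24 dev Port4 proto kernel scope link src 172.30.0.1
"""

# Site B with the static route from the answer added.
SITE_B_ROUTES_FIXED = SITE_B_ROUTES_BROKEN + "192.168.198.0/24 dev xfrm1 scope link\n"


def parse_routes(text):
    """Turn `ip route` lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "default":
            prefix = ipaddress.ip_network("0.0.0.0/0")
        else:
            prefix = ipaddress.ip_network(parts[0], strict=False)
        dev = parts[parts.index("dev") + 1]
        routes.append((prefix, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for a single destination, as the kernel does it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev)
    return best[1] if best else None


def tunnel_leaks(routes, remote_lans, tunnel_prefix="xfrm"):
    """Return (remote LAN, egress interface) for every remote LAN whose
    traffic would not enter a tunnel interface, i.e. would leak to WAN."""
    leaks = []
    for lan in remote_lans:
        net = ipaddress.ip_network(lan)
        # probe with the first usable host of the remote LAN
        dev = lookup(routes, str(net.network_address + 1))
        if dev is None or not dev.startswith(tunnel_prefix):
            leaks.append((lan, dev))
    return leaks


# Capture lines from the question; 203.0.113.10 is a constructed stand-in for >WAN-IP<.
SITE_A_CAPTURE = """\
18:53:04.059527 Port1, IN: IP 192.168.198.244 > 172.30.0.3: ICMP echo request, id 46946, seq 0, length 64
18:53:04.059737 xfrm1, OUT: IP 192.168.198.244 > 172.30.0.3: ICMP echo request, id 46946, seq 0, length 64
18:53:04.069119 xfrm1, IN: IP 172.30.0.3 > 192.168.198.244: ICMP echo reply, id 46946, seq 0, length 64
18:53:04.069193 Port1, OUT: IP 172.30.0.3 > 192.168.198.244: ICMP echo reply, id 46946, seq 0, length 64
"""

SITE_B_CAPTURE = """\
18:53:21.509216 Port4, IN: IP 172.30.0.3 > 192.168.198.244: ICMP echo request, id 2025, seq 1, length 64
18:53:21.509354 xfrm1, OUT: IP 203.0.113.10 > 192.168.198.244: ICMP echo request, id 2025, seq 1, length 64
"""

TCPDUMP_LINE = re.compile(r"^\S+ (\S+), (IN|OUT): IP (\S+) > (\S+):")


def snat_before_tunnel(capture, local_lans, tunnel_prefix="xfrm"):
    """Flag OUT packets on a tunnel interface whose source is not a local LAN
    address: the 'xfrm1, OUT: IP >WAN-IP<' symptom from the question."""
    nets = [ipaddress.ip_network(n) for n in local_lans]
    hits = []
    for line in capture.splitlines():
        m = TCPDUMP_LINE.match(line)
        if not m:
            continue
        dev, direction, src, _dst = m.groups()
        if direction == "OUT" and dev.startswith(tunnel_prefix):
            if not any(ipaddress.ip_address(src) in n for n in nets):
                hits.append(line)
    return hits


if __name__ == "__main__":
    print("Site A leaks:", tunnel_leaks(parse_routes(SITE_A_ROUTES), ["172.30.0.0/24"]))
    print("Site B leaks (broken):", tunnel_leaks(parse_routes(SITE_B_ROUTES_BROKEN), ["192.168.198.0/24"]))
    print("Site B leaks (fixed):", tunnel_leaks(parse_routes(SITE_B_ROUTES_FIXED), ["192.168.198.0/24"]))
    print("Site B SNAT-before-tunnel hits:", snat_before_tunnel(SITE_B_CAPTURE, ["172.30.0.0/24"]))
```

On the real appliance, the fix the answer describes is a static route for 192.168.198.0/24 whose gateway interface is the tunnel interface (xfrm1) on Site B; after adding it, the Site B capture should show the LAN source address on `xfrm1, OUT` just as Site A's does, and `snat_before_tunnel` on a fresh capture would return no hits.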