IPSec: Established, SAs Up, Traffic somewhat strange or missing
-
Hello everyone,
At our company's main site, we have a Sophos UTM appliance that is acting as gateway (no NAT).
Here at home, I'm doomed to stick to my ISP's default router, so pfSense is behind that router. Until 3 days ago, I used the Home version of Sophos XG Firewall to connect through an IPSec tunnel to the Sophos UTM. Everything was working, multiple subnets were in use.
Then I had the bad idea to give it a shot with that new firmware upgrade. The new version is broken, the backup can't be used because after restoring it loses its activation - and in THAT version there was a bug that all interfaces go offline once not activated - so that backup is bricked as well.
So, searching for an alternative I found pfSense and it looks pretty solid. I installed it, everything went quite smoothly, and I started to set up the IPSec tunnel with the Sophos. But now I'm facing some issues I don't really understand, and hope somebody here has an idea which button to press.
So, Situation Summary:
Network at Home:
- 10.10.20.0/22 (Network for all Clients on the green side of pfSense)
- 10.10.19.0/24 (Network on the red side, basically only my ISP's router and the red side of pfSense)
Network at Work:
- 192.168.136.0/22, Sophos acting as gateway, owning an external static IP.
Status:
I configured the pfSense to have both IPs 10.10.19.2 (red) and 10.10.20.1 (green). IPSec is configured to use PSK, AES 256; the connection is established successfully. Both firewalls show the communication logs, do key renewals etc. For now, I tried to get it working with only 1 SAD (192.168.136.0/22 <=> 10.10.20.0/22).
That SAD establishes its connection and pfSense is reporting outgoing traffic. I can verify from the firewall logs that connection attempts of various services are "leaving" through the red gate of pfSense (53 / UDP (DNS queries, caused by DNS forwarders), TCP 5070 (VoIP phone trying to connect) and many more). But then the trace of those packets gets lost. The Sophos firewall - which I configured to log every dropped or successful packet - does not show any trace of incoming traffic.
Trying to reach my subnet from the Sophos side also reports all packets as "green" and allowed - none of them reaches pfSense.
So, I am highly out of ideas, because the "technical" route was working with 2 Sophos appliances (hence the ISP's router does not block that / forwards and receives correctly, I'd say).
The only assumption I have is that it has something to do with the identifiers of the IPSec tunnel, so the firewalls in some way are thinking "hmm, that packet is not for me" - but I think I tried every possible combination, and I'm not sure if it would manage Phase 1 at all if the identifiers were wrong?
Here are some of the configuration screenshots; if you need any additional logs or something, just let me know.
pfSense:
Note the "Packets-In": 0
Some "confirmed" outgoing packets:
Sophos side:
Shows no trace of "incoming" packets from pfSense besides all the Phase 1 communication itself (UDP 500 / 4500)
So, I have the feeling that packets are sent out by pfSense, but somehow misrouted down the road.
As said, the Sophos side was perfectly fine with the Sophos XG on my side, so I assume everything there (routing, firewall rules) is still fine and working.
(No one but me is changing anything there.) Any ideas where I could continue searching for issues?
-
I've just read about issues with IPsec and the 2.6 version.
So, I quickly set up another VM, installed the 2.5.2 release, configured the connection - but it behaves exactly the same way.
- Connection established
- SAs are up
- Traffic outgoing
but nothing happening. So, it has to be an issue with the configuration.
PS:
Since the red side of pfSense is basically a mini network behind the ISP's router, I disabled the options "Block private networks and loopback addresses" and "Block bogon networks", since I'm expecting to see IP addresses of the private range on that side. Also, firewall-wise:
The LAN rule is recording outgoing traffic for the subnets:
whereas the IPsec rule doesn't record anything:
-
Figured it out thanks to a post in the UTM forums that is ... ehm... 5 years old :)
The Sophos has an issue with AES 256 along with SHA 256. Dropping to SHA-1 and it starts to work all of a sudden.
(Not to mention it does not support IKEv2)
Well, we are looking for a new appliance on the HQ side anyway, so I'm now going to look deeper into pfSense.
https://community.sophos.com/sophos-xg-firewall/f/discussions/89213/ipsec-vpn-with-utm-not-passing-traffic?ReplyFilter=Answers&ReplySortBy=Answers&ReplySortOrder=Descending
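The symptom in the first post (child SA installed, pfSense counting outbound packets, "Packets-In: 0") and the finding in the last post (the UTM peer only passed traffic once the integrity algorithm was changed) both come down to reading the per-SA counters and the negotiated proposal together. As an added example, not code from this thread, from pfSense or from strongSwan, here is a small Python parser for the `ipsec statusall` output that strongSwan (the IPsec daemon pfSense uses) prints; it flags child SAs that only ever carry traffic in one direction and shows the ESP proposal and NAT-T state next to each. The sample status text is constructed for the example, with 203.0.113.10 as a placeholder for the work gateway's public address, and the exact line format is an assumption about strongSwan's output.

```python
"""Flag one-way IPsec child SAs from strongSwan `ipsec statusall` output.

Added example for this thread; not pfSense or strongSwan code. The line format
below is assumed from strongSwan's status output, and the sample is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on `ipsec statusall` on pfSense. Addresses and SPIs
# are made up; 203.0.113.10 is a documentation-range placeholder for the peer.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
     con1[3]: ESTABLISHED 42 minutes ago, 10.10.19.2[10.10.19.2]...203.0.113.10[203.0.113.10]
     con1[3]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 23 hours
     con1[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
     con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
     con1{5}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 61440 bytes_o (512 pkts, 3s ago), rekeying in 41 minutes
     con1{5}:   10.10.20.0/22 === 192.168.136.0/22
"""

@dataclass
class ChildSa:
    name: str
    state: str = ""
    mode: str = ""
    nat_t: bool = False          # True when ESP is UDP-encapsulated (peer or we are behind NAT)
    esp_proposal: str = ""
    bytes_i: int = 0
    bytes_o: int = 0
    local_ts: str = ""
    remote_ts: str = ""

# Child SA lines start with "<conn>{<id>}:"; IKE SA lines ("<conn>[<id>]:") are skipped.
CHILD_PREFIX = re.compile(r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
STATE_LINE = re.compile(r"^(?P<state>[A-Z]+), (?P<mode>[A-Z]+), reqid \d+, (?P<esp>ESP(?: in UDP)?) SPIs")
COUNTER_LINE = re.compile(
    r"^(?P<proposal>[A-Z0-9_/]+), (?P<bytes_i>\d+) bytes_i(?: \([^)]*\))?, "
    r"(?P<bytes_o>\d+) bytes_o(?: \([^)]*\))?"
)
TS_LINE = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)$")

def parse_statusall(text: str) -> Dict[Tuple[str, int], ChildSa]:
    """Collect the three per-child-SA lines into one ChildSa per (conn, id)."""
    sas: Dict[Tuple[str, int], ChildSa] = {}
    for line in text.splitlines():
        m = CHILD_PREFIX.match(line)
        if not m:
            continue
        sa = sas.setdefault((m["name"], int(m["id"])), ChildSa(name=m["name"]))
        rest = m["rest"].strip()
        if (s := STATE_LINE.match(rest)):
            sa.state, sa.mode = s["state"], s["mode"]
            sa.nat_t = "UDP" in s["esp"]
        elif (c := COUNTER_LINE.match(rest)):
            sa.esp_proposal = c["proposal"]
            sa.bytes_i, sa.bytes_o = int(c["bytes_i"]), int(c["bytes_o"])
        elif (t := TS_LINE.match(rest)):
            sa.local_ts, sa.remote_ts = t["local"], t["remote"]
    return sas

def classify(sa: ChildSa) -> str:
    """Traffic pattern of a child SA based on its byte counters."""
    if sa.state != "INSTALLED":
        return "not-installed"
    if sa.bytes_i == 0 and sa.bytes_o == 0:
        return "idle"
    if sa.bytes_i == 0:
        return "one-way-outbound"   # the thread's symptom: SA up, nothing ever comes back
    if sa.bytes_o == 0:
        return "one-way-inbound"
    return "bidirectional"

def report(text: str) -> List[str]:
    """One summary line per child SA: selectors, verdict, proposal, NAT-T, counters."""
    out = []
    for (name, cid), sa in sorted(parse_statusall(text).items()):
        out.append(f"{name}{{{cid}}} {sa.local_ts} === {sa.remote_ts}: {classify(sa)} "
                   f"[{sa.esp_proposal}, nat-t={'yes' if sa.nat_t else 'no'}, "
                   f"in={sa.bytes_i}B out={sa.bytes_o}B]")
    return out

if __name__ == "__main__":
    import sys
    src = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(src)))
```

Run it on the constructed sample (no stdin) or pipe real output in with `ipsec statusall | python3 sa_check.py`. A `one-way-outbound` verdict on a tunnel whose IKE SA is established says the local side is encrypting and sending but the peer never sends ESP back, which is the thread's situation; that points at the peer's ESP proposal and its decrypt/policy logs, not at local routing or firewall rules, and the proposal string printed beside the verdict is what you compare against the peer's configuration.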