Issues with IPsec between Sophos and Mikrotik

minaldwarkaram · April 30, 2021, 7:09am

Hi there,

I am experiencing some issues in relation to an IPsec tunnel between a Sophos XG85 & a Mikrotik RB2011.

I have gotten the IPsec to establish with no issues. I can ping and access all resources from the Mikrotik side, however from the Sophos side I cannot ping or access any devices on the Mikrotik side.

Sophos range: 192.168.1.0/24
Mikrotik range: 10.50.1.0/24

I believe this is an issue on my Mikrotik side in terms of my firewall rules. Can anyone possibly point me in the right direction in regard to this?

My firewall rules:

Filter:

0 chain=input action=accept protocol=ipsec-esp log=no log-prefix=“”

1 chain=input action=accept src-address=192.168.1.0/24 dst-address=10.50.1.0/24 log=no log-prefix=“”

2 chain=input action=accept protocol=udp src-port=4500 log=no log-prefix=“”

3 chain=forward action=accept src-address=10.50.1.0/24 dst-address=192.168.1.0/24 log=no log-prefix=“”

4 chain=forward action=accept src-address=192.168.1.0/24 dst-address=10.50.1.0/24 log=no log-prefix=“”

NAT:
chain=srcnat action=accept src-address=10.50.1.0/24 dst-address=192.168.1.0/24 log=no log-prefix=“”

I have confirmed with a Sophos engineer that the Sophos side of things look 100%.

Wondering if anyone here has dealt with this type of setup before!

Thank you!

rextended · April 30, 2021, 7:28am

What version of RouterOS your use?
I suggest to Update to 6.47.9.

NAT:

chain=srcnat action=accept src-address=10.50.1.0/24 dst-address=192.168.1.0/24

???

must be

action=masquerade

or not?

minaldwarkaram · April 30, 2021, 7:52am

What version of RouterOS your use?
I suggest to Update to 6.47.9.

Currently on 6.46.1, I can arrange for upgrading the firmware on the device!

NAT:

chain=srcnat action=accept src-address=10.50.1.0/24 dst-address=192.168.1.0/24

>
> ???
>
> must be
>
> ```text
action=masquerade

or not?

I don’t think I’d need to masquerade the traffic? As it’s an IPsec tunnel, so it’s private traffic if I understand correctly?
I do have another NAT rule for masquerading traffic out on my WAN.

I believe I need a specific filter rule to accept the traffic from the Sophos however I am falling short on that front.

Thank you!

rextended · April 30, 2021, 8:40am

Double check for me:
you create route (or other systems) for make reachable the two LAN?
without any bit of info on that I can only suppose…

Assuming Sophos range 192.168.1.0/24 know how to REPLY to Mikrotik range,
Mikrotik range 10.50.1.0/24 know how to REPLY on Sophos packet?

minaldwarkaram · April 30, 2021, 9:50am

Hi there,

There is no route setup on the mikrotik’s side to get to the Sophos side however I can access all resources on the other side of the tunnel.

sindy · April 30, 2021, 5:40pm

Don’t worry, it’s because the IPsec policies intercept the traffic and divert it into the tunnel. But some route for the traffic must exist, as the IPsec policies’ traffic selectors only act after the regular routing has routed that traffic somewhere.

Also the action=accept rule in chain=srcnat is correct if it is there to exempt the traffic to be sent via IPsec from getting srcnated.

Regarding the initial issue, I cannot see anything wrong in the few rules you’ve posted. So post the complete configuration, and also bear in mind that e.g. Windows machines do not respond to pings arriving from outside their own subnet. Running /tool sniffer quick ip-address=192.168.1.0/24 ip-protocol=icmp while pinging from the Sophos side to the Mikrotik side should show you how far the request gets and whether a response arrives. The only thing it won’t show is the response leaving through the tunnel, but mangle rules can be used to log them.