Mikrotik and Sophos XG IPSec Site to Site

This is an x-post from the Sophos XG forums. I am currently stumped and looking for anyone that can shed some light on my situation. In a nutshell, I am able to access devices on the remote subnet behind the Sophos XG from behind the MikroTik but not the other way around. Below are my MikroTik IPsec configs.

https://community.sophos.com/products/xg-firewall/f/network-and-routing/100460/mikrotik-and-sophos-ipsec-site-to-site


[pepsi@mikrotik] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder 
 0     address=67.xxx.xxx.168/32 auth-method=pre-shared-key secret="oops" 
       generate-policy=no policy-template-group=default exchange-mode=ike2 
       send-initial-contact=yes hash-algorithm=sha256 enc-algorithm=aes-256 
       dh-group=modp2048 dpd-interval=2m 
	   
[pepsi@mikrotik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  A  src-address=192.168.87.0/24 src-port=any dst-address=10.0.100.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=24.xxx.xxx.222 sa-dst-address=67.xxx.xxx.168 proposal=default ph2-count=1 	   

[pepsi@mikrotik] > /ip ipsec proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp2048 	   
 
[pepsi@mikrotik] > /ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0xE91F9A8 src-address=67.xxx.xxx.168 dst-address=24.xxx.xxx.222 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="9271bae35a4ee7bfd1b3ba97b08ba9541809124e3c16aff5aef9c9428dc4d2d1" 
      enc-key="f775f3cf1fcdaaccf13889a088b922ece716fccac82249737090702d95ec3j0d" addtime=feb/15/2018 15:58:08 expires-in=11m20s add-lifetime=24m11s/30m14s current-bytes=11220 current-packets=136 replay=128 

 1  E spi=0xC46763EB src-address=24.xxx.xxx.222 dst-address=67.xxx.xxx.168 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="5d040c2a5ba14aaf342d6t57ab9c5cec60c01394u9f78b8b9c5ec8241bae496d" 
      enc-key="56b3a5bb3306e4cc8c12a6c2b04185212f3508eda60b8f1339b00dfe27j5f3e3" addtime=feb/15/2018 15:58:08 expires-in=11m20s add-lifetime=24m11s/30m14s current-bytes=300 current-packets=6 replay=128

Here are my NAT settings.

[pepsi@mikrotik] > / ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=192.168.87.0/24 dst-address=10.0.100.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""

I am getting closer. I can now ping devices behind the MikroTik but can't SSH or RDP to them. I am assuming it has to do with my firewall filter. Anyone got any suggestions?


[pepsie@mikrotik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=udp port=500 log=no log-prefix="" 

 1    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 2    chain=forward action=accept src-address=10.0.100.0/24 dst-address=192.168.87.0/24 log=no log-prefix="" 

 3    chain=forward action=accept src-address=192.168.87.0/24 dst-address=10.0.100.0/24 log=no log-prefix="" 

 4    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 5    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 6    ;;; Winbox
      chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix="" 

 7    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

 8    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 9    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

10    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""