minaldwarkaram
just joined
Topic Author
Posts: 3
Joined: Fri Apr 30, 2021 9:48 am

Issues with IPsec between Sophos and Mikrotik

Fri Apr 30, 2021 10:09 am

Hi there,

I am experiencing some issues in relation to an IPsec tunnel between a Sophos XG85 & a Mikrotik RB2011.

I have gotten the IPsec to establish with no issues. I can ping and access all resources from the Mikrotik side, however from the Sophos side I cannot ping or access any devices on the Mikrotik side.

Sophos range: 192.168.1.0/24
Mikrotik range: 10.50.1.0/24

I believe this is an issue on my Mikrotik side in terms of my firewall rules. Can anyone possibly point me in the right direction in regard to this?

My firewall rules:

Filter:
0 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
1 chain=input action=accept src-address=192.168.1.0/24 dst-address=10.50.1.0/24 log=no log-prefix=""
2 chain=input action=accept protocol=udp src-port=4500 log=no log-prefix=""
3 chain=forward action=accept src-address=10.50.1.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
4 chain=forward action=accept src-address=192.168.1.0/24 dst-address=10.50.1.0/24 log=no log-prefix=""

NAT:
0 chain=srcnat action=accept src-address=10.50.1.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""

I have confirmed with a Sophos engineer that the Sophos side of things look 100%.

Wondering if anyone here has dealt with this type of setup before!

Thank you!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Issues with IPsec between Sophos and Mikrotik

Fri Apr 30, 2021 10:28 am

What version of RouterOS do you use?
I suggest updating to 6.47.9.

NAT:
chain=srcnat action=accept src-address=10.50.1.0/24 dst-address=192.168.1.0/24
???

Must it be
action=masquerade
or not?
 
minaldwarkaram
just joined
Topic Author
Posts: 3
Joined: Fri Apr 30, 2021 9:48 am

Re: Issues with IPsec between Sophos and Mikrotik

Fri Apr 30, 2021 10:52 am

> What version of RouterOS do you use?
> I suggest updating to 6.47.9.

Currently on 6.46.1; I can arrange to upgrade the firmware on the device!

> NAT:
> chain=srcnat action=accept src-address=10.50.1.0/24 dst-address=192.168.1.0/24
> ???
>
> Must it be
> action=masquerade
> or not?

I don't think I'd need to masquerade the traffic? As it's an IPsec tunnel, it's private traffic, if I understand correctly?
I do have another NAT rule for masquerading traffic out on my WAN.

I believe I need a specific filter rule to accept the traffic from the Sophos however I am falling short on that front.

Thank you!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Issues with IPsec between Sophos and Mikrotik

Fri Apr 30, 2021 11:40 am

Double-check for me:
did you create a route (or some other mechanism) to make the two LANs reachable from each other?
Without any information on that I can only guess...

Assuming the Sophos range 192.168.1.0/24 knows how to REPLY to the MikroTik range,
does the MikroTik range 10.50.1.0/24 know how to REPLY to Sophos packets?
 
minaldwarkaram
just joined
Topic Author
Posts: 3
Joined: Fri Apr 30, 2021 9:48 am

Re: Issues with IPsec between Sophos and Mikrotik

Fri Apr 30, 2021 12:50 pm

Hi there,

There is no route set up on the MikroTik side to get to the Sophos side; however, I can access all resources on the other side of the tunnel.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues with IPsec between Sophos and Mikrotik

Fri Apr 30, 2021 8:40 pm

> There is no route set up on the MikroTik side to get to the Sophos side; however, I can access all resources on the other side of the tunnel.

Don't worry, it's because the IPsec policies intercept the traffic and divert it into the tunnel. But some route for the traffic must exist, as the IPsec policies' traffic selectors only act after the regular routing has routed that traffic somewhere.

Also the action=accept rule in chain=srcnat is correct if it is there to exempt the traffic to be sent via IPsec from getting srcnated.

Regarding the initial issue, I cannot see anything wrong in the few rules you've posted. So post the complete configuration, and also bear in mind that e.g. Windows machines do not respond to pings arriving from outside their own subnet. Running /tool sniffer quick ip-address=192.168.1.0/24 ip-protocol=icmp while pinging from the Sophos side to the MikroTik side should show you how far the request gets and whether a response arrives. The only thing it won't show is the response leaving through the tunnel, but mangle rules can be used to log them.
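The pieces sindy describes (a route that sends the remote subnet somewhere, the srcnat accept exemption ahead of the WAN masquerade, firewall acceptance of IKE/ESP and of the decrypted forward traffic, and the sniffer check), laid out as one RouterOS 6.x configuration for the two subnets in this thread. This is an added example, not configuration posted by anyone in the thread: ether1 as the WAN interface, the public IPs 203.0.113.1 (RB2011) and 198.51.100.1 (Sophos), the pre-shared key, and the profile/proposal/peer names are placeholders.

```routeros
# Added example, not from the thread. Placeholders (assumptions): ether1 = WAN,
# 203.0.113.1 = RB2011 public IP, 198.51.100.1 = Sophos public IP, names are invented.

# Phase 1 / phase 2 objects (RouterOS 6.45+ peer/identity layout)
/ip ipsec profile add name=sophos-p1 hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=1d
/ip ipsec proposal add name=sophos-p2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h
/ip ipsec peer add name=sophos address=198.51.100.1/32 exchange-mode=ike2 profile=sophos-p1
/ip ipsec identity add peer=sophos auth-method=pre-shared-key secret="CHANGE-ME"

# Policy (traffic selector). It only grabs packets that routing has already sent
# out somewhere, so a route covering 192.168.1.0/24 must exist. The default route
# via ether1 is enough; there is no need for a dedicated route to the remote LAN.
/ip ipsec policy add peer=sophos tunnel=yes proposal=sophos-p2 \
    src-address=10.50.1.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1

# NAT: the accept (exemption) must come BEFORE the WAN masquerade. If masquerade
# matches first, the source becomes 203.0.113.1, the policy selector no longer
# matches, and the packet goes out in the clear instead of through the tunnel.
# Rules are evaluated top to bottom, so add them in this order (or move the
# accept rule above an existing masquerade with /ip firewall nat move).
/ip firewall nat add chain=srcnat action=accept \
    src-address=10.50.1.0/24 dst-address=192.168.1.0/24 comment="IPsec: exempt from NAT"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 comment="WAN masquerade"

# Filter, chain=input: let IKE, NAT-T and ESP reach the router itself.
# Match on dst-port: the peer's source port is not fixed once NAT-T is in play.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface=ether1 comment="IKE / NAT-T"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    in-interface=ether1 comment="ESP"

# Filter, chain=forward: decrypted LAN-to-LAN traffic is forwarded, not input.
# ipsec-policy=in,ipsec ties the accept to packets that really came out of the
# tunnel, rather than to anything on the WAN merely claiming 192.168.1.0/24.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=192.168.1.0/24 dst-address=10.50.1.0/24 comment="Sophos LAN -> local LAN"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    src-address=10.50.1.0/24 dst-address=192.168.1.0/24 comment="local LAN -> Sophos LAN"

# Checks. Confirm phase 2 is actually up for the policy, and that a route exists
# for the remote subnet (the default route is sufficient).
/ip ipsec policy print detail where dst-address=192.168.1.0/24
/ip ipsec installed-sa print
/ip route print where dst-address=0.0.0.0/0

# Diagnostic from the thread: watch ICMP on the LAN while pinging from the
# Sophos side. A request with no reply points at the host (e.g. a Windows
# firewall scoped to the local subnet), not at the tunnel.
/tool sniffer quick ip-address=192.168.1.0/24 ip-protocol=icmp
```

The forward rules above are the equivalent of the thread's rules 3 and 4 with the ipsec-policy matcher added; the input rules replace rule 2's src-port=4500 match with a dst-port match, which is what actually identifies inbound IKE and NAT-T at the router. The srcnat accept rule is the same as the one posted; the only thing that matters about it is that it sits above the masquerade rule.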
