This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Connect with XG v18

I'm having trouble setting up sophos connect on a fresh install of XGv18. I had it working with v17.5. I get the error IKE UDP port seems blocked, no response from the gateway.

The instructions I've followed are here:

https://community.sophos.com/kb/en-us/133109

Assigned IP range is outside LAN IP range.

From SCVPN.log

2020-03-12 01:01:32PM [14616] dbg SophosVPN VPN state changed to connecting
2020-03-12 01:01:32PM [14616] dbg Starting tunnel (connecting)
2020-03-12 01:01:32PM [14616] dbg Connection to strongSwan has been established
2020-03-12 01:01:34PM [14616] dbg Sending notification: The IKE UDP port seems to be blocked
2020-03-12 01:01:35PM [14616] dbg Initiating connection SophosVPN
2020-03-12 01:01:35PM [12160] dbg IKE being initiated to IP address xxxx
2020-03-12 01:01:57PM [14616] err Tunnel initiate to xxxx failed: 1036 - No response from gateway: xxxx
2020-03-12 01:01:57PM [14616] dbg Unloading configuration for connection SophosVPN
2020-03-12 01:01:58PM [14616] dbg Connection to strongSwan has been closed
2020-03-12 01:01:58PM [14616] dbg SophosVPN VPN state changed to reconnecting
2020-03-12 01:01:58PM [14616] dbg Sending notification: No response from gateway: xxxx

Gatway IP matches the WAN IP.

What have I screwed up?

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 5 years ago

Could you log into the Shell (Advanced shell - 5 - 3) and perform a ' tcpdump -ni any port 500 '

Reconnect and verify, there are coming packets.

If not - something between SC and XG is blocking.
Cancel
Vote Up 0 Vote Down

Cancel

0 PTP over 5 years ago in reply to LuCar Toni

I can see packets arriving:

15:02:26.251895 Port1_ppp, IN: IP 92.40.168.73.53177 > xxx.xxx.xxx.xxx.500: isakm
p: phase 1 I ident                                                              
15:02:26.254225 Port1_ppp, OUT: IP xxx.xxx.xxx.xxx.500 > 92.40.168.73.53177: isak
mp: phase 1 R ident    

Anything else I should check?

Reply

0 PTP over 5 years ago in reply to LuCar Toni

I can see packets arriving:

15:02:26.251895 Port1_ppp, IN: IP 92.40.168.73.53177 > xxx.xxx.xxx.xxx.500: isakm
p: phase 1 I ident                                                              
15:02:26.254225 Port1_ppp, OUT: IP xxx.xxx.xxx.xxx.500 > 92.40.168.73.53177: isak
mp: phase 1 R ident    

Anything else I should check?

Children

0 PTP over 5 years ago in reply to PTP

The issue is appears have been with the iPhone VPN connection. I've got Sophos Connect on a windows 10 machine to connect but it now gives me a remote network IP of 0.0.0.0/0

Looking at this thread Marte Cooksey mentions adding an IP range in Host & Services. It looks like one has been added automatically for the Sophos Connect but it doesn't have an IP range. Is this correct?

https://community.sophos.com/products/xg-firewall/f/sophos-connect/111871/can-t-get-remote-network
Cancel
Vote Up 0 Vote Down

Cancel