This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec Sophos Connect to XG 18.x

Hi,

Have the following situation:
Customer has an XG firewall and uses ipsec vpn client (Sophos Connect 2) to access internal resources. Works perfect.
When he is in the office he wants to do the following:

Connect to wifi for internet access, XG has zone for wifi (dmz) with internet access, no access to internal resources. This works also.
Sometimes he wants to connect to wifi and use vpn for access internal resources (like he does from outside).
So he wants to connect to wifi and then open a ipsec vpn to the firewall and access the internal resources.

When he does this he get an ike udp 500 is blocked error on the client.

In the firewall log i see "Appliance Access Denied, srcip=internal wifi ip, destip= external internet ip, destport=500, protocol=UDP.

For SSLVPN i can enable access to WiFi zone in the "Local service ACL" but not for Ipsec.

How do i enable this? The customer does not want SSLVPN for that.

Any help would be welcome.

Bart

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 4 years ago

Sophos Connect IPsec opens the Port only on the configured Port. You could try to create a DNAT and NAT the traffic from WIFI to your WAN interface. This "might work" (Not sure).

Or you work with a DNS Record, which always points to your WAN interface.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LuCar Toni over 4 years ago

Sophos Connect IPsec opens the Port only on the configured Port. You could try to create a DNAT and NAT the traffic from WIFI to your WAN interface. This "might work" (Not sure).

Or you work with a DNS Record, which always points to your WAN interface.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Bart van der Horst over 4 years ago in reply to LuCar Toni

Hi LuCar Toni,

Tried the NAT option didn't work this is wat i see in the client log:

2020-10-29 08:53:31PM 11[CFG] loaded IKE shared key with id 'HBVDH_VPN-psk-id' for: '%any'
2020-10-29 08:53:31PM 12[CFG] loaded EAP shared key with id 'HBVDH_VPN-user-id' for: 'bart'
2020-10-29 08:53:33PM 14[LIB] TAP-Windows driver version 1.0 available.
2020-10-29 08:53:33PM 79[KNL] interface 8 'Sophos TAP Adapter' changed state from Down to Up
2020-10-29 08:53:35PM 14[CFG] added vici connection: HBVDH_VPN
2020-10-29 08:53:35PM 11[CFG] vici initiate CHILD_SA 'HBVDH_VPN-tunnel-1'
2020-10-29 08:53:35PM 14[IKE] <HBVDH_VPN|84> initiating Main Mode IKE_SA HBVDH_VPN[84] to x.x.x.x
2020-10-29 08:53:35PM 14[ENC] <HBVDH_VPN|84> generating ID_PROT request 0 [ SA V V V V V ]
2020-10-29 08:53:35PM 14[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
2020-10-29 08:53:38PM 08[IKE] <HBVDH_VPN|84> sending retransmit 1 of request message ID 0, seq 1
2020-10-29 08:53:38PM 08[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
2020-10-29 08:53:44PM 14[IKE] <HBVDH_VPN|84> sending retransmit 2 of request message ID 0, seq 1
2020-10-29 08:53:44PM 14[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
2020-10-29 08:53:56PM 06[IKE] <HBVDH_VPN|84> giving up after 2 retransmits
2020-10-29 08:53:56PM 06[IKE] <HBVDH_VPN|84> establishing IKE_SA failed, peer not responding
2020-10-29 08:53:57PM 09[ESP] unsupported IP version
2020-10-29 08:53:57PM 12[CFG] vici terminate IKE_SA 'HBVDH_VPN'
2020-10-29 08:53:57PM 78[KNL] interface 8 'Sophos TAP Adapter' changed state from Up to Down

Don't know if this helps.

0 LuCar Toni over 4 years ago in reply to Bart van der Horst

Try to perform a SNAT in the same DNAT rule. MASQ the traffic via WAN IP.
Cancel
Vote Up 0 Vote Down

Cancel