
IPsec Sophos Connect to XG 18.x

Hi,

I have the following situation:
The customer has an XG firewall and uses the IPsec VPN client (Sophos Connect 2) to access internal resources. Works perfectly.
When he is in the office he wants to do the following:

Connect to WiFi for internet access. The XG has a zone for WiFi (DMZ) with internet access and no access to internal resources. This also works.
Sometimes he wants to connect to WiFi and use the VPN to access internal resources (like he does from outside).
So he wants to connect to WiFi and then open an IPsec VPN to the firewall and access the internal resources.

When he does this he gets an "IKE UDP 500 is blocked" error on the client.

In the firewall log I see "Appliance Access Denied, srcip=internal wifi ip, destip=external internet ip, destport=500, protocol=UDP".

For SSL VPN I can enable access to the WiFi zone in the "Local service ACL", but not for IPsec.

How do I enable this? The customer does not want SSL VPN for that.

Any help would be welcome.

Bart



  • Sophos Connect IPsec opens the port only on the configured port. You could try to create a DNAT and NAT the traffic from WiFi to your WAN interface. This "might work" (not sure).

    Or you work with a DNS Record, which always points to your WAN interface. 

  • Hi LuCar Toni,

    Tried the NAT option, didn't work. This is what I see in the client log:

    2020-10-29 08:53:31PM 11[CFG] loaded IKE shared key with id 'HBVDH_VPN-psk-id' for: '%any'
    2020-10-29 08:53:31PM 12[CFG] loaded EAP shared key with id 'HBVDH_VPN-user-id' for: 'bart'
    2020-10-29 08:53:33PM 14[LIB] TAP-Windows driver version 1.0 available.
    2020-10-29 08:53:33PM 79[KNL] interface 8 'Sophos TAP Adapter' changed state from Down to Up
    2020-10-29 08:53:35PM 14[CFG] added vici connection: HBVDH_VPN
    2020-10-29 08:53:35PM 11[CFG] vici initiate CHILD_SA 'HBVDH_VPN-tunnel-1'
    2020-10-29 08:53:35PM 14[IKE] <HBVDH_VPN|84> initiating Main Mode IKE_SA HBVDH_VPN[84] to x.x.x.x
    2020-10-29 08:53:35PM 14[ENC] <HBVDH_VPN|84> generating ID_PROT request 0 [ SA V V V V V ]
    2020-10-29 08:53:35PM 14[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
    2020-10-29 08:53:38PM 08[IKE] <HBVDH_VPN|84> sending retransmit 1 of request message ID 0, seq 1
    2020-10-29 08:53:38PM 08[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
    2020-10-29 08:53:44PM 14[IKE] <HBVDH_VPN|84> sending retransmit 2 of request message ID 0, seq 1
    2020-10-29 08:53:44PM 14[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
    2020-10-29 08:53:56PM 06[IKE] <HBVDH_VPN|84> giving up after 2 retransmits
    2020-10-29 08:53:56PM 06[IKE] <HBVDH_VPN|84> establishing IKE_SA failed, peer not responding
    2020-10-29 08:53:57PM 09[ESP] unsupported IP version
    2020-10-29 08:53:57PM 12[CFG] vici terminate IKE_SA 'HBVDH_VPN'
    2020-10-29 08:53:57PM 78[KNL] interface 8 'Sophos TAP Adapter' changed state from Up to Down
    
    Don't know if this helps.
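The two logs in this thread together tell the story: the client keeps retransmitting its ID_PROT request to UDP/500 and gives up with "peer not responding", while the firewall records "Appliance Access Denied" for the same destination port. The triage helper below is an added example (not Sophos code, not from the thread); it parses the strongSwan-style client lines quoted above and a firewall line in the key=value shape quoted in the question, and reports whether the silent peer is explained by an appliance-access denial rather than a client problem. The sample lines are constructed from the post, with `x.x.x.x` kept as the placeholder.

```python
import re
from typing import Dict, List

# Constructed sample, shortened from the client log posted in the thread.
CLIENT_LOG = """\
2020-10-29 08:53:35PM 14[IKE] <HBVDH_VPN|84> initiating Main Mode IKE_SA HBVDH_VPN[84] to x.x.x.x
2020-10-29 08:53:35PM 14[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
2020-10-29 08:53:38PM 08[IKE] <HBVDH_VPN|84> sending retransmit 1 of request message ID 0, seq 1
2020-10-29 08:53:38PM 08[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
2020-10-29 08:53:44PM 14[IKE] <HBVDH_VPN|84> sending retransmit 2 of request message ID 0, seq 1
2020-10-29 08:53:44PM 14[NET] <HBVDH_VPN|84> sending packet: from 172.16.24.221[56876] to x.x.x.x[500] (180 bytes)
2020-10-29 08:53:56PM 06[IKE] <HBVDH_VPN|84> giving up after 2 retransmits
2020-10-29 08:53:56PM 06[IKE] <HBVDH_VPN|84> establishing IKE_SA failed, peer not responding
"""

# Constructed firewall-side line, in the key=value form quoted in the question.
FIREWALL_LOG = "Appliance Access Denied, srcip=172.16.24.221, destip=x.x.x.x, destport=500, protocol=UDP"

# "<timestamp> <thread>[<subsystem>] [<conn|id>] <message>" as written by the client.
CLIENT_RE = re.compile(r"^(?P<ts>\S+ \S+) \d+\[(?P<sub>[A-Z]+)\] (?:<[^>]+> )?(?P<msg>.*)$")
SEND_RE = re.compile(r"sending packet: from (?P<src>[\d.]+)\[\d+\] to (?P<dst>[^\[\s]+)\[(?P<port>\d+)\]")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def triage_ike(client_log: str, firewall_log: str) -> Dict[str, object]:
    """Correlate a non-responding IKE initiation with a firewall appliance-access denial."""
    sent: List[str] = []  # one "dst:port" entry per outgoing IKE packet
    retransmits = 0
    peer_silent = False
    for line in client_log.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue  # not a client log line; ignore
        msg = m.group("msg")
        s = SEND_RE.search(msg)
        if s:
            sent.append(f"{s.group('dst')}:{s.group('port')}")
        if msg.startswith("sending retransmit"):
            retransmits += 1
        if "peer not responding" in msg:
            peer_silent = True
    fw = dict(KV_RE.findall(firewall_log)) if "Appliance Access Denied" in firewall_log else {}
    # The denial explains the silence only if it hit the same protocol/port the client retried.
    denied = bool(fw) and fw.get("protocol") == "UDP" and any(
        p.endswith(":" + fw.get("destport", "")) for p in sent)
    return {
        "packets_sent": len(sent),
        "retransmits": retransmits,
        "peer_silent": peer_silent,
        "denied_by_appliance_acl": denied,
        # Silent peer plus a matching denial points at the firewall's service ACL, not the client.
        "verdict": "ike_blocked_by_firewall" if peer_silent and denied else "inconclusive",
    }
```

A verdict of `ike_blocked_by_firewall` means the fix belongs on the XG side (permitting IKE from the client's zone, or the NAT workaround suggested above), and re-tuning the client will not help.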
