Support for IPv6 VPNs | DS-Lite | Unitymedia WAN Connection

Hi all,

Simple question: does the XG support VPN access via SSL or IPsec VPN over IPv6?

Background: We have several users who must use a cable-based WAN connection from Unitymedia or Vodafone in their home office.

The issue is that these carriers use DS-Lite, which breaks the SSL VPN connection. No VPN connection is possible.

As a workaround we could use an IPv6 VPN, if that is possible with the XG. I didn't find any useful information in the documentation.

If there are any other solutions, I'm happy to hear any ideas.

Regards,

Jonny

  • Hi,

    I wonder why outgoing SSL VPN should be a problem on DS-Lite. I know many people who use this. I'm using this scenario as well.

    This would of course not work if the XG Firewall is behind such a DS-Lite WAN connection. It needs a dedicated IP.

    But I can tell there are problems with the Connect client and IPsec from behind a DS-Lite connection.

    Check these threads:

    https://community.sophos.com/xg-firewall/f/discussions/121891/connect-client-funktioniert-bei-manchen-usern-nicht

    https://community.sophos.com/xg-firewall/f/discussions/122398/connect-client-ipsec-vpn-and-heartbeat-issues

    I've lost focus on testing this lately but one day this will be on my task schedule again.

    Hope you find a solution.

  • Thanks for your reply.
    In fact we have several users who are using DS-Lite in their home office. None of them is able to connect via SSL VPN.
    If they switch to a hotspot from their smartphone, the SSL VPN works without any issues. So it's not a configuration issue.
    There are different routers in use, like the Fritzbox 7490 or the Vodafone Station, so I would rule out it being router related. Users with a Telekom DSL connection have no issues at all, stable and fast.

    Our XG is behind an LWL gateway from Telekom, with a public IP etc.

    Are you sure that you are using DS-Lite and not Dual Stack with IPv4 and IPv6? Could you share your SSL VPN configuration with me?

    I'm using Port 443 UDP for SSL VPN. 

  • My home connection is a DS-Lite Vodafone connection with a Vodafone Station, and Sophos Connect (SSL VPN) works fine for me.

    You should check with the OpenVPN Community to find some workarounds for this problem, if you have issues. 

    There are several threads in the OpenVPN and in the Unitymedia/Vodafone community. Simply search for OpenVPN, as Sophos Connect uses the OpenVPN backend.

  • Thanks for the info.
    I actually don't want to ask in other forums if we use an XG and this is the Sophos support forum. Besides that, I already searched for this issue on many sites. But let us be honest, the Unitymedia or any other carrier forum is not that helpful. I'm looking for a technically appropriate answer from experts and not from some dudes who just click the connect button. Other XG customers like LHerzog are also looking for solutions, so I think it's the best place to ask here? At the OpenVPN forum they suggest an IPv6 VPN.

    From my description above you should have noticed that the behaviour is kind of strange, isn't it? I have two other colleagues who were not able to connect; they switched to a business contract with IPv4 at Vodafone and after that the VPN is fine. So it seems like it's related to the WAN connection itself and not to the configuration or router.

    If your VPN is working fine, could you please share your SSL VPN configuration? I'm wondering what the issue could be. It's no help for me if you say "I'm cool with my VPN" and don't answer a single question from me.

    Besides that, does the XG support IPv6 to avoid the DS-Lite issues?

  • Hello Jonnie,

    Thank you for contacting the Sophos Community!

    Yes, SSL VPN and Sophos Connect using SSL VPN with IPv6 are supported.

    Regards,

  • Basically you need to begin the debugging with packet captures at both ends. As my connection works fine, I still suspect some issues with those Connect boxes of the ISP, but I never could reproduce this.

    If you do a tcpdump on the XG and dump the same connection on the endpoint, you should be able to figure out what could possibly go wrong.

    I assume there is an issue with the general experience. See: https://www.borncity.com/blog/2020/03/27/breitband-anschluss-und-kein-vpn-im-home-office/

  • Yes, I already read this article and also the comments, but there are so many different solutions which may help. I can't do this kind of extensive troubleshooting with every one of my "cable" users. I need one simple solution for all of them. So I was thinking of an IPv6 VPN.

    As you already mentioned, these kinds of issues are nuts, because it seems like there is no single root cause. You are using the same router and carrier, also DS-Lite, and there are no issues. We are using the "same" setup, but it fails, though the configuration and client work fine with an LTE hotspot.

    I will try to dump a connection and check it. Do you use UDP or TCP for your SSL VPN?

  • Hey 

    Thanks for your reply. Maybe IPv6 will help me out with this mess. Some questions about the use of IPv6 SSL VPN:

    • For testing purposes, do I need to override the hostname in the XG SSL VPN config with the public IPv6 address, or is it sufficient to change the address in my .ovpn file?
    • Do I need some further changes in the .ovpn file? I already checked example configs for IPv6 from the OpenVPN forum, and some other parameters were used there.
    • If I use the Sophos Connect Client 2.0, which obtains its configuration from the user portal, how can I ensure that the client is using IPv6 instead of IPv4? Using a host AAAA entry?
    • Is there a chance to get a failover function, so that if an IPv4 connection fails to connect, IPv6 is used instead?
    • Does the client lease mode correlate with the use of a public IPv6? In other words, can I use IPv4 for the client IP but IPv6 for the connection through the internet?

    Thanks for your support!

  • I can use basically every different kind of connection with no problem. So I tried nearly everything on the XG end in the last month, and could connect. Same for colleagues.

  • Hi,

    This setting is working for all our users. Lots of Unitymedia/Vodafone cable users in BW, though.

    Maybe this is somehow related to the UDP 443 you have set up, but I would wonder why this should make the difference. We're using TCP 443; I wonder what LuCar Toni is using in his settings.

    My personal router is a FB 6940 Cable (non-ISP device) which is using DS-Lite, not dual stack.

    ssl_vpn_config.ovpn:

    ip-win32 dynamic
    client
    dev tun
    proto tcp
    verify-x509-name "C=DE, .......... CN=*.xxxxxxx.de"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    <ca>
    Bag Attributes
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    </key>
    auth-user-pass
    cipher AES-256-CBC
    auth SHA256
    comp-lzo no
    route-delay 4
    verb 3
    reneg-sec 0
    remote xxxxxxx.xxxxxxx.de 443
    

    I would suggest you post the client and XG logs of one failing connection here.
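As an added example (not any poster's configuration), here is the posted ssl_vpn_config.ovpn with only its transport lines changed so that the client tries the XG over IPv6 first and falls back to IPv4, which is what the IPv6 questions above are asking for. It assumes a placeholder gateway hostname with both AAAA and A records, that the XG-issued profile and Sophos Connect accept OpenVPN 2.4+ per-remote protocol selectors, and placeholder certificate blocks.

```conf
# Added example, not any poster's configuration: the posted profile with the
# transport changed to IPv6-first with IPv4 fallback. Hostname is a placeholder
# and must resolve to both an AAAA and an A record.
client
dev tun
ip-win32 dynamic
# One remote line per address family, tried in order. tcp6-client / tcp4-client
# are the OpenVPN 2.4+ per-remote protocol selectors (assumption: the XG-issued
# profile and the Sophos Connect client version in use accept them). If the
# IPv6 TCP handshake fails, OpenVPN moves on to the IPv4 line.
remote vpn-gw.example.invalid 443 tcp6-client
remote vpn-gw.example.invalid 443 tcp4-client
# Do not wait the default 120 s on a dead address family before falling back.
server-poll-timeout 10
connect-retry 2
# Placeholder DN; match it to the certificate the XG actually presents.
verify-x509-name "C=DE, O=Example, CN=vpn-gw.example.invalid"
resolv-retry infinite
nobind
persist-key
persist-tun
# The posted "route remote_host 255.255.255.255 net_gateway" line is IPv4-only
# and is left out: if the XG pushes redirect-gateway, OpenVPN installs the host
# route to the gateway address it actually connected to by itself; with split
# tunnelling the line is not needed at all.
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
auth-user-pass
cipher AES-256-CBC
auth SHA256
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
```

Running the client with verb 3, as in the posted profile, shows which remote line it ended up on, so a DS-Lite user can confirm the tunnel is carried over IPv6 rather than the CGNAT IPv4 path.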