Support for IPv6 VPNs | DS-Lite | Unitymedia WAN Connection

Hey together, 

Simple question: Does the XG support VPN access with SSL or IPsec VPN and IPv6?

Background: We have several users who must use a WAN connection from Unitymedia or Vodafone (cable based) in their home office.

The issue is that these carriers are using DS-Lite, which is breaking the SSL VPN connection. No VPN connection is possible.

As a workaround we could use IPv6 VPN, if it is possible with the XG. I didn't find any useful information regarding the documentation.

If there are any other solutions, I'm happy for any ideas.

Regards,

Jonny



  • Hi,

    I wonder why SSL VPN outgoing should be a problem on DS Lite. I know many people who use this. I'm using this scenario as well.

    This would of course not work if the XG Firewall is behind such a DS-Lite WAN connection. It needs a dedicated IP.

    But I can tell there are problems with the connect client and IPSec from behind a DS-Lite connection.

    Check these threads:

    https://community.sophos.com/xg-firewall/f/discussions/121891/connect-client-funktioniert-bei-manchen-usern-nicht

    https://community.sophos.com/xg-firewall/f/discussions/122398/connect-client-ipsec-vpn-and-heartbeat-issues

    I've lost focus on testing this lately but one day this will be on my task schedule again.

    Hope you find a solution.

  • Thanks for your reply.
    In fact we have several users who are using DS-Lite in their home office. None of them is able to connect via SSL VPN.
    If they switch to a hotspot from their smartphone, the SSL VPN will work without any issues. So it's not a configuration issue.
    There are different routers in use, like Fritzbox 7490 or Vodafone Station, so I would exclude that it's router related. Users with a Telekom DSL connection are without any issues, stable and fast.

    Our XG is behind an LWL-Gateway from Telekom. Public IP etc. 

    Are you sure that you are using DS-Lite and not maybe Dual Stack with IPv4 and IPv6? Could you share your SSL VPN configuration with me?

    I'm using Port 443 UDP for SSL VPN. 

  • My home connection is a DS-Lite Vodafone connection with a Vodafone station and Sophos Connect (SSLVPN) works fine for me.

    You should check with the OpenVPN Community to find some workarounds for this problem, if you have issues. 

    There are several threads in the OpenVPN community and in the Unitymedia/Vodafone community. Simply watch out for OpenVPN, as Sophos Connect uses the OpenVPN backend.

    __________________________________________________________________________________________________________________

  • Thanks for the info.
    I actually don't want to ask in other forums if we use an XG and this is the Sophos Support Forum? Besides that, I already searched for this issue on many sites. But let us be honest, the Unitymedia or any other carrier forum is not that helpful. I'm looking for a technically appropriate answer from experts and not from some dudes who just click the connect button. Other XG customers like LHerzog are also looking for solutions, so I think it's the best place to ask here? At the OpenVPN Forum they suggest IPv6 VPN.

    From my description above you should have noticed that the behaviour is kinda strange, or isn't it? I have two other colleagues who were not able to connect; they switched to a business contract with IPv4 at Vodafone and after that the VPN is fine. So it seems like it's related to the WAN connection itself and not to the configuration or router.

    If your VPN is working fine, could you please share your SSL VPN configuration? I'm wondering what could be the issue. It's no help for me if you say "I'm cool with my VPN" and don't answer a single question from me.


    Besides that, does the XG support IPv6 to avoid DS-Lite issues?

  • Basically you need to begin the debugging with packet captures of both ends. As my connection works fine, I am still expecting some issues with those Connect boxes of the ISP, but never could reproduce this.

    If you do a tcpdump on the XG and dump the same connection on the endpoint, you should be able to figure out what could possibly go wrong.

    I assume there is an issue with the general experience. See: https://www.borncity.com/blog/2020/03/27/breitband-anschluss-und-kein-vpn-im-home-office/

    __________________________________________________________________________________________________________________
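The two-sided capture suggested in the post above can be compared mechanically. The following is an added example, not part of any poster's reply and not Sophos code: it takes the text output of `tcpdump -n udp port 443` from the endpoint and from the XG (port 443/UDP as stated earlier in the thread) and reports which client datagrams never reached the firewall. The sample captures, addresses and function names are constructed for illustration and do not represent findings from this thread.

```python
import re
from collections import Counter

# Matches `tcpdump -n` text lines for UDP, e.g.
# "12:00:01.100000 IP 192.168.178.20.51820 > 203.0.113.10.443: UDP, length 86"
LINE = re.compile(r"IP6? (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")

# Constructed sample: capture taken on the home-office endpoint.
ENDPOINT_CAPTURE = """\
12:00:01.100000 IP 192.168.178.20.51820 > 203.0.113.10.443: UDP, length 86
12:00:01.140000 IP 203.0.113.10.443 > 192.168.178.20.51820: UDP, length 94
12:00:01.200000 IP 192.168.178.20.51820 > 203.0.113.10.443: UDP, length 1250
12:00:02.200000 IP 192.168.178.20.51820 > 203.0.113.10.443: UDP, length 1250
12:00:03.000000 IP 192.168.178.20.51820 > 203.0.113.10.443: UDP, length 86
"""

# Constructed sample: same session captured on the firewall's WAN side.
# The source address and port differ because the carrier's NAT rewrote them.
FIREWALL_CAPTURE = """\
12:00:01.120000 IP 198.51.100.7.40211 > 203.0.113.10.443: UDP, length 86
12:00:01.121000 IP 203.0.113.10.443 > 198.51.100.7.40211: UDP, length 94
12:00:03.020000 IP 198.51.100.7.40211 > 203.0.113.10.443: UDP, length 86
"""

def to_server_lengths(capture: str, server_port: int = 443) -> list[int]:
    """UDP payload lengths of datagrams addressed to the VPN port."""
    lengths = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and int(m.group(4)) == server_port:
            lengths.append(int(m.group(5)))
    return lengths

def missing_at_firewall(endpoint: str, firewall: str,
                        server_port: int = 443) -> dict[int, int]:
    """Map payload length -> number of datagrams sent but never received.

    Addresses are ignored on purpose: behind DS-Lite the source address and
    port change in transit, so only size and count are comparable.
    """
    sent = Counter(to_server_lengths(endpoint, server_port))
    seen = Counter(to_server_lengths(firewall, server_port))
    return dict(sorted((sent - seen).items()))

if __name__ == "__main__":
    for length, count in missing_at_firewall(ENDPOINT_CAPTURE, FIREWALL_CAPTURE).items():
        print(f"{count} datagram(s) of {length} bytes left the endpoint but never reached the XG")
```

An empty result means every client-to-firewall datagram arrived, in which case the return direction is the next thing to compare.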

  • Yes, I already read this article and also the comments, but there are so many different solutions which may help. I can't do this kind of extensive troubleshooting with every one of my "cable" users. I need one simple solution for all of them. So I was thinking of an IPv6 VPN.

    As you already mentioned, these kinds of issues are nuts, because it seems like there is no single root cause. You are using the same router and carrier, also DS-Lite, and there are no issues. We are using the "same" setup, but it fails, though the configuration and client are working fine with an LTE hotspot.

    I will try to dump a connection and check it. Do you use UDP or TCP for your SSL VPN?

  • I can use basically every different kind of connection with no problem. So I tried in the last month nearly everything on the XG end, and could connect. Same for colleagues.

    __________________________________________________________________________________________________________________