
IPSec remote access with xg firewall

Hi,

I want to configure IPsec remote access on an XG Firewall VM v18.0.4 that I am currently using as an SMTP gateway for our mail server. I configured IPsec to use the same public address, and when I try to connect to the firewall using the Sophos Connect client I get the error PORT UDP IKE IS BLOCKED.

My firewall rules are as follows:

1. A firewall rule to allow connections to our mail server:

   source zone: WAN, source networks: ANY

   destination zone: LAN, destination networks: public address

   services: IMAP, IMAPS, HTTP, HTTPS, SMTP, SMTPS

2. A NAT rule for the rule above to forward it to the mail server's private address.

3. A rule to permit traffic to the internet from our mail server.

I am thinking that the firewall is sending my VPN connection request to the private IP address, and that is why it is telling me UDP PORT IKE IS BLOCKED. Or maybe I just cannot use the same public IP address for both DNATing our mail server and IPsec VPN remote access.

Thanks for helping.



Hello Youcef,

Thank you for contacting the Sophos Community.

For the Sophos Connect client to be able to connect to your firewall, ports 500 / 4500 must be open where you're connecting from.

You can use DNAT as long as the service isn't set to ANY, as that will forward all of your traffic down to a specific server.

https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/troubleshooting/UDP.html

I would recommend that you run a tcpdump on the XG to see whether traffic arrives at the XG when you try to connect:

# tcpdump -eni any port 500 or port 4500

Then try to connect and see whether you see traffic arriving at the XG.

Check scvpn.log (it can be found in the Sophos Connect install folder on Windows and in /var/log on Mac). Make sure the gateway hostname or IP is correct.

Regards,
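Added example (not from the thread and not Sophos code): a small Python model of the point made in the reply above, that a DNAT rule whose service is ANY also captures the UDP 500/4500 packets the firewall's own IPsec responder needs, while a DNAT restricted to the mail services leaves them to the firewall. The addresses, the first-match rule order, and the service-to-port mapping are assumptions made for the walk-through.

```python
from __future__ import annotations
from dataclasses import dataclass

# Standard ports for the services named in the poster's firewall rule
# (IANA assignments; the XG service objects are assumed to map this way).
SERVICES = {
    "SMTP": ("tcp", 25),
    "SMTPS": ("tcp", 465),
    "IMAP": ("tcp", 143),
    "IMAPS": ("tcp", 993),
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
}
MAIL_SERVICES = frozenset(SERVICES)
ANY = "ANY"                      # the XG "ANY" service selection

IKE = ("udp", 500)               # IKE
NAT_T = ("udp", 4500)            # IKE and ESP over NAT-T

# Constructed addresses for the walk-through (not from the thread).
PUBLIC_IP = "203.0.113.10"       # XG WAN address shared by the DNAT and IPsec
MAIL_SERVER = "192.168.10.25"    # private address of the mail server
CLIENT_IP = "198.51.100.7"       # roaming Sophos Connect user


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    original_dst: str
    translated_dst: str
    services: frozenset[str] | str   # set of service names, or ANY

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.original_dst:
            return False
        if self.services == ANY:
            return True
        return (pkt.proto, pkt.dport) in {SERVICES[s] for s in self.services}


def route_inbound(pkt: Packet, dnat_rules: list[DnatRule]) -> str:
    """Where an inbound WAN packet ends up.

    DNAT is modelled as first match and is applied before local delivery
    (an assumption of this model). A packet to the firewall's own address
    that no DNAT rule claims is handled by the firewall itself, and for
    UDP 500/4500 that means its IPsec responder.
    """
    for rule in dnat_rules:
        if rule.matches(pkt):
            return f"dnat:{rule.translated_dst}"
    if pkt.dst == PUBLIC_IP and (pkt.proto, pkt.dport) in (IKE, NAT_T):
        return "local:ipsec"
    return "local:other"


def scenario(services: frozenset[str] | str) -> dict[str, str]:
    """Send the three packets that matter through a single DNAT rule."""
    rule = DnatRule(PUBLIC_IP, MAIL_SERVER, services)
    probes = {
        "ike": Packet(CLIENT_IP, PUBLIC_IP, *IKE),
        "natt": Packet(CLIENT_IP, PUBLIC_IP, *NAT_T),
        "smtp": Packet(CLIENT_IP, PUBLIC_IP, *SERVICES["SMTP"]),
    }
    return {name: route_inbound(pkt, [rule]) for name, pkt in probes.items()}


if __name__ == "__main__":
    for label, services in (("mail services only", MAIL_SERVICES), ("ANY", ANY)):
        print(f"DNAT service = {label}")
        for name, outcome in scenario(services).items():
            print(f"  {name:5s} -> {outcome}")
```

With the service list restricted as in the poster's rule, the IKE and NAT-T probes end at the firewall's IPsec responder and only SMTP is forwarded; with ANY, all three are forwarded to the mail server and the firewall never sees an IKE request, which is the symptom the reply warns about. The tcpdump in the reply answers a separate question, whether the packets reach the XG at all, so it is still worth running before changing any rule.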
