IPSec remote access with xg firewall

Question

Hi, 
 
 I want to configure IPSec remote access on a XG FIREWALL VM v18.0.4 that i am currently using as a smtp gateway for our mail server. I configured IPSec to use the same public address and when i try to connect to the firewall using the sophos connect client a get the error PORT UDP IKE IS BLOCKED. 
 my firewall rules are as follow : 
 1. A firewall rule to allow connection to our mail server : 
 source zone : WAN source networks : ANY 
 destination : LAN destination networks : public address 
 services : IMAP IMAPS HTTP HTTPS SMTP SMTPS 
 2. A NAT rule for the rule above to forward it to the mal server private address. 
 3. a rule to permit traffic to internet from our mail server. 
 for me i am thinking that the firewall is sending my vpn connection request to the private ip address thats why is telling me UDP PORT IKE IS BLOCKED. or i just cannot use the same publich ip address for both DNATing our mail server and IPSec vpn remote access. 
 
 THANKS FOR HELPING.

emmosophos · Accepted Answer

Hello Youcef, 
 Thank you for contacting the Sophos Community. 
 For Sophos Connect Client to be able to connect to your Firewall, Port 500 / 4500 must be open where you&rsquo;re connecting from. 
 You can use DNAT as long as the service isn&rsquo;t set to ANY as this will forward all of your traffic down to a specific server. 
 https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/troubleshooting/UDP.html 
 I would recommend you to do a tcpdump on the XG to see if you are seeing traffic arriving to the XG when you are trying to connect 
 #tcpdump -eni any port 500 or port 4500 
 Then try to connect, and see if you see traffic arriving to the XG 
 Check scvpn.log (can be found in the Sophos Connect install folder on windows and /var/log on Mac). Make sure the gateway hostname or IP is correct. 
 Regards,

IPSec remote access with xg firewall

Top Replies