Sophos Connect IPSEC tunnel fails with MR5 unless Use as default gateway is set in Advanced settings

Hi,

This is possibly an MR4+ issue but we encountered this after upgrading to MR5.

We built our IPSEC config pre MR4, before the new Advanced settings area was exposed in the GUI.

We have two different Split Tunnel configurations deployed to clients.

We needed to add a user to the Allowed users and groups and you can't do it in the GUI (from the VPN area) unless the Advanced settings area is configured.

We set it up as our standard Split Tunnel config and saved.

Now our second IPSEC configured clients can't connect, with an Invalid Phase 2 ID proposal message.

After much stuffing around and spotting a clue in the MR4 release notes, we figured out we had to have the Use as default gateway turned on in the GUI and then all the clients could connect.

Can anyone explain this behaviour and if this is a bug or a poor design decision?

If you want to have multiple different configurations, this is bad.

Thanks

Damien



  • XG firewall supports only one profile as of today, if you go down the road with the XG config with split tunneling.

    It's not like SSLVPN, which supports different profiles per Client.

    As IPsec only can have one profile, it will only have the option to push one profile to the client and allow only one set of networks to connect. 

    Did this config work with MR4 and stop working with MR5? 

  • Pre MR5, everything was working just fine. I had not configured the Advanced settings as it didn't exist prior to MR4. Multiple different split profiles connect fine.

    As I had to configure the Advanced settings area in MR5 (let's call it the default profile) just to save the screen, things stopped working.

    I can configure the default profile on the XG to tunnel everything (use as default gateway) and then my individual split profiles still work as they should.

    This seems like an artificial limitation so you can have functionality in version 2.1 of the client to push profile updates.

    Is it on the official roadmap to properly support multiple IPSEC profiles?

    You've either taken a step backwards or closed a function you didn't realise people were using.
    The existence of the Sophos Connect Admin tool seems to imply you were allowing different profiles.

    I don't see any specific reference in the documentation saying only a single profile is supported.
