Remote access: IPsec & L2TP remote access together on same WAN interface IP?

Hi guys,

Is this possible? We are currently merging from another L2TP solution to Sophos XG remote access, but the performance of the SSL VPN / IPsec remote access is really poor compared to the old L2TP-IPsec solution.

The following settings are in use with the latest Sophos Connect Client:

  • SSL VPN with TCP enabled: The slowest solution
  • IPsec remote access with PSK: Faster than SSL VPN but still slower than the "old" solution.

For normal users like me both solutions are sufficient, but we have HO users who are working heavily with 2D & 3D CAD. The old L2TP-IPsec solution was much faster when opening hundreds or thousands of small files when using CAD (incl. profiles, addons, and so on).

So I thought I'd give L2TP-IPsec on the XG a try. But I can't get it to work. The Win10 clients do not connect and I do not see anything in the firewall logs. For the testing I'm using the "DefaultRemoteAccess" IPsec policy. Would both solutions work on the same WAN address?

Thanks,



This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    It should be possible to run both IPsec and L2TP at the same time.

    The logs for L2TP, as the tunnel first has to form, would be under charon.log.

    Also try doing a tcpdump for the Public IP of the connecting machine from the Advanced Shell of the XG, to see if you see traffic arriving at it.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Well I have made a little progress.

    IPsec and L2TP are running on the same interface and I'm able to make a connection with local users (created on the XG). I also found this KB: https://support.sophos.com/support/s/article/KB-000038160?language=en_US

    But I cannot authenticate with AD users. The error message says: "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server"

    The error code on the local machine is event id 691.

    ---


    My settings (for the test):

    XG console> set vpn l2tp authentication ANY

    PC: L2TP profile, tab "security":

    Data encryption: Optional

    Allow these protocols: PAP, CHAP & MS-CHAP activated

    --

    The L2TP-log:

    console> show vpn L2TP-logs
    xl2tpd[8587]: "auth"
    xl2tpd[8587]: "name"
    xl2tpd[8587]: "cyberoamserver"
    xl2tpd[8587]: "debug"
    xl2tpd[8587]: "file"
    xl2tpd[8587]: "/cfs/options.l2tpd"
    xl2tpd[8587]: Call established with 93.212.211.222, PID: 564, Local: 8186, Remote: 1, Serial: 0
    xl2tpd[8587]: control_finish: Connection closed to 93.212.211.222, serial 0 ()
    xl2tpd[8587]: Terminating pppd: sending TERM signal to pid 564
    xl2tpd[8587]: control_finish: Connection closed to 93.212.211.222, port 1701 (), Local: 36052, Remote: 12
    xl2tpd[8587]: Connection established to 93.212.211.222, 1701. Local: 11780, Remote: 13 (ref=0/0). LNS session is 'default'
    xl2tpd[8587]: check_control: Received out of order control packet on tunnel 13 (got 3, expected 2)
    xl2tpd[8587]: handle_packet: bad control packet!
    xl2tpd[8587]: start_pppd: I'm running:
    xl2tpd[8587]: "/bin/pppd"
    xl2tpd[8587]: "/dev/pts/2"
    xl2tpd[8587]: "ipparam"
    xl2tpd[8587]: "l2tp#93.212.211.222"
    xl2tpd[8587]: "passive"
    xl2tpd[8587]: "nodetach"
    xl2tpd[8587]: "Public IP:0.0.0.0"
    xl2tpd[8587]: "auth"
    xl2tpd[8587]: "name"
    xl2tpd[8587]: "cyberoamserver"
    xl2tpd[8587]: "debug"
    xl2tpd[8587]: "file"
    xl2tpd[8587]: "/cfs/options.l2tpd"
    xl2tpd[8587]: Call established with 93.212.211.222, PID: 3035, Local: 34445, Remote: 1, Serial: 0
    xl2tpd[8587]: control_finish: Connection closed to 93.212.211.222, serial 0 ()
    xl2tpd[8587]: Terminating pppd: sending TERM signal to pid 3035
    xl2tpd[8587]: control_finish: Connection closed to 93.212.211.222, port 1701 (), Local: 11780, Remote: 13

    --

    What am I missing?

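A small triage script for xl2tpd output of the kind shown in the post above, added here as an example; it is not part of the thread and not a Sophos tool. It tracks, per connecting peer, whether the L2TP tunnel formed, whether pppd was spawned, and whether that pppd was torn down again, so the admin can tell an IPsec/L2TP-layer failure from a PPP-authentication-stage failure. The sample log and the peer IP 203.0.113.10 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the xl2tpd lines in the post above (placeholder peer IP).
SAMPLE_LOG = """\
xl2tpd[8587]: Connection established to 203.0.113.10, 1701. Local: 11780, Remote: 13 (ref=0/0). LNS session is 'default'
xl2tpd[8587]: check_control: Received out of order control packet on tunnel 13 (got 3, expected 2)
xl2tpd[8587]: handle_packet: bad control packet!
xl2tpd[8587]: start_pppd: I'm running:
xl2tpd[8587]: "/bin/pppd"
xl2tpd[8587]: Call established with 203.0.113.10, PID: 3035, Local: 34445, Remote: 1, Serial: 0
xl2tpd[8587]: control_finish: Connection closed to 203.0.113.10, serial 0 ()
xl2tpd[8587]: Terminating pppd: sending TERM signal to pid 3035
xl2tpd[8587]: control_finish: Connection closed to 203.0.113.10, port 1701 (), Local: 11780, Remote: 13
"""

# Patterns for the four xl2tpd events the triage needs (tunnel id and pppd pid tie events to a peer).
TUNNEL_RE = re.compile(r"Connection established to (\S+), 1701\. Local: \d+, Remote: (\d+)")
OOO_RE = re.compile(r"out of order control packet on tunnel (\d+)")
CALL_RE = re.compile(r"Call established with (\S+), PID: (\d+)")
TERM_RE = re.compile(r"Terminating pppd: sending TERM signal to pid (\d+)")


def triage(log_text):
    """Per peer: did the L2TP tunnel form, was pppd spawned, and was it torn down again?"""
    peers = defaultdict(lambda: {"tunnels": 0, "out_of_order": 0, "pppd_started": 0, "pppd_terminated": 0})
    tunnel_to_peer, pid_to_peer = {}, {}
    for line in log_text.splitlines():
        if m := TUNNEL_RE.search(line):
            peers[m[1]]["tunnels"] += 1
            tunnel_to_peer[m[2]] = m[1]           # remember which peer owns this tunnel id
        elif m := OOO_RE.search(line):
            peers[tunnel_to_peer.get(m[1], "unknown")]["out_of_order"] += 1
        elif m := CALL_RE.search(line):
            peers[m[1]]["pppd_started"] += 1
            pid_to_peer[m[2]] = m[1]              # remember which peer this pppd serves
        elif m := TERM_RE.search(line):
            peers[pid_to_peer.get(m[1], "unknown")]["pppd_terminated"] += 1
    return dict(peers)


def verdict(state):
    """Name the layer that failed; this deliberately stops short of guessing a root cause."""
    if state["tunnels"] == 0:
        return "no L2TP tunnel formed: check the IPsec phase in charon.log and UDP/1701 reachability"
    if state["pppd_started"] and state["pppd_terminated"] >= state["pppd_started"]:
        return "tunnel formed but every pppd session was torn down: PPP authentication stage failed"
    return "tunnel and PPP session established"
```

For the log in the post, the verdict lands on the PPP stage, which matches the client-side event ID 691 and points at the authentication protocol settings rather than at IPsec.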
