Remote access VPN IPsec - Gateway/Address in Provisioning file

Hello,

I had a look at the IPsec VPN for remote access in Sophos Firewall OS v19, and there is a value in the exported provisioning file that I can't work out where the NGFW gets from.

The value is "gateway" or "address" depending on the configuration type (.scx or .tgb).

I have searched the forum and read the documentation and can't find any information on how this value is applied in the configuration.

When creating the IPsec VPN you only choose the interface for the endpoint of the connection (for me the WAN link/uplink interface), but in the configuration file it adds an FQDN/DNS entry, and for me it is adding an incorrect value (DNS/FQDN entry). Where does the NGFW get this value from, and how can you change it?

It feels like the documentation needs to be better here. None of this (that I'm asking about) is explained in the documentation.

However, when exporting the configuration to .tar.gz or downloading the profile from the User Portal to e.g. an iOS device, it downloads the profile/configuration with the mystery DNS entry/FQDN in it, and I cannot seem to override this on the NGFW.

The configuration you download (.scx) and send to the users can be changed manually for the "gateway" value, but this does not work for the configuration you download for an iOS device.

My theory is that it takes this value from a DNS entry, for example the first DynDNS value (if you have one configured on the firewall). Is that correct, and how can you influence it so that the correct DNS value is applied instead?

Best Regards,



This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    The documentation currently states that the Gateway value would be the FQDN or IPv4 address of the Sophos Firewall that provisions the connection. So in this case, if you have Dynamic DNS, that will take precedence over the public IP of the XG; if you don't have any DynDNS, then the value in the provisioning file will be the public IP of the XG. So your theory is correct.

    Can you clarify the last question? I was not able to understand what you mean by "how can you affect so instead correct DNS-Value is applied".

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
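As an added example that is not part of this thread and not Sophos code, the Python below models the precedence rule quoted in the reply above (first configured DynDNS hostname, otherwise the firewall's public IPv4), performs the hand edit of the "gateway" value that the original post says is possible in a .scx file, and then checks that whatever gateway the file ends up with actually resolves to the firewall's WAN address before the file is handed to users. The .scx layout (JSON with a top-level "gateway" key), the hostnames, the addresses and the offline resolver table are all constructed assumptions for the example; in production the `resolve` argument would be `socket.gethostbyname`.

```python
"""Added example; not from the Sophos thread or Sophos product code.

Assumptions (not confirmed by the thread): a .scx provisioning file is JSON
with a top-level "gateway" key; the precedence rule is the one quoted from
the documentation: first configured DynDNS hostname, else the public IPv4.
"""
import ipaddress
import json
from typing import Callable

# Constructed sample .scx content. The thread only confirms the key name
# "gateway"; the rest of the layout is assumed for illustration.
SAMPLE_SCX = json.dumps(
    {
        "display_name": "Corp VPN",
        "gateway": "fw-dyn.example.net",  # first DynDNS hostname, as the firewall would emit
        "user_portal_port": 443,
    },
    indent=2,
)

# Constructed resolver table standing in for DNS so the example runs offline.
_FAKE_DNS = {
    "fw-dyn.example.net": "203.0.113.10",  # DynDNS name that tracks the WAN address
    "vpn.example.com": "203.0.113.10",     # the subdomain the admin actually wants
    "stale.example.net": "198.51.100.7",   # a name that no longer points at the firewall
}


def constructed_resolver(name: str) -> str:
    """Offline stand-in for socket.gethostbyname; fails with an OSError like gaierror."""
    if name not in _FAKE_DNS:
        raise OSError(f"name resolution failed for {name!r}")
    return _FAKE_DNS[name]


def provisioned_gateway(dyndns_hostnames: list[str], public_ip: str) -> str:
    """Precedence the reply quotes: a configured DynDNS hostname wins over the public IP."""
    return dyndns_hostnames[0] if dyndns_hostnames else public_ip


def gateway_of(scx_text: str) -> str:
    """Read the gateway value from an .scx-style JSON document."""
    return json.loads(scx_text)["gateway"]


def override_gateway(scx_text: str, new_gateway: str) -> str:
    """Equivalent of the hand edit: replace the gateway value and re-serialise the file."""
    doc = json.loads(scx_text)
    doc["gateway"] = new_gateway
    return json.dumps(doc, indent=2)


def check_gateway(scx_text: str, wan_ip: str,
                  resolve: Callable[[str], str] = constructed_resolver) -> tuple[bool, str]:
    """Does the gateway in the file point at the firewall's real WAN address?

    An IP literal is compared directly; a hostname is resolved first. A name that
    resolves elsewhere, or not at all, means clients will dial the wrong endpoint.
    """
    gw = gateway_of(scx_text)
    try:
        target = str(ipaddress.ip_address(gw))
    except ValueError:  # not an address literal, so treat it as a hostname
        try:
            target = resolve(gw)
        except OSError as exc:
            return False, f"{gw!r} does not resolve: {exc}"
    if target == wan_ip:
        return True, f"{gw!r} -> {target}: matches the WAN address"
    return False, f"{gw!r} -> {target}: WAN address is {wan_ip}"


if __name__ == "__main__":
    wan = "203.0.113.10"
    print("firewall would emit:", provisioned_gateway(["fw-dyn.example.net"], wan))
    print(check_gateway(SAMPLE_SCX, wan)[1])
    fixed = override_gateway(SAMPLE_SCX, "vpn.example.com")
    print(check_gateway(fixed, wan)[1])
    print(check_gateway(override_gateway(SAMPLE_SCX, "stale.example.net"), wan)[1])
```

The check is the part worth keeping: because the firewall fills the value in itself, verifying that the distributed gateway name resolves to the WAN address catches the case the original post describes, where the name the firewall picked is not the one users should dial. The example covers the .scx file only; the post reports that the iOS profile cannot be edited the same way.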
  • Thanks for the reply, and sorry for my lack of clarity in the question. For this setup there are multiple DNS values, and the value the firewall chooses is the first dynamic name in the list (or the last one added) related to the public IP.

    This may be an unusual configuration, but is it possible to create a static DNS value in the firewall that takes precedence over the dynamic one/ones?

    The dynamic DNS value is related to the public address and is valuable for the firewall, but for other purposes. I mean that a different DNS value (a subdomain) should instead be used for the IPsec VPN in this example, and therefore it's important for me to change this.

    Another point of view on this could also be that multiple DNS values are used for a firewall. For example, there may be a primary DNS name that is connected to a DynDNS service that the firewall does not support (where care is taken to update the public address another way). At the same time, there may be a secondary DNS name that is connected to a DynDNS service that the firewall supports, but it will then become primary instead of secondary (from the point of view of the firewall, and in relation to the public IP). That's why I ask in my example: can you create a static pointer (a DNS A record) in the firewall to the public IP address so that this value takes precedence over the dynamic one/ones?

    Regards,