Establishing a IPSec Connection with Sophos Connect behind ISP Router

Question

Hey everyone :-) 
 I am trying to establish a remote client IPSec ( or SSLVPN I don't care) connection for users behind an ISP Router. or in other words Internet (Public Adress ) ISP Router (internal adress) Sophos This already ran on an older XG Version (I think ~16) but at this point it does not work anymore. (some employees move out of the country and they need it again) 500 and 4500 are forwarded on the ISP Router to the sophos and a NAT / MASQ rule is "connected" to the firewall rule in the Sophos config I think my problem is different: In the configuration dialog for the" remote access vpn", the UI shows me the internal IP Adress, that the Sophos gets from the ISP Router. When I try to establish the connection on the client with sophos connect, the log states "can't connect to that internal IP Adress" and tells me "UDP Port 500 may be blocked" (what a suprise) So how can I configure the VPN correctly, so that my client connects to the public ip adress, instead of the internal one. I was not able to find this case in the knowledge base (not for client VPN that is, only for site-to-site)

RickardNordahl · Answer

For SSL VPN I would use the setting "Override Hostname" with an IP-address or a name pointing towards the ISP IP-address. This should work. 
 
 For IPSec you can use the Sophos Connect Admin tool to change the Target host. I am not sure this works in the Firewall GUI it self. 
 
 //Rickard

emmosophos · Answer

Hello Rene, 
 As Richard mentioned, you must edit the override hostname in the SSL VPN Global Settings; your scenario is covered in the following Recommend Read . 
 For Sophos Connect (IPsec), you would need to edit the configuration file and substitute the Public IP given by the Firewall on the WAN port for the Public IP of the modem. 
 Regards,

Establishing a IPSec Connection with Sophos Connect behind ISP Router

Top Replies