
Establishing an IPsec Connection with Sophos Connect behind ISP Router

Hey everyone :-)

I am trying to establish a remote client IPsec (or SSL VPN, I don't care) connection for users behind an ISP router,
or in other words: Internet (public address) -> ISP router (internal address) -> Sophos.

This already ran on an older XG version (I think ~16), but at this point it does not work anymore. (Some employees moved out of the country and they need it again.)
500 and 4500 are forwarded on the ISP router to the Sophos, and a NAT / MASQ rule is "connected" to the firewall rule in the Sophos config.

I think my problem is different: in the configuration dialog for the "remote access VPN", the UI shows me the internal IP address that the Sophos gets from the ISP router.
When I try to establish the connection on the client with Sophos Connect, the log states "can't connect to that internal IP address"
and tells me "UDP port 500 may be blocked".

(What a surprise.)

So how can I configure the VPN correctly, so that my client connects to the public IP address instead of the internal one?

I was not able to find this case in the knowledge base (not for client VPN, that is; only for site-to-site).

  • I wrote that the VPN tunnel RAN (worked) on 16 but does not work anymore. In other words, the firewall has the newest firmware version installed, and it does not work anymore since the new version was installed.
    The Sophos Connect client tries to connect to the local IP address given by the ISP router, instead of the public IP address.
    It worked on older firmware versions, but it does not work anymore.
    I updated both the firmware of the Sophos and the Sophos Connect clients, as well as the config files.

    How can I configure it correctly, so the Sophos Connect client tries to connect to the public IP address instead of the local IP address of the ISP router?
    (And yes, I read all the Sophos documentation before posting here, but there is no KB entry for this specific case.)
    Which is odd, since XG / XGS does not come with a modem pre-installed.

  • For SSL VPN I would use the setting "Override Hostname" with an IP address or a name pointing towards the ISP IP address. This should work.

    For IPsec you can use the Sophos Connect Admin tool to change the Target host. I am not sure this works in the Firewall GUI itself.

    //Rickard

  • Hello Rene,

    As Rickard mentioned, you must edit the override hostname in the SSL VPN Global Settings; your scenario is covered in the following Recommended Read.

    For Sophos Connect (IPsec), you would need to edit the configuration file and substitute the public IP given by the firewall on the WAN port with the public IP of the modem.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support