
Establishing an IPSec Connection with Sophos Connect behind ISP Router

Hey everyone :-)

I am trying to establish a remote client IPSec (or SSL VPN, I don't care) connection for users behind an ISP router.
Or in other words: Internet (public address) -> ISP router (internal address) -> Sophos

This already ran on an older XG version (I think ~16), but at this point it does not work anymore. (Some employees move out of the country and they need it again.)
500 and 4500 are forwarded on the ISP router to the Sophos, and a NAT / MASQ rule is "connected" to the firewall rule in the Sophos config.

I think my problem is different: in the configuration dialog for the "remote access VPN", the UI shows me the internal IP address that the Sophos gets from the ISP router.
When I try to establish the connection on the client with Sophos Connect, the log states "can't connect to that internal IP Address"
and tells me "UDP Port 500 may be blocked".

(what a surprise)

So how can I configure the VPN correctly, so that my client connects to the public IP address instead of the internal one?

I was not able to find this case in the knowledge base (not for client VPN that is, only for site-to-site)






  • Hello  ,

    Thank you for reaching out to the community. We would recommend that you upgrade to the latest v19.5, as it has various graphical and technological enhancements with regard to the performance of the modules SFOS provides. Here is the complete guide for SSL VPN and IPsec VPN:

    1.) Configure remote access SSL VPN with Sophos Connect client
    2.) Configure IPsec remote access VPN with Sophos Connect client

    Additionally, you can refer to the Retirement calendar for Sophos Firewall Software. SFOS 16 was declared EOL (End-of-Life) on 20-AUG-2019.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • I wrote that the VPN tunnel RAN (worked) on 16 but does not work anymore. In other words, the firewall has the newest firmware version installed, and it does not work anymore since the new version was installed.
    The Sophos Connect client tries to connect to the local IP address given by the ISP router, instead of the public IP address.
    It worked on older firmware versions, but it does not work anymore.
    I updated both the firmware of the Sophos and the Sophos Connect clients, as well as the config files.

    How can I configure it correctly, so the Sophos Connect client tries to connect to the public IP address instead of the local IP address of the ISP router?
    (And yes, I read all the Sophos documentation before posting here, but there is no KB entry for this specific case.)
    Which is odd, since XG / XGS does not come with a modem pre-installed.

  • For SSL VPN I would use the setting "Override Hostname" with an IP-address or a name pointing towards the ISP IP-address. This should work.

    For IPSec you can use the Sophos Connect Admin tool to change the Target host. I am not sure this works in the Firewall GUI itself.

    //Rickard
