Unable to connect Cisco IPSec. Sophos is behind another router.

So I'm trying to connect to Sophos VPN using Cisco IPSec from an iPhone. 

The Sophos box is behind another router, and thus the public IP of the WAN interface of the Sophos box is actually a private IP. This causes me 2 problems:

a.) When I download the .mobileconfig from the user web portal, it has the WAN IP of the Sophos box hardcoded as the server address, and there's no option to change this on the iPhone or in the Sophos admin interface.

b.) The VPN works fine if I place the iPhone on the same LAN as the Sophos WAN interface. I've forwarded UDP ports 500 & 4500 to the Sophos box on the other router and manually edited the .mobileconfig file so that the VPN server is actually my external IP or DNS name (I've tried both), but I'm still unable to connect from the internet.

Any thoughts?
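The manual edit described in point b.) above, as an added example that is not part of the original post or of any Sophos tool: a .mobileconfig is an Apple property list, so the hardcoded server address can be rewritten programmatically instead of by hand. The sample profile is constructed here for illustration (a real portal export will differ in layout and may carry more keys); the `com.apple.vpn.managed` payload type and the `RemoteAddress` key inside the `IPSec`, `IKEv2` and `PPP` dictionaries are Apple's documented VPN payload keys.

```python
import plistlib

# Constructed sample Cisco IPSec profile, NOT a real Sophos export.
# The private WAN address mirrors the situation in the post: the Sophos
# WAN sits behind another router, so the portal bakes in a private IP.
SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.vpn.profile",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.profile.ipsec",
        "PayloadUUID": "66666666-7777-8888-9999-000000000000",
        "UserDefinedName": "Office VPN",
        "VPNType": "IPSec",
        "IPSec": {
            "AuthenticationMethod": "SharedSecret",
            "RemoteAddress": "192.168.1.13",  # private WAN IP, unreachable from outside
            "XAuthEnabled": 1,
            "XAuthName": "justind",
        },
    }],
})

# Dictionaries in which Apple's VPN payload stores the server address.
VPN_SECTIONS = ("IPSec", "IKEv2", "PPP")


def remote_addresses(profile_bytes):
    """List every RemoteAddress found in the VPN payloads of a profile."""
    profile = plistlib.loads(profile_bytes)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        for section in VPN_SECTIONS:
            cfg = payload.get(section)
            if isinstance(cfg, dict) and "RemoteAddress" in cfg:
                found.append(cfg["RemoteAddress"])
    return found


def rewrite_remote_address(profile_bytes, new_address):
    """Return (updated profile bytes, number of RemoteAddress values replaced)."""
    profile = plistlib.loads(profile_bytes)
    changed = 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        for section in VPN_SECTIONS:
            cfg = payload.get(section)
            if isinstance(cfg, dict) and "RemoteAddress" in cfg:
                cfg["RemoteAddress"] = new_address  # public IP or DNS name of the outer router
                changed += 1
    return plistlib.dumps(profile), changed
```

If the portal download is signed, the file is a CMS wrapper around the plist rather than a bare plist, so it must be unwrapped first and the edited profile will install as unsigned.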



  • Hi Justind,

    The config file will always contain the IP address of the WAN interface on XG, as the interface configuration in the Cisco VPN client policy has the WAN port defined. This is the expected behavior. Please show us the IPsec logs when connecting to the XG device after editing the config file. Do you see traffic in tcpdump for ports 500 and 4500?

    Finally, check #1 in my guide here and monitor the drop packet capture for the destination IP address i.e., the iPhone's WAN IP address.

    Thanks

  • Cisco IPSec... if that's the one I was using a decade ago, it can handle hostnames instead of IP addresses.

    Seems to me like a good candidate for a feature request: being able to specify a name instead of an address.
    After an ISP change, you really do not want to have to mess with all remote VPN clients.

  • I'm still confused about how to get this to work properly. I'm attaching screenshots of the options under 'Remote Access' on my SG appliance as well as "Interfaces & Routing" --> Interfaces.

    VPN options I'm considering

    Most of the options I see under "Remote Access" have Interface set to either 'WAN' or 'Internal'.

    My current network interfaces on the Sophos SG. Notice that External WAN is set to the LAN address of my Residential Gateway/ISP Router. This is because the Gateway/ISP Router must be set up with a 'Cascaded Router' configuration.

    I do have 5 static PUBLIC IP addresses which are passed down to the Sophos in this 'Cascaded Router' configuration. These are shown under 'Additional Addresses' below (I'm only using two of them) and these are passed to a LAN IP behind Sophos in a DNAT configuration. Can I somehow use 1 of the remaining 3 so that I can access the Sophos SG externally and/or VPN externally?

    Here are some settings on my ISP gateway/router.

    In this mode (Cascaded Router), my public IP subnet is 'managed' by the Sophos device. The ISP gateway does NAT from its WAN IP to the Sophos on 192.168.1.13.

    Alternatively, I could disable 'Cascaded Router' and assign a single WAN IP from my public block to the Sophos device, BUT if I do that, my remaining 4 public IPs can no longer be managed from within the Sophos SG...

    How do I configure this so that I can access the SG appliance VPN service from outside my network as well as allow the Sophos SG to control my public IP subnet?

  • Hi Clint, 

    Your question is associated with the Sophos UTM. I request you to post it in the UTM forum of the community. Skimming the post, I would refer you to this article if that helps:

    https://community.sophos.com/kb/en-us/125796

    OR

    Please try the following command:

    cc change_object REF_IPsecPolicyCisco ipsec_auth_alg sha2_256_96

    Thanks
