Please Provide me with a Step by Step Firewall Rule Creaton Tutorial for l2tp/IPsec remote access

Jacob,

welcome to community. Here the Sophos KB on how to create an L2TP server on your XG and make your MAC able to establish a IPSec connection to it.

https://community.sophos.com/kb/en-us/125446

Follow the guide and let us know if you need more help.

Regards

i did follow the setup guide exactly and ended up with this two error messages in the log, besides of that there is no explanation about port forwarding.... or is this done automagically in the sophos xg ? :D

thanks for your reply anyways

Jacob,

the port forwarding is automatically opened by the XG. You have to make sure that XG on WAN interface is using Public IP otherwise you have to port forward traffic from upstream device to your XG WAN IP.

Can you share the L2TP logs from console? The command should be:

show VPN L2TP logs (sorry I am not at home/office).

Thanks

the listening on 0.0.0.0 look suspicious :D

Please share with some screenshots the IPSec configuration you have done on your XG.

Thanks

sorry for the german interface ( i just overtook the administration of this firewall and didnt even found the language change option yet..... )

thanks for your help

N1ete,

send me a PM and I will have a look at your XG.

Regards

N1ete,

send me a PM and I will have a look at your XG.

Regards

Hi Luk,

I have exactly the same issue trying to setup IPSEC between XG and Fortinet. Any idea how to get around this issue? Appreciate your help.

Thank you.

Posh,

Have a look at this thread:

Regards

Thank you for your reply Luk. I changed the algorithm however still getting the same error in XG. Not sure if there is something else I'm missing here :(

Posh,

You can try to restart vpn service using console. If it does not help, open a ticket with support and let us know.

Regards

That did not help either. I will open a support ticket.

Regards,

Posh

I would look at these things if your tunnel is ipsec,  i have not configure l2tp but i have around 10 ipsec policies on  my xg that i have had to configure multiple times due to changing the device host name, bridge the wan port, and changing the xg gateway and bridge mode.

If the wan ip is different from  the public ip you need to add aliase for your other public ips with \32 subnet.  May not be necessary but you might check it if your policy depends on a different wan gateway.

Enter ipsec profile carefully

Create ipsec policy and select the ipsec profile

Set key to auto connect or something like that

Make sure the encryption settings match up with the other side of the tunnel.

I have typed the passcode key wrong before...

Make sure you click on the red circles and hope they turn green. When light is green you can see what parts of your ipsec connection is working which is pretty cool.

If the vpn depends on a static route it won't work.

If you have stateless and stateful traffic going back and forth you might have to look into bypass stateful traffic as last resort.

Also every host needs to be entered one at a time in the allow access to, you can't put a group host object in the settings.

I currently have a problem with needing ipsec policies and have 3 hosted routers from our datacenter that i don't know what to do with yet, but i got building ipsec VPN policies down!

Thank you for all your responses. Finally got it working with the help of sophos support. Fortigate unit was behind nat so the remote address had to be entered into remote ID in order to allow. Had to make fortigate and Sophos to use AES128/256 MD5 and 2DES MD5. All worked after making the changes. Thank you again for your support.