IPSec VPN Clients and SSL-VPN Clients

Is it not possible to have the XG configured to allow for both IPSec and SSL-VPN remote access consecutively?



  • Hey  

    Did you mean concurrently? SSL VPN Remote Access and IPsec Remote Access can definitely be implemented on the same appliance. They both use different methods and ports for providing remote access to users. Check out the following articles for assistance. SSL VPN Remote Access and IPsec Remote Access (Page 215).

    Regards,

    FloSupport | Community Support Engineer

  • I did mean concurrently, thank you. Yes, I have both configurations set up; in fact, SSL-VPN has been working excellently. Unfortunately, it fails to work from our China location, so I was trying to set up IPSec remote access for staff to test that setup. Prior to our Sophos XG upgrade we had our China staff running IPSec remote connections, and it worked as well as it could. I do have a support ticket on the issue, as when I try to connect the IPSec client I am getting a licensing error, and at first support staff had said I cannot have both IPSec and SSL clients connecting concurrently. But they have got back to me to say it should work, so I am still working through support. The biggest stumbling block has been that, aside from the manual, there is not one article I have found on how to actually set up remote access using IPSec other than site to site. So I have kind of followed those setups to some extent. This is my output while trying to run the IPSec client. So this is what we are working with; I can't get past Phase 1.

    2018-01-23 8:24:14 AM - IPSec: Start building connection
    2018-01-23 8:24:14 AM - IpsDial: connection time interface choice,LocIpa=192.168.0.150,AdapterIndex=202
    2018-01-23 8:24:14 AM - Ike: Outgoing connect request MAIN mode - gateway=198.x.x.x : Home VPN
    2018-01-23 8:24:14 AM - Ike: XMIT_MSG1_MAIN - Home VPN,vpngw=198.x.x.x:500
    2018-01-23 8:24:14 AM - Ike: RECV_MSG2_MAIN - Home VPN
    2018-01-23 8:24:14 AM - Ike: IKE phase I: Setting LifeTime to 86400 seconds
    2018-01-23 8:24:14 AM - Ike: Turning on HYBRID XAUTH mode - Home VPN
    2018-01-23 8:24:14 AM - Ike: IkeSa negotiated with the following properties -
    2018-01-23 8:24:14 AM - Authentication=HXAUTH_INIT_RSA,Encryption=AES,Hash=SHA_256,DHGroup=14,KeyLen=256
    2018-01-23 8:24:14 AM - Ike: Home VPN ->Support for NAT-T version - 9
    2018-01-23 8:24:14 AM - Ike: Turning on IKE fragment mode - Home VPN
    2018-01-23 8:24:14 AM - IPSec: Final Tunnel EndPoint is=198.x.x.x
    2018-01-23 8:24:14 AM - Ike: phase1:name(Home VPN) - ERROR - SOPHOS LICENSING ERROR
    2018-01-23 8:24:14 AM - IPSec: Disconnected from Home VPN on channel 1.

  • Hi  

    I've sent you a PM so that we can continue working on this.

    Regards,

    FloSupport | Community Support Engineer

  • Thank you, it is the Sophos IPSec client that is the problem, not my configuration. Going with another product, that is cheaper and actually works.

  • Hello,

    Which Sophos IPsec client are you referring to? Is this the Sophos Connect Client? Please use Sophos Connect 2.0 EAP1 that is available to connect using either IPsec or SSL VPN. In fact, if you use the Sophos Connect Client with SSL VPN, it can auto-provision the SSL VPN policy. So you configure both types of remote access policy on XG. For IPsec you still have to push the policy either using GPO or out of band. But for SSL VPN, the client can download the policy from the user portal using the provisioning file.

    Please let us know if you have any problems with getting it to work.

    Ramesh