Guest User!

You are not Sophos Staff.

Thread Info
  • Locked Locked
  • Replies 6 replies
  • Subscribers 1 subscriber
  • Views 20824 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Access IPSec (Android <-???-> UTM <-> private LAN)

MichaelAbels

Hi,

I am quite new to Sophos and would need some help on Remote Access (IPSec). I'll try to explain my setup:

Before I setup VPN I checked ping between all the machines works fine.

[   Android(IPAddrA) <-> (IPAddrFext)Fritz(AddrFint) <--> (IPAddrRext)Router(IPAddrRint) <-> (IPAddrSext)Sophos(IPAddrSint) <-> internal network]

fritz is configured to do port forwarding for port 500, 4500

Now I have setup Remote Access VPN (IPsec, nat traversal, preshared keys, XAUTH, defined User) between Sophos and Android and the VPN is 

established.

...please let me know whether my following understanding is correct/wrong:

1) I see an SA established between IPAddrFext  and IpAddrSext.

    --> IPAddrFext is the remote tunnel endpoint and used instead of IPAddrA(10.242.4.1) because of nat traversal I assume, correct!?

2) ping from Android to private network (IPAddrSint) does not succeed over established VPN

    --> On the Router I use wireshark to decrypt the packets. I see the ping packets from Android over the tunnel with inner srcIp 10.242.4.1 and inner dstIp IPAddrSint as
          expected.

   --> On sophos I use tcpdump

              tcpdump -i any -n src host 213.196.249.130 ---> I see those encrypted packets

              tcpdump -i any -n src host 10.242.4.1 ---> I do not see any decrypted packets!?

  ..what else could I check or what am I missing?  

Thanks,
Michael



This thread was automatically locked due to age.
  • one more comment: the firewall logs to not show any packet drops......
  • yet another comment: I installed NCP vpn client on my android and everything works fine.....haven't found out yet what the difference is compared to built in vpn client of S6 android.

    Thanks anyway.....
  • Hi, Michael,

    Part of the problem might be that IPsec servers are tricky when they're behind a NATting router, but the fact that the NCP client works makes me think that that's not the issue.

    I don't know about Android, but the IPsec client in the iPhone works only with the Cisco Remote Access server.

    Cheers - Bob
    PS I can see that you worked hard to make certain that your description was complete, but I admit to getting lost. Rather than using "codes" like "IPAddrFext" when diagramming, use actual addresses that are obfuscated like 10.x.y.1, 172.16.x.2 and 81.x.y.54. That lets us see which addresses are public and private and makes it quicker&easier for us to understand what you're describing.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thank you. You are right. I noticed I couldn't follow it myself after half an hour :-).
    So, even though my problem is solved, the below is hopefully more understandable and might be useful for someone facing similar problem with Android built-in vpn client:

    (pls Note: In the following example I removed the 'Router' from original setup for simplification.
    Also the following scenario describes a setup where the Android is actually connected via cellular WAN rather than Wlan)

    network setup:

    Android <-> Radio Network <-.....................................-> Fritz <---- 192.x.y.0/24 ---> Sophos <---10.10.1.0/24--> internal
    10.x.y.151 [Nat->109.x.y.31] [Nat<-213.x.y.13] .1 .2 .1 .2

    outer tunnel endpoints:

    ......O------------------------------------tunnel---------------------------------------------O...............
    109.x.y.31 192.x.y.2

    encrypted inner IP:

    10.242.4.1...........................................encrypted inner IP ..........................................................................10.10.1.1


    1) fritz is configured to do port forwarding for port 500, 4500

    2) Configured Remote Access VPN (IPsec, nat traversal, preshared keys, XAUTH, defined User)
    between Sophos and Android(NCP vpn client)

    3) I see an SA established between 109.xy.31 and 192.x.y.2 and the Android is assigned 10.242.4.1 from pool.

    4) ping from Android (10.242.4.1) to private network address (10.10.1.2) succeeds.


    Same setup does not work with Android built-in vpn client.
    (Android Version 5.1.1)(kernel version 3.10.61).

    Thanks,
    Michael
  • in reply to MichaelAbels
    Hi again,

    I gave my best but now automatic formatting (removing spaces) got into my way....the network setup description became unreadable. :-(
  • in reply to MichaelAbels
    one more try:

    network setup:

    Android <-> Radio Access <-.................................-> Fritz <---- 192.x.y.0/24 ---> UTM <---10.10.1.0/24--> int.
    10.x.y.151--------[Nat->109.x.y.31] [Nat<-213.x.y.13]- .1----------------------- .2 -----.1 --------------------.2

    outer tunnel endpoints:

    109.x.y.31--------------------------------------tunnel-----------------------------192.x.y.2

    encrypted inner IP:

    10.242.4.1-------------------------------encrypted inner IP--------------------------------10.10.1.1

    --Michael
Unfiltered HTML