Remote Access IPSec (Android <-???-> UTM <-> private LAN)

Hi,

I am quite new to Sophos and would need some help on Remote Access (IPSec). I'll try to explain my setup:

Before I set up the VPN, I checked that ping between all the machines works fine.

[   Android(IPAddrA) <-> (IPAddrFext)Fritz(AddrFint) <--> (IPAddrRext)Router(IPAddrRint) <-> (IPAddrSext)Sophos(IPAddrSint) <-> internal network]

Fritz is configured to do port forwarding for ports 500 and 4500.

Now I have set up Remote Access VPN (IPsec, NAT traversal, preshared keys, XAUTH, defined user) between Sophos and Android, and the VPN is established.

...please let me know whether my following understanding is correct or wrong:

1) I see an SA established between IPAddrFext and IPAddrSext.

    --> IPAddrFext is the remote tunnel endpoint and is used instead of IPAddrA (10.242.4.1) because of NAT traversal, I assume. Correct!?

2) Ping from Android to the private network (IPAddrSint) does not succeed over the established VPN.

    --> On the Router I use Wireshark to decrypt the packets. I see the ping packets from Android over the tunnel with inner srcIp 10.242.4.1 and inner dstIp IPAddrSint, as expected.

    --> On Sophos I use tcpdump:

              tcpdump -i any -n src host 213.196.249.130 ---> I see those encrypted packets

              tcpdump -i any -n src host 10.242.4.1 ---> I do not see any decrypted packets!?

  ...what else could I check, or what am I missing?

Thanks,
Michael
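The two tcpdump filters above, turned into a small classifier: it reads `tcpdump -i any -n` output lines, separates NAT-T/ESP, IKE keepalive and cleartext packets, and names the first stage of the ESP-in, decrypt, reply-out sequence that is missing. This is an added example, not code from the thread or from Sophos; the capture lines are constructed, and 198.51.100.7 stands in for the UTM's external address, which the post does not give.

```python
import re
from collections import Counter
# One line of `tcpdump -i any -n` output: "<timestamp> IP <src> > <dst>: <rest>".
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def host(addr):
    # tcpdump appends ".port" to UDP/TCP addresses; strip it to get the bare IPv4.
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr

def classify(line):
    # Returns (kind, src, dst) with kind "ike", "esp" or "plain"; None if not an IP line.
    m = LINE.match(line)
    if not m:
        return None
    src, dst, rest = host(m.group(1)), host(m.group(2)), m.group(3)
    if "isakmp" in rest:
        return "ike", src, dst        # IKE negotiation or NAT-T keepalive
    if "ESP(spi=" in rest:
        return "esp", src, dst        # encrypted payload, raw or UDP-encapsulated
    return "plain", src, dst          # cleartext: decrypted by the UTM, or never encrypted

def diagnose(capture, peer_public_ip, client_inner_ip):
    # Count the packet classes the post's filters look for; report the first missing stage.
    c = Counter()
    for line in capture.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        kind, src, dst = parsed
        if kind == "esp" and src == peer_public_ip:
            c["esp_from_peer"] += 1
        elif kind == "plain" and src == client_inner_ip:
            c["inner_from_client"] += 1
        elif kind == "plain" and dst == client_inner_ip:
            c["inner_to_client"] += 1
    if not c["esp_from_peer"]:
        verdict = "no ESP from peer: check the UDP 500/4500 forwarding in front of the UTM"
    elif not c["inner_from_client"]:
        verdict = "ESP arrives but nothing is decrypted: inner source outside the SA's traffic selector, or the SPI seen is not the installed SA"
    elif not c["inner_to_client"]:
        verdict = "decrypted packets arrive but no reply returns: check firewall rules and the LAN route back to the client"
    else:
        verdict = "tunnel carries traffic in both directions"
    return dict(c), verdict

# Constructed sample modelled on the post: ESP from the Fritz box's public address,
# no decrypted packets from the Android's inner address; 198.51.100.7 is a placeholder.
SAMPLE = """\
12:00:01.000001 IP 213.196.249.130.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:02.000003 IP 213.196.249.130.4500 > 198.51.100.7.4500: isakmp-nat-keep-alive
"""
```

Feed it a real capture with `diagnose(open("utm.txt").read(), "<peer public IP>", "<client inner IP>")`; note that newer tcpdump builds prefix `-i any` lines with `In`/`Out`, which this regex does not expect.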



  • Hi, Michael,

    Part of the problem might be that IPsec servers are tricky when they're behind a NATting router, but the fact that the NCP client works makes me think that that's not the issue.

    I don't know about Android, but the IPsec client in the iPhone works only with the Cisco Remote Access server.

    Cheers - Bob
    PS I can see that you worked hard to make certain that your description was complete, but I admit to getting lost. Rather than using "codes" like "IPAddrFext" when diagramming, use actual addresses that are obfuscated like 10.x.y.1, 172.16.x.2 and 81.x.y.54. That lets us see which addresses are public and private and makes it quicker & easier for us to understand what you're describing.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA