Remote Access IPsec (Android <-???-> UTM <-> private LAN)

Hi,

I am quite new to Sophos and could use some help with Remote Access (IPsec). I'll try to explain my setup:

Before I set up the VPN I checked that ping between all the machines works fine.

[ Android(IPAddrA) <-> (IPAddrFext)Fritz(IPAddrFint) <--> (IPAddrRext)Router(IPAddrRint) <-> (IPAddrSext)Sophos(IPAddrSint) <-> internal network ]

The Fritz is configured to do port forwarding for ports 500 and 4500.

Now I have set up Remote Access VPN (IPsec, NAT traversal, preshared keys, XAUTH, defined user) between Sophos and Android, and the VPN is established.

Please let me know whether the following understanding is correct or wrong:

1) I see an SA established between IPAddrFext and IPAddrSext.

    --> IPAddrFext is the remote tunnel endpoint and is used instead of IPAddrA (10.242.4.1) because of NAT traversal, I assume, correct!?

2) Ping from Android to the private network (IPAddrSint) does not succeed over the established VPN.

    --> On the Router I use Wireshark to decrypt the packets. I see the ping packets from Android over the tunnel with inner srcIp 10.242.4.1 and inner dstIp IPAddrSint, as expected.

    --> On Sophos I use tcpdump:

              tcpdump -i any -n src host 213.196.249.130   --> I see those encrypted packets

              tcpdump -i any -n src host 10.242.4.1        --> I do not see any decrypted packets!?

...what else could I check, or what am I missing?

Thanks,
Michael
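An added example, not part of the original post and not Sophos code: the packets tcpdump shows from the public address in the "encrypted" case are UDP/4500 NAT-T datagrams. Their only cleartext fields are the RFC 3947/3948 marker and, for ESP, the SPI and sequence number; the inner source 10.242.4.1 sits inside the ciphertext, so the second tcpdump filter can only match after the gateway has decrypted the packet with an inbound SA whose SPI matches. The Python below decodes that cleartext part from constructed datagrams and reports the ESP SPIs for which no inbound SA is installed, which is the first thing to check when encrypted traffic arrives but nothing decrypted appears. The SPI list stands in for what a Linux IPsec host reports with `ip xfrm state`; whether the UTM exposes that command is not claimed here, and every byte string and SPI in the block is made up for the example.

```python
"""Classify NAT-T (UDP/4500) datagrams the way an IPsec gateway sees them.

Added example, not code from the forum thread or from Sophos. It decodes the
cleartext part of UDP-encapsulated IPsec (RFC 3948 ESP-in-UDP, RFC 3947 IKE
non-ESP marker) and checks whether each ESP SPI has a matching inbound SA.
All packet bytes and SPI lists below are constructed for the example.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3947: IKE carried on UDP/4500 (ESP SPI 0 is reserved)
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 section 2.3: a single 0xFF byte

IKE_EXCHANGE_TYPES = {
    2: "identity-protection (main mode)",
    4: "aggressive",
    5: "informational",
    6: "transaction (mode config / XAUTH)",
    32: "quick mode",
}


def classify_nat_t_payload(payload: bytes) -> dict:
    """Describe what one UDP/4500 datagram carries.

    Only the unencrypted fields are available here: for ESP that is the SPI and
    sequence number. The inner IP header (e.g. src 10.242.4.1) is inside the
    encrypted part, so a capture filter on the inner address can only match
    after the gateway has decrypted the packet with a matching inbound SA.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < 28:                       # ISAKMP/IKE header is 28 bytes
            return {"kind": "ike", "error": "truncated IKE header"}
        ispi, rspi, _next, version, exch, _flags, _msg_id, length = struct.unpack("!QQBBBBII", ike[:28])
        return {
            "kind": "ike",
            "version": f"{version >> 4}.{version & 0xF}",   # 0x10 -> IKEv1
            "exchange": IKE_EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
            "initiator_spi": f"{ispi:016x}",
            "responder_spi": f"{rspi:016x}",
            "length_ok": length == len(ike),
        }
    if len(payload) < 8:
        return {"kind": "esp", "error": "truncated ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": f"0x{spi:08x}", "seq": seq, "encrypted_len": len(payload) - 8}


def unmatched_esp_spis(payloads, installed_inbound_spis):
    """Return {spi: packet_count} for ESP SPIs seen on the wire with no inbound SA.

    A gateway cannot decrypt ESP whose SPI is not in its SA database, so such
    packets show up in a capture on the public address but never reappear as
    decrypted packets carrying the inner source address.
    """
    installed = {s.lower() for s in installed_inbound_spis}
    seen = {}
    for p in payloads:
        info = classify_nat_t_payload(p)
        if info["kind"] == "esp" and "error" not in info:
            seen[info["spi"]] = seen.get(info["spi"], 0) + 1
    return {spi: n for spi, n in seen.items() if spi not in installed}


# Constructed sample traffic, as it might arrive on UDP/4500 from the NATed peer.
SAMPLE_PAYLOADS = [
    NAT_KEEPALIVE,
    NON_ESP_MARKER + struct.pack("!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 4, 0, 0, 28),  # IKEv1 aggressive mode
    struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 40,   # ESP, SPI 0xc0ffee01 (ciphertext zeroed for the example)
    struct.pack("!II", 0xC0FFEE01, 2) + b"\x00" * 40,
    struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 40,   # ESP with an SPI the gateway does not know
]

# Inbound child-SA SPIs the gateway has installed (hypothetical; on Linux this is what `ip xfrm state` lists).
INSTALLED_INBOUND_SPIS = ["0xc0ffee01"]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(classify_nat_t_payload(p))
    print("ESP SPIs without inbound SA:", unmatched_esp_spis(SAMPLE_PAYLOADS, INSTALLED_INBOUND_SPIS))
```

Filtering on the outer endpoint with `src host` only ever shows encapsulated traffic. `tcpdump -ni any 'udp port 4500 or esp'` captures both NAT-T and plain ESP regardless of the peer address, and a decrypted packet appears as a separate plain IP packet only once the gateway has processed it; if the SPIs in the capture are not among the installed inbound SAs, there is nothing to decrypt them with and the inner-address filter will stay empty.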



  • Hi Bob,

    thank you. You are right. I noticed I couldn't follow it myself after half an hour :-).
    So, even though my problem is solved, the below is hopefully more understandable and might be useful for someone facing a similar problem with the Android built-in VPN client:

    (Please note: in the following example I removed the 'Router' from the original setup for simplification.
    Also, the following scenario describes a setup where the Android is actually connected via cellular WAN rather than WLAN.)

    network setup:

    Android <-> Radio Network <-.........-> Fritz <--- 192.x.y.0/24 ---> Sophos <--- 10.10.1.0/24 ---> internal

        Android:  10.x.y.151, NATed by the radio network to 109.x.y.31
        Fritz:    213.x.y.13 on the WAN side (NAT / port forwarding), .1 on 192.x.y.0/24
        Sophos:   .2 on 192.x.y.0/24, .1 on 10.10.1.0/24
        internal: .2 on 10.10.1.0/24

    outer tunnel endpoints:

    109.x.y.31 ------------------------------ tunnel ------------------------------ 192.x.y.2

    encrypted inner IP:

    10.242.4.1 -------------------------- encrypted inner IP -------------------------- 10.10.1.1


    1) The Fritz is configured to do port forwarding for ports 500 and 4500.

    2) Configured Remote Access VPN (IPsec, NAT traversal, preshared keys, XAUTH, defined user)
    between Sophos and Android (NCP VPN client).

    3) I see an SA established between 109.x.y.31 and 192.x.y.2, and the Android is assigned 10.242.4.1 from the pool.

    4) Ping from Android (10.242.4.1) to the private network address (10.10.1.2) succeeds.


    The same setup does not work with the Android built-in VPN client
    (Android version 5.1.1, kernel version 3.10.61).

    Thanks,
    Michael
  • Hi again,

    I gave it my best, but now automatic formatting (removing spaces) got in my way... the network setup description became unreadable. :-(
  • one more try:

    network setup:

    Android <-> Radio Access <-.................................-> Fritz <---- 192.x.y.0/24 ---> UTM <---10.10.1.0/24--> int.
    10.x.y.151--------[Nat->109.x.y.31] [Nat<-213.x.y.13]- .1----------------------- .2 -----.1 --------------------.2

    outer tunnel endpoints:

    109.x.y.31--------------------------------------tunnel-----------------------------192.x.y.2

    encrypted inner IP:

    10.242.4.1-------------------------------encrypted inner IP--------------------------------10.10.1.1

    --Michael