Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 1 subscriber
  • Views 5213 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC Masquerade not working

Astaronator
Hey all,

I have IPSec configured and am testing the 30-day trial of Sophos IPSec Client. 

I have the IPSec rule set up as x509 and AES256. I can connect using the user profile and certificate no problem, but I can't get the masquerading to work.

I am able to browse local web servers fine, but my ipchicken is showing my air card IP, not the office network's IP.

User receives IP from VPN Pool (IPSec).

My Masq rule is:
Joe (UserNetwork)
Position 1
External (WAN)
>

UTM version: 9.107-33

Any help is appreciated [:$]


This thread was automatically locked due to age.
  • 0
    Firewall rule?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi,

    The routes aren't getting set right on your client.

    1. Do you have 'ANY' in the Local Networks on the UTM's VPN configuration?

    2. are you running the VPN client with admin rights?

    Barry
  • 0 in reply to BAlfson
    Thanks for responding. Bob and Barry! Wow I feel honoured!

    Firewall Rule:
    Only 1. Joe (User Network) > WebSurfing, Email, etc... > Any

    1. Do you have 'ANY' in the Local Networks on the UTM's VPN configuration?
    No. It's Internal Network

    2. are you running the VPN client with admin rights?
    Yes. Logged in as an administrator on the laptop too.

    See attached screenshots...

    I also updated to v9.108-23 last night FYI.
  • 0
    Try to add "Internet IPv4" (that's more safe than any) in the Local Networks for the VPN connection. 
    If you add that, the VPN client will be able to reach IP's on the outside, otherways it will only be able to reach internal addresses.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • 0 in reply to apijnappels
    I'mn not sure I understand what you mean apijnappels.

    I don't have "Any" in the Local Networks for VPN connection. I have "Internal (Network)"
  • 0
    Yes, but if you want your vpn clients to have internet access through the VPN tunnel then you need to have that in your tunnel. Now your tunnel will only allow traffic to the Internal network and nothing else.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • 0 in reply to apijnappels
    Ah I understand now sorry.

    I don't have a definition for "Internet IPv4".

    I did try External (WAN) and that didn't work.

    I also tried "Any". When I use "Any" just to see if it works, however the VPN tunnel won't establish. I get the message "IKE(phase 2) - Waiting for Msg 2" on the client.
  • 0
    There's an object named "Internet" that apijnappels wants you to add.  

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Ah sorry I missed that... I don't know why. Getting ramped up for vacation in DR next week as long as I can get this fixed before I leave.

    So I added the "Internet" object. Now all that are listed under "Local Networks" is Internal & Internet.

    I am able to connect to the VPN again, but still no masqueraded IP address. Still showing the air-card IP.
  • 0
    Okay I solved it...

    It seemed to be the user accounts. While I tried with 2 different users, the accounts I was using were old test accounts. They had email changes, password changes and I think they may even existed before I re-generated my Root CA.

    All that to say, I created a brand new account, tested with just Internet... then Internet and Internal. Worked beautifully.

    This thread here from way back in 2009 made me realize the "IKE(phase 2) - Waiting for Msg 2" was an X509 cert error.

    I hope this helps someone else in the future. When in doubt... try a new user account!
Unfiltered HTML