Remote Access L2TP over IPSec

Hello,
I've enabled Remote Access on my UTM, but I'm not able to connect. It works when I set up a firewall rule from Any - service Any - WAN interface, so it seems to me that some firewall rule needs to be created to open the listening ports, am I right? In this How To http://www.sophos.com/en-us/medialibrary/PDFs/documentation/utm90_Remote_Access_Via_L2TP_geng.pdf there is nothing about a firewall rule from WAN...

Do I need to create the firewall rule manually, or is something wrong?

V.


  • No firewall rule should be necessary.  Make sure that debug is DISabled, open the IPsec Live Log and try to connect.  Show us the lines from a single connection attempt.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,
    So... the first problem was somewhere in the certificates, because I renamed the UTM and it made a mess of things, so I did a fresh install. Debug is disabled; here are the lines from the log. I'm trying to connect from an Android 4.4.2 phone...

    2014:07:15-21:49:56 home pluto[5477]: "L_for admin"[11] 46.135.105.3:41784 #107: received Delete SA(0x049d36b2) payload: deleting IPSEC State #108
    2014:07:15-21:49:56 home pluto[5477]: "L_for admin"[11] 46.135.105.3:41784 #107: deleting connection "L_for admin"[4] instance with peer 46.135.105.3 {isakmp=#0/ipsec=#0}
    2014:07:15-21:49:56 home pluto[5477]: "L_for admin"[11] 46.135.105.3:41784 #107: received Delete SA payload: deleting ISAKMP State #107
    2014:07:15-21:49:56 home pluto[5477]: "L_for admin"[11] 46.135.105.3:41784: deleting connection "L_for admin"[11] instance with peer 46.135.105.3 {isakmp=#0/ipsec=#0}
    2014:07:15-21:50:01 home pluto[5477]: packet from 46.135.105.3:55063: received Vendor ID payload [RFC 3947]
    2014:07:15-21:50:01 home pluto[5477]: packet from 46.135.105.3:55063: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2014:07:15-21:50:01 home pluto[5477]: packet from 46.135.105.3:55063: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2014:07:15-21:50:01 home pluto[5477]: packet from 46.135.105.3:55063: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2014:07:15-21:50:01 home pluto[5477]: packet from 46.135.105.3:55063: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2014:07:15-21:50:01 home pluto[5477]: packet from 46.135.105.3:55063: received Vendor ID payload [Dead Peer Detection]
    2014:07:15-21:50:01 home pluto[5477]: "L_for admin"[12] 46.135.105.3:55063 #115: responding to Main Mode from unknown peer 46.135.105.3:55063
    2014:07:15-21:50:01 home pluto[5477]: "L_for admin"[12] 46.135.105.3:55063 #115: NAT-Traversal: Result using RFC 3947: peer is NATed
    2014:07:15-21:50:02 home pluto[5477]: "L_for admin"[12] 46.135.105.3:55063 #115: Peer ID is ID_IPV4_ADDR: '10.23.104.246'
    2014:07:15-21:50:02 home pluto[5477]: "L_for admin"[13] 46.135.105.3:55063 #115: deleting connection "L_for admin"[12] instance with peer 46.135.105.3 {isakmp=#0/ipsec=#0}
    2014:07:15-21:50:02 home pluto[5477]: "L_for admin"[13] 46.135.105.3:55063 #115: Dead Peer Detection (RFC 3706) enabled
    2014:07:15-21:50:02 home pluto[5477]: | NAT-T: new mapping 46.135.105.3:55063/41784)
    2014:07:15-21:50:02 home pluto[5477]: "L_for admin"[13] 46.135.105.3:41784 #115: sent MR3, ISAKMP SA established
    2014:07:15-21:50:02 home pluto[5477]: "L_for admin"[13] 46.135.105.3:41784 #115: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2014:07:15-21:50:03 home pluto[5477]: "L_for admin"[5] 46.135.105.3:41784 #116: responding to Quick Mode
    2014:07:15-21:50:03 home pluto[5477]: "L_for admin"[5] 46.135.105.3:41784 #116: IPsec SA established {ESP=>0x039c4dea 
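    As an added example (it is not part of the thread and not Sophos code), the following Python script does the triage Bob is asking for: it reads the pluto lines pasted above, splits them into connection attempts per public peer address, and reports how far IKE got in each one. The split on the first unsolicited `packet from` line is a heuristic I chose for this example, and the verdict strings are mine; the sample log is the poster's own output, abridged.

```python
import re

# The pluto lines pasted in the post above, abridged (the repeated
# "ignoring Vendor ID" lines are dropped). Addresses and timestamps are the
# poster's; the last line is truncated exactly as it is on the page.
SAMPLE_LOG = """\
2014:07:15-21:49:56 home pluto[5477]: "L_for admin"[11] 46.135.105.3:41784 #107: received Delete SA(0x049d36b2) payload: deleting IPSEC State #108
2014:07:15-21:49:56 home pluto[5477]: "L_for admin"[11] 46.135.105.3:41784 #107: deleting connection "L_for admin"[4] instance with peer 46.135.105.3 {isakmp=#0/ipsec=#0}
2014:07:15-21:49:56 home pluto[5477]: "L_for admin"[11] 46.135.105.3:41784 #107: received Delete SA payload: deleting ISAKMP State #107
2014:07:15-21:49:56 home pluto[5477]: "L_for admin"[11] 46.135.105.3:41784: deleting connection "L_for admin"[11] instance with peer 46.135.105.3 {isakmp=#0/ipsec=#0}
2014:07:15-21:50:01 home pluto[5477]: packet from 46.135.105.3:55063: received Vendor ID payload [RFC 3947]
2014:07:15-21:50:01 home pluto[5477]: packet from 46.135.105.3:55063: received Vendor ID payload [Dead Peer Detection]
2014:07:15-21:50:01 home pluto[5477]: "L_for admin"[12] 46.135.105.3:55063 #115: responding to Main Mode from unknown peer 46.135.105.3:55063
2014:07:15-21:50:01 home pluto[5477]: "L_for admin"[12] 46.135.105.3:55063 #115: NAT-Traversal: Result using RFC 3947: peer is NATed
2014:07:15-21:50:02 home pluto[5477]: "L_for admin"[12] 46.135.105.3:55063 #115: Peer ID is ID_IPV4_ADDR: '10.23.104.246'
2014:07:15-21:50:02 home pluto[5477]: "L_for admin"[13] 46.135.105.3:55063 #115: Dead Peer Detection (RFC 3706) enabled
2014:07:15-21:50:02 home pluto[5477]: | NAT-T: new mapping 46.135.105.3:55063/41784)
2014:07:15-21:50:02 home pluto[5477]: "L_for admin"[13] 46.135.105.3:41784 #115: sent MR3, ISAKMP SA established
2014:07:15-21:50:03 home pluto[5477]: "L_for admin"[5] 46.135.105.3:41784 #116: responding to Quick Mode
2014:07:15-21:50:03 home pluto[5477]: "L_for admin"[5] 46.135.105.3:41784 #116: IPsec SA established {ESP=>0x039c4dea
"""

PLUTO_RE = re.compile(r"^(?P<ts>\S+) \S+ pluto\[\d+\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
PEER_ID_RE = re.compile(r"Peer ID is \S+: '(?P<id>[^']*)'")
STATE_RE = re.compile(r"(?<!=)#(\d+)")  # state numbers, skipping the "=#0" counters

# IKEv1 responder milestones in the order pluto reports them.
MILESTONES = (
    ("main_mode", "responding to Main Mode"),
    ("isakmp_sa", "ISAKMP SA established"),
    ("quick_mode", "responding to Quick Mode"),
    ("ipsec_sa", "IPsec SA established"),
)
STAGE_ORDER = [name for name, _ in MILESTONES]


def parse_pluto(text):
    """Yield (timestamp, peer_ip, peer_port, message); the peer is the first
    ip:port in the message, i.e. the public (NAT) address of the client."""
    for raw in text.splitlines():
        m = PLUTO_RE.match(raw)
        p = PEER_RE.search(m.group("msg")) if m else None
        if p:
            yield m.group("ts"), p.group("ip"), int(p.group("port")), m.group("msg")


def _new_attempt(ts):
    return {"first": ts, "last": ts, "stage": None, "nated": False, "peer_id": None,
            "ports": [], "states": set(), "delete_sa": 0, "started": False}


def summarize(text):
    """Per public peer IP, a list of connection attempts. A new attempt starts
    at an unsolicited 'packet from' line once the previous attempt has moved
    past that point (a heuristic chosen for this example)."""
    peers = {}
    for ts, ip, port, msg in parse_pluto(text):
        attempts = peers.setdefault(ip, [])
        first_packet = msg.startswith("packet from ")
        if not attempts or (first_packet and attempts[-1]["started"]):
            attempts.append(_new_attempt(ts))
        a = attempts[-1]
        a["last"] = ts
        a["started"] = a["started"] or not first_packet
        if port not in a["ports"]:
            a["ports"].append(port)  # changes when NAT-T remaps the peer
        a["states"].update(int(s) for s in STATE_RE.findall(msg))
        for name, marker in MILESTONES:
            if marker in msg and (a["stage"] is None
                                  or STAGE_ORDER.index(name) > STAGE_ORDER.index(a["stage"])):
                a["stage"] = name
        if "peer is NATed" in msg:
            a["nated"] = True
        pid = PEER_ID_RE.search(msg)
        if pid:
            a["peer_id"] = pid.group("id")
        if "received Delete SA" in msg:
            a["delete_sa"] += 1
    return peers


def diagnose(a):
    """One-line verdict for an attempt, in the terms the thread uses."""
    if a["stage"] is None:
        if a["delete_sa"]:
            return "only SA teardown seen; these lines belong to an earlier attempt"
        return "no IKE exchange logged; check that the client's IKE packets reach the UTM"
    if a["stage"] != "ipsec_sa":
        return "IKE stopped after %s; the failure is inside IPsec negotiation" % a["stage"]
    return ("IKE phase 1 and 2 completed (peer NATed: %s); pluto has nothing more to log, "
            "so the L2TP/PPP stage carried inside the tunnel is where to look next" % a["nated"])


if __name__ == "__main__":
    for ip, attempts in summarize(SAMPLE_LOG).items():
        for n, a in enumerate(attempts, 1):
            print("%s attempt %d %s..%s states %s: %s" % (
                ip, n, a["first"], a["last"], sorted(a["states"]), diagnose(a)))
```

    Run against the pasted log it reports two attempts from 46.135.105.3: the first consists only of the Delete SA teardown of states #107/#108 (the tail of an earlier try, which is why Bob asks for a single attempt), the second runs through Main Mode, ISAKMP SA, Quick Mode and IPsec SA (states #115/#116, ports 55063 then 41784 after the NAT-T remap). Since pluto only logs IKE and IPsec, an attempt that ends at "IPsec SA established" with nothing after it means the tunnel itself came up and the fault lies in what runs on top of it.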
  • Please add the lines after those that relate to the L2TP establishment for this attempt.  You do need firewall rules to allow traffic from "VPN Pool (L2TP)" to transit the UTM, 'VPN Pool (L2TP) -> Web Surfing -> Internet : Allow' for example.

    Cheers - Bob
  • Hi Bob,
    There are no other lines, otherwise I would paste them here... :-/ That is strange, it ends at IPsec SA established and that was it... and the phone ends with an unsuccessful connection or a disconnected state...
  • Also I have tried to configure an IPsec VPN... From the mobile network I'm not able to connect; if I try to connect from Wi-Fi on the same LAN as the UTM's LAN interface, then it connects without problem to IPsec RSA with XAuth...
  • Probably, the L2TP Client is not configured correctly.

    Cheers - Bob
  • Bob, there is nothing to configure wrongly, just the server IP/DNS name and PSK, then username and password. I'm able to connect from the phone to Kerio Control as well as to ZyXEL ZyWALL USGs without any problems; only the Sophos UTM makes these troubles :-( IPsec SA established and then it hangs and disconnects...
  • Click on [Go Advanced] and attach a picture of the 'Security' tab of 'Properties' for the Windows L2TP client.

    Cheers - Bob
  • Bob, the Windows client connects without problem, that's fine, but I'm in trouble with the Android device...