Empty Subnet IPSEC

Hi everyone,

Set up an IPsec VPN for a single Mac client; IP, gateway, and DNS information is being passed along, but the subnet is empty.  I can ping IPs across the VPN, but no DNS resolution or other services are possible, presumably without the gateway.

Settings:
Firewall Rule
VPN Pool (L2TP) -> Any -> Internal Network

Definitions:
VPN Pool (L2TP)
10.242.3.0/24

LAN:
192.168.1.0/24

Remote Access: 
L2TP over IPsec
Interface: Uplink Interfaces
Authen Mode: Preshared Key
Assign IP address by: IP address pool
Pool Network: VPN Pool (L2TP)

Advanced:
DNS settings filled out

I presume it's something to do with rules and the VPN pool.  Any help is appreciated...thanks!


  • Advanced:
    DNS settings filled out

    Please explain.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If your DNS server is a public one (on the internet), then you need to masquerade the VPN pool and also add the Internet IPv4 and/or IPv6 network definitions to your VPN subnets.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Please explain.

    Cheers - Bob


    Thank you, sure...

    DNS: 
    Primary and Secondary DNS are pointed to 2 Domain Controllers on my LAN.

    So while the device connected via VPN can ping the IP of the Domain Controller across the VPN, DNS resolution is not working.  I also tried to connect to a remote desktop session across the VPN using the FQDN and the IP of the remote desktop, and the service did not work.

    Thank you
  • If your DNS-server is a public one (on the internet), then you need to masquerade the VPN pool and also add the Internet IPv4 and or IPv6 network definitions in your VPN-subnets.


    Private DNS, do I need any masquerading rules in that case?
  • Stupid question, but do you have access control for your DNS on the DNS server (which IPs can send queries to the DNS)?

    Also try to do the following from shell or command prompt:
    nslookup
    server IP
    set type=A
    Google

    Replace the IP with the IP address of your DNS server. Post the results.
  • Thank you for thinking about that detail, no, I do not have access control for my DNS servers.

    Here are the NSLOOKUP results:
    MBA11:~ adresner$ nslookup
    > 192.168.1.10
    Server: 192.168.1.3
    Address: 192.168.1.3#53

    10.1.168.192.in-addr.arpa name = dc2-12r2.mydomain.com.
    > ^C
    MBA11:~ adresner$ ping LINCOLN
    ping: cannot resolve LINCOLN: Unknown host
    MBA11:~ adresner$ nslookup
    > 8.8.8.8
    Server: 192.168.1.10
    Address: 192.168.1.10#53

    Non-authoritative answer:
    8.8.8.8.in-addr.arpa name = google-public-dns-a.google.com.

    Authoritative answers can be found from:
  • Private DNS, do I need any masquerading rules in that case?


    Not if they are in a subnet that's already part of your VPN subnet(s). You do have to make firewall rules however.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Update:
    I believe this is about my rules.

    Firstly, I adjusted my Masquerading rule:
    VPN Pool (L2TP) --> Internal Network


    Opened up the live firewall log and saw this:

    16:34:36 Default DROP L2TP  10.242.3.2:56389 → 17.172.238.205:5223  [SYN] len=64 ttl=63 tos=0x00 srcmac=0:7:e9:3:3:76
    16:34:36 Default DROP L2TP  10.242.3.2:56381 → 17.172.232.12:5223  [SYN] len=64 ttl=63 tos=0x00 srcmac=0:7:e9:3:3:76

    So I created a firewall rule:
    VPN Pool (L2TP) -> Any -> Any, and those DROPs went away, leaving the following drops:

    16:35:28 Default DROP UDP   10.242.3.2:5353 → 10.242.3.1:5351   len=88 ttl=255 tos=0x00
    16:35:28 Default DROP SSDP  10.242.3.2:54378 → 10.242.3.1:1900    len=156 ttl=255 tos=0x00

    I am able to do RDP but only via IP, DNS is still not resolving.  My email is coming in via mail.app which is connected to my exchange server.  iCloud account is not working, clearly needs DNS to get going...

    So getting closer, just need to get DNS working!
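The live-log lines in the update above are the most useful evidence in this thread, so here is a small added example (not Sophos code and not anything the poster ran) that parses "Default DROP" lines of that shape and checks each dropped flow against an ordered, first-match rule table modelled on the definitions in the thread (VPN Pool 10.242.3.0/24, Internal Network 192.168.1.0/24). The rule tables, the service definitions and the last log line (a UDP/53 query to a LAN domain controller) are constructed for illustration; the first four log lines are the ones pasted in the thread.

```python
"""Classify Sophos UTM live-log DROP lines against a first-match rule table.

Added example for this thread; not Sophos code.  The log line shape follows
the "Default DROP" lines pasted in the thread; rule tables, service
definitions and the final log line are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# First four lines: live-log excerpt from the thread.
# Last line: constructed, a DNS query from the VPN client to a LAN domain controller.
SAMPLE_LOG = """\
16:34:36 Default DROP L2TP  10.242.3.2:56389 → 17.172.238.205:5223  [SYN] len=64 ttl=63 tos=0x00 srcmac=0:7:e9:3:3:76
16:34:36 Default DROP L2TP  10.242.3.2:56381 → 17.172.232.12:5223  [SYN] len=64 ttl=63 tos=0x00 srcmac=0:7:e9:3:3:76
16:35:28 Default DROP UDP   10.242.3.2:5353 → 10.242.3.1:5351   len=88 ttl=255 tos=0x00
16:35:28 Default DROP SSDP  10.242.3.2:54378 → 10.242.3.1:1900    len=156 ttl=255 tos=0x00
16:36:02 Default DROP UDP   10.242.3.2:61004 → 192.168.1.10:53   len=70 ttl=63 tos=0x00
"""

# time, action, service/protocol column, src:port, arrow, dst:port (extra spaces tolerated)
DROP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+Default DROP\s+(?P<svc>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*(?:→|->)\s*(?P<dst>[\d.]+)\s*:(?P<dport>\d+)"
)

# Network definitions as described in the thread.
NETWORKS = {
    "VPN Pool (L2TP)": ipaddress.ip_network("10.242.3.0/24"),
    "Internal Network": ipaddress.ip_network("192.168.1.0/24"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}

# Service definitions (constructed): None means any port, else allowed destination ports.
SERVICES = {"Any": None, "DNS": {53}, "RDP": {3389}}

# Ordered rule tables; UTM evaluates top-down and the first match wins.
# Each rule: (source definition, service definition, destination definition, action).
RULES_ORIGINAL = [("VPN Pool (L2TP)", "Any", "Internal Network", "allow")]
# The broad rule the poster added to make the 5223 drops disappear.
RULES_ANY_ANY = RULES_ORIGINAL + [("VPN Pool (L2TP)", "Any", "Any", "allow")]
# A narrower alternative: only the services the VPN client actually needs on the LAN.
RULES_NARROW = [
    ("VPN Pool (L2TP)", "DNS", "Internal Network", "allow"),
    ("VPN Pool (L2TP)", "RDP", "Internal Network", "allow"),
]


def parse_drops(log_text):
    """Return a list of dicts, one per line that matches the DROP line shape."""
    flows = []
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue  # ignore lines in other formats
        flows.append({
            "time": m["time"], "svc": m["svc"],
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
        })
    return flows


def first_match(flow, rules):
    """Return (rule index, action) of the first matching rule, or (None, 'drop')."""
    for i, (src_def, svc_def, dst_def, action) in enumerate(rules):
        ports = SERVICES[svc_def]
        if (flow["src"] in NETWORKS[src_def]
                and flow["dst"] in NETWORKS[dst_def]
                and (ports is None or flow["dport"] in ports)):
            return i, action
    return None, "drop"  # no rule matched: implicit default drop


def dport_summary(flows):
    """Count dropped flows per (service column, destination port) to spot the needed services."""
    return Counter((f["svc"], f["dport"]) for f in flows)


def explain(flows, rules):
    """Human-readable verdict per flow for a given rule table."""
    lines = []
    for f in flows:
        idx, action = first_match(f, rules)
        where = f"rule #{idx}" if idx is not None else "no rule"
        lines.append(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ({f['svc']}): {action} by {where}")
    return lines


if __name__ == "__main__":
    flows = parse_drops(SAMPLE_LOG)
    print("Dropped flows by destination port:", dict(dport_summary(flows)))
    for name, table in (("original", RULES_ORIGINAL), ("any-any", RULES_ANY_ANY), ("narrow", RULES_NARROW)):
        print(f"\n[{name}]")
        print("\n".join(explain(flows, table)))
```

Run it and the three tables tell the story in the thread: with the original rule only the constructed DNS flow to 192.168.1.10 is allowed, the TCP/5223 connections to the 17.x hosts and the UDP/5351 and SSDP/1900 packets to the UTM's own VPN address (10.242.3.1) have no matching rule; the "Any Any" rule matches all of them, while the narrow table keeps the LAN services open and leaves the rest dropped. A flow the table says should be allowed but that still shows up as a DROP in the live log points at the network or host definitions (or rule order) rather than at the rule itself, which is where Bob's last reply sends the poster.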
  • Adjusted a firewall rule regarding DNS, allowing the VPN network to talk DNS with the DNS server group...and we are good to go.
  • Hi, Allan, and a belated welcome to the User BB!

    Firstly, I adjusted my Masquerading rule:
     VPN Pool (L2TP) --> Internal Network

    Check your Network and Host definitions for ones that violate #3 in Rulz.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA