Hello Everyone,
Thank you in advance for taking the time to look over this; I typically don't like to waste people's time unless I've spent a long time on it myself and I just can't figure it out. Also, please bear with me on the terrible picture: I am a software engineer by trade and do not deal with networking very much at work, and this is all for a long-running home lab project.
The issue: I am running a Sophos UTM that I have deployed inside my virtualization server. The last two weeks are my first experience with Sophos products, so I am still testing everything and did not deploy it as my main firewall. I drew a very simple diagram, attached to this post, but essentially
I am running a dedicated PFsense box with 6 NICs to which my FIOS connects and then breaks into 4 subnets (only two of which are displayed). The Sophos UTM has 2 virtual NICs on that subnet: a 'WAN' (10.10.10.100) and a 'LAN' (10.10.10.110).
My goal right now is to configure the Ipsec vpn and SSL vpn features on the sophos box so I am actually able to connect to the vpn servers from the outside of my network. I want to be able to connect to my network and be able to delegate access to various IP addresses inside the 10.10.10.0/24 subnet (my server subnet and location of the sophos box) and ips on the 10.10.20.0/24 subnet; this will be done based on user and group membership. I also want to expose the "User portal" for Sophos on the 10.10.10.100 IP along with all the VPN servers; while only allowing Admin Console access on the 10.10.10.110 IP.
Thus far I have not been able to get any of the VPN servers to actually function. I have previously set up an OpenVPN Access Server in the same network layout and had not had issues, but at this point I am at a loss. What seems to happen is the clients are able to "partially" connect to the VPN servers (SSL & IPsec) but communication gets lost. I am stating that based on the errors I am seeing. Here is what I have set up so far:
Ipsec UDP 500 -> 500
L2TP UDP Any -> 1701
L2TP Triggering (Port Triggering) UDP Any -> 1701
PPTP TCP Any -> 1723
GRE
Remote Access: Ipsec
Interface: External (10.10.10.100)
Local Networks: Main LAN(10.10.10.0/24) and User Net (10.10.20.0/24))
Virtual IP pool: VPN Pool(IPsec)
Automatic firewall rules enabled
Nat Traversal enabled
SSL:
Same basic configurations as IPsec
Interface: External
Protocol UDP
Port: 8443
Pool Network: VPN Pool(SSL)
Firewall:
VPN Pool(Both) ---> Any (Any)
Any ---> VPN Pool (Both)
NAT:
VPN Pool(Both) ---> External
On my PFsense box I have set up port forwarding to forward port 8443 (UDP), 4500, 500, ESP and AH all to the "External" IP of the Sophos box. I have also added the NAT routes for the 'VPN Pool' IP addresses on the PFsense box, hoping that this would also allow VPN users to browse the internet. I have tried many configurations, including currently where I have turned off the 'internal' port on my Sophos box, renamed the 'external' and left it as the only connection, changing all the forwarding, etc. to that IP. This does not help at all.
What ends up happening is the SSL VPN connection will process all of the authentication and essentially "hang" right after verifying the server certificate and CA. The IPsec client also attempts to authenticate but eventually fails with a timeout issue after getting halfway. I feel as if something is wrong with the routing and I am essentially dropping packets. If you need a clarification on something please let me know. Thank you in advance for your time!
EDIT: I am not sure how much this is going to help but here is an example log of what I am seeing when I try to connect:
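As an added example (not from the original post, and not Sophos or pfSense code), a small Python check that a list of forwarding entries like the ones in the post covers what an IPsec and SSL VPN listener behind NAT needs; the required set (IKE UDP/500, NAT-T UDP/4500, ESP, and UDP/8443 for the SSL VPN as configured) is an assumption drawn from the services the post sets up, and the two sample lists are constructed from the post's own rule lists.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not from the original post. The required set below is an
# assumption based on the services the post configures: IKE UDP/500,
# NAT-T UDP/4500 and ESP for IPsec; UDP/8443 for the SSL VPN listener.

@dataclass(frozen=True)
class Forward:
    proto: str                  # "udp", "tcp", "esp", "ah" or "gre"
    port: Optional[int] = None  # None for port-less IP protocols

REQUIRED = {
    "ipsec": {Forward("udp", 500), Forward("udp", 4500), Forward("esp")},
    "ssl": {Forward("udp", 8443)},
}
PROTOS = {"UDP", "TCP", "ESP", "AH", "GRE"}

def parse_rule(line: str) -> Forward:
    """Parse a one-line rule such as 'Ipsec UDP 500 -> 500' or 'ESP'.
    Only the destination side (right of '->') matters for a listener."""
    tokens = line.replace("(Port Triggering)", "").split()
    proto = next(t.upper() for t in tokens if t.upper() in PROTOS)
    port = None
    if "->" in tokens:
        dest = tokens[tokens.index("->") + 1]
        port = int(dest) if dest.isdigit() else None
    return Forward(proto.lower(), port)

def missing_forwards(rules, services=("ipsec", "ssl")):
    """Return, per service, the required entries absent from `rules`."""
    present = {parse_rule(r) for r in rules}
    gaps = {svc: REQUIRED[svc] - present for svc in services}
    return {svc: gap for svc, gap in gaps.items() if gap}

# Constructed from the lists in the post; it does not say which device
# each list sits on, so they are checked independently here.
PFSENSE_FORWARDS = ["SSLVPN UDP Any -> 8443", "IKE UDP Any -> 500",
                    "NAT-T UDP Any -> 4500", "ESP", "AH"]
UTM_RULES = ["Ipsec UDP 500 -> 500", "L2TP UDP Any -> 1701",
             "L2TP Triggering (Port Triggering) UDP Any -> 1701",
             "PPTP TCP Any -> 1723", "GRE"]

if __name__ == "__main__":
    for name, rules in (("pfSense", PFSENSE_FORWARDS), ("UTM", UTM_RULES)):
        print(name, missing_forwards(rules) or "covers IPsec and SSL VPN")
```

Any service that comes back with a non-empty set has a hop that cannot pass the listed protocol or port, which is one way to narrow a "hangs after the handshake" symptom before looking at routing of the pool addresses.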