This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL Remote Access VPN not working

I am currently using Sophos UTM 9. I've never successfully been able to get the Remote Access VPN to work (I've searched the forums and followed documents). I currently have a Site-to-Site SSL VPN going which works fine. I can connect to the VPN successfully and get an IP, but I cannot ping or access anything on the internal network. I'm wondering if someone could help me diagnose the issue. Here is my setup:

- DHCP DSL connection with dynamic DNS address (Frontier in NC)
- Internal network is 192.168.1.x
- SSL Remote Access:
--- Internal (Network) [I've also tried Any]
--- Automatic firewall rules
--- Port 444
--- Pool network is VPN Pool (SSL)
- There are no firewall rules that are explicitly blocking related items

Here is what I have done and the results so far:
I've looked at the firewall logs and the only drops were going to DNS. I've since resolved that by adding my VPN Pool into the allowed connections for DNS. I see no errors in the Remote Access logs and it looks like it connects successfully.

I cannot ping any of the internal network address, including the gateway address for the Remote Access connection (10.242.2.5). However, I can ping from the UTM to the remote access IP address (10.242.2.6) successfully. I can also ping from internal machines to the remote device successfully.

I have tried this from a Windows 7 computer, Windows 10, and Android, all with the same results.

Is there something else I can test? A setting I can check?

This thread was automatically locked due to age.

Parents

0 JW0914_01 over 9 years ago
I compared your conf to mine and minus the IP/port #, everything is the same.  I doubt you're receiving any errors in the vpn log, as verb is set to 3, but I would check it anyways.

In order to fully troubleshoot, verb needs to be set to a minimum of 7, so this is where you have a decision to make... if you have paid sophos support, I'd use it, as your only option would be to manually change the verb to 7 in openvpn.conf-default, disable, then re-enable vpn profile(s).

Sophos clearly states

If not explicitly approved by Sophos support, any modifications done by root will void your support.

and while you could change the verb back to 3 after troubleshooting, I'm not sure if Sophos support is able to track cli changes if the changes were reverted back to their defaults.  If you do decide to edit via the cli, prior to doing so, ensure the firewall rules on the remote device are not the issue, as my hunch is it's some sort of firewall issue on the remote device; however, due to Sophos' custom application of openvpn by confd, it's harder to troubleshoot what normally would be a fairly easy problem to troubleshoot and fix.  Have you tried disabling web filtering to see if that's the cause (although it's odd you're not seeing any dropped packets in the firewall log).

Also, is the vpn connecting two Sophos boxes (site-to-site) or a sophos box to a non-sophos remote device (remote access)?  If it's site-to-site, disable web filtering on both and compare the firewall logs of both devices when you make an attempt to access the local network of the remote device.  Ensure Enable debug mode is ticked under Site-to-Site - SSL - Advanced or Remote Access - SSL - Advanced

I haven't had much time to work on Sophos' openvpn implementation, however I do know from the little I've used it, I much prefer the OpenVPN VPN I have set up through OpenWRT on my WRT1900.  Earlier when I was testing mine as a reference point, I could access certain devices on my network, like my printer and AV receiver, but couldn't get a connection through to my FreeNAS server via CIFS, even though the firewall log clearly showed the packet was allowed to pass.  To verify it wasn't my FreeNAS server, I connected to the OpenVPN servers (I run 2) on my WRT1900 and was able to connect and view my CIFS shares just fine.

Just to reiterate, if you have paid support, I would highly recommend using it, as the only way I know of to troubleshoot your issue would be by looking at the OpenVPN logs with verb set to 7 (anything lower leaves out crucial information, while anything higher provides information not needed) on both the server and the client (client is easy to modify since you can modify the ovpn file in any text editor).

Edit the client ovpn file, add the options below, then reconnect with it

verb 7
float
preresolve

It may or may not accept the preresolve option, so if it causes an issue, remove it

You'll need to then pull up the client vpn log and compare it to the two firewall logs from above when you attempt to access the local network of the remote device.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 JW0914_01 over 9 years ago
I compared your conf to mine and minus the IP/port #, everything is the same.  I doubt you're receiving any errors in the vpn log, as verb is set to 3, but I would check it anyways.

In order to fully troubleshoot, verb needs to be set to a minimum of 7, so this is where you have a decision to make... if you have paid sophos support, I'd use it, as your only option would be to manually change the verb to 7 in openvpn.conf-default, disable, then re-enable vpn profile(s).

Sophos clearly states

If not explicitly approved by Sophos support, any modifications done by root will void your support.

and while you could change the verb back to 3 after troubleshooting, I'm not sure if Sophos support is able to track cli changes if the changes were reverted back to their defaults.  If you do decide to edit via the cli, prior to doing so, ensure the firewall rules on the remote device are not the issue, as my hunch is it's some sort of firewall issue on the remote device; however, due to Sophos' custom application of openvpn by confd, it's harder to troubleshoot what normally would be a fairly easy problem to troubleshoot and fix.  Have you tried disabling web filtering to see if that's the cause (although it's odd you're not seeing any dropped packets in the firewall log).

Also, is the vpn connecting two Sophos boxes (site-to-site) or a sophos box to a non-sophos remote device (remote access)?  If it's site-to-site, disable web filtering on both and compare the firewall logs of both devices when you make an attempt to access the local network of the remote device.  Ensure Enable debug mode is ticked under Site-to-Site - SSL - Advanced or Remote Access - SSL - Advanced

I haven't had much time to work on Sophos' openvpn implementation, however I do know from the little I've used it, I much prefer the OpenVPN VPN I have set up through OpenWRT on my WRT1900.  Earlier when I was testing mine as a reference point, I could access certain devices on my network, like my printer and AV receiver, but couldn't get a connection through to my FreeNAS server via CIFS, even though the firewall log clearly showed the packet was allowed to pass.  To verify it wasn't my FreeNAS server, I connected to the OpenVPN servers (I run 2) on my WRT1900 and was able to connect and view my CIFS shares just fine.

Just to reiterate, if you have paid support, I would highly recommend using it, as the only way I know of to troubleshoot your issue would be by looking at the OpenVPN logs with verb set to 7 (anything lower leaves out crucial information, while anything higher provides information not needed) on both the server and the client (client is easy to modify since you can modify the ovpn file in any text editor).

Edit the client ovpn file, add the options below, then reconnect with it

verb 7
float
preresolve

It may or may not accept the preresolve option, so if it causes an issue, remove it

You'll need to then pull up the client vpn log and compare it to the two firewall logs from above when you attempt to access the local network of the remote device.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data