
Remote access - IPsec (Cisco Client & Shrewsoft Client)

I've been playing about with these for a few days and I'm getting stumped a little.

The only way I can connect both clients is by placing an "Any IPv4" or "Any" in the local networks tab.
That then gives the remote client access to all (as you would expect)

However, the issue is... I've not put any firewall rules in to allow it!!

Using a Preshared Key
If I use a preshared key, I don't get any option to allow automatic firewall rules. Nothing. So I can only assume it puts them in, although I can't see them under any rule (manual or automatic). So not quite sure what's going on there. If I place a manual firewall rule at the top with the source of the remote IPsec VPN pool, any service, anywhere, block, it doesn't have any effect?? That's serious stuff!

If I use a certificate
If I use a certificate, I get the option to use automatic firewall rules. If I choose not to (i.e. leave it unticked), access is granted to everything as above. So that's not right either.

If I use a more restrictive network (rather than any)
Both clients won't connect as there is no policy for 0.0.0.0/0. I can also use "internet" instead of "Any" but get the same results, i.e. access to everything.

I'm stuck and can't use IPsec (which I need to use) and can't understand why a remote client can bypass the top firewall rule which is set to block anything coming from it?



  • Further to this, I tried the same setup with SSL and it works as it should. So it's definitely an issue with the IPsec.

    Could do with a link directly from the remote access tabs into the logging tab though. Sometimes I want to see a little more detail than it shows.

  • Louis, look first at #2 in Rulz to understand why your manual firewall rule couldn't block a packet already allowed in the Remote Access definition.

    I don't have a Shrewsoft client handy, but the Cisco client works fine on my iPhone with only "Internal (Network)" in 'Local Networks'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
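The ordering Bob points at, as an added example that is not part of the thread and not Sophos code: a small Python model in which traffic from the VPN pool to a configured Local Networks entry is accepted by the remote access definition before the manual rule table is consulted, so a manual "block" at the top never sees it, and the Local Networks entry itself decides what the client can reach. It also models the Phase 2 failure from the original post (client proposes 0.0.0.0/0, gateway has no covering policy for a narrower entry). The evaluation order, the Phase 2 check, the sample pool 10.242.2.0/24 and the sample LAN 10.1.1.0/24 are illustrative assumptions.

```python
"""Model of how an IPsec remote access 'Local Networks' definition interacts with
manual firewall rules, as described in the thread. Added example, not Sophos code;
the evaluation order and the Phase 2 check are modelling assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
SAMPLE_POOL = ip_network("10.242.2.0/24")  # constructed: remote IPsec VPN pool
SAMPLE_LAN = ip_network("10.1.1.0/24")     # constructed: one internal network


@dataclass(frozen=True)
class Rule:
    """One manual firewall rule: source network, destination network, action."""
    src: IPv4Network
    dst: IPv4Network
    action: str  # "allow" or "block"

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


# The rule the original poster placed at the top: block everything from the pool.
BLOCK_ALL_FROM_POOL = Rule(SAMPLE_POOL, ANY, "block")


def phase2_selector_accepted(proposed_remote: IPv4Network, local_networks) -> bool:
    """Phase 2 check as the thread describes it: the gateway needs a policy that
    covers the selector the client proposes (these clients propose 0.0.0.0/0).
    A narrower entry such as 10.1.1.0/24 covers nothing of that, so Phase 2 fails.
    Modelling assumption, not the product's actual negotiation code."""
    return any(proposed_remote.subnet_of(local) for local in local_networks)


def evaluate_packet(local_networks, pool: IPv4Network, rules, src_ip: str, dst_ip: str) -> str:
    """Decide what happens to one packet arriving from the tunnel."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    # Step 1 (assumed order): traffic from the pool to a configured local network
    # is already allowed by the remote access definition; the manual rule table
    # is never consulted for it. This is why the top "block" rule had no effect.
    if src in pool and any(dst in local for local in local_networks):
        return "allow: ipsec remote access definition"
    # Step 2: anything else goes through the manual rules, first match wins.
    for rule in rules:
        if rule.matches(src, dst):
            return f"{rule.action}: manual rule {rule.src} -> {rule.dst}"
    return "block: default drop"


def audit_local_networks(local_networks):
    """Return the entries equivalent to Any, i.e. those that hand the remote
    client a path to every address behind the gateway."""
    return [n for n in local_networks if n.prefixlen == 0]


if __name__ == "__main__":
    # Reproduces the symptom: "Any" in Local Networks, manual block on top.
    print(evaluate_packet([ANY], SAMPLE_POOL, [BLOCK_ALL_FROM_POOL], "10.242.2.5", "192.168.1.10"))
    # With a narrow entry the block rule is finally reached...
    print(evaluate_packet([SAMPLE_LAN], SAMPLE_POOL, [BLOCK_ALL_FROM_POOL], "10.242.2.5", "192.168.1.10"))
    # ...but the clients' 0.0.0.0/0 proposal no longer has a covering policy.
    print("phase2 with Any:", phase2_selector_accepted(ANY, [ANY]))
    print("phase2 with LAN only:", phase2_selector_accepted(ANY, [SAMPLE_LAN]))
    print("over-broad entries:", audit_local_networks([ANY, SAMPLE_LAN]))
```

The useful takeaway for reviewing such a setup is the last function: any Local Networks entry with prefix length 0 means the remote access definition, not the rule table, is what grants the client reach to everything behind the gateway.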
  • Hi Bob,

    As I understand it:

    It doesn't really matter what I put in the local networks if I don't tick "automatic firewall rules". By not ticking "automatic firewall rules", you have to create your own to allow/disallow traffic.

    So in the above case, I'm finding that I can only get access with "any" or "internet" in the local networks. Anything else and the IPsec tunnel won't come up.
    When it does come up with "any" or "internet" and without any automatic firewall rules or manual rules, the remote user can access all.

    This isn't the Cisco client option on the firewall. This is the IPsec section. SSL works as expected and maybe the Cisco Client too, but IPsec certainly doesn't.

  • Just following up on this one. Have to say I'm not that impressed with Sophos (Premium??) support. Been a week now without any pointers. The silence is deafening!

    You can see in the screenshots below that no automatic firewall rules are offered. Even if you do select them, they are no good and are overridden.


    The above one offers firewall rules if a certificate is used. They don't work though!


    This one doesn't offer automatic firewall rules if you use a preshared key.

    As with both above, I have to enter "internet" or "any". If I enter a subnet, e.g. 10.1.1.0/24, the IPsec tunnel won't come up full stop and fails at phase 2.

    This only affects IPsec, not the Cisco client or SSL.

  • And... due to the firewall rules not having any effect, I can't limit access via rules & time of day, e.g. only allow ACME support access to HOST A during weekday work hours etc.
