Remote access - IPsec (Cisco Client & Shrewsoft Client)

I've been playing about with these for a few days and I'm getting stumped a little.

The only way I can connect both clients is by placing an "Any IPv4" or "Any" in the local networks tab.
That then gives the remote client access to all (as you would expect)

However, the issue is......... I've not put any firewall rules in to allow it!! 

Using a Preshared Key
If I use a preshared key, I don't get any option to allow automatic firewall rules. Nothing. So I can only assume it puts them in although I can't see them under any rule (manual or automatic). So not quite sure what's going on there. If I place a manual firewall rule at the top with the source of the remote IPsec VPN pool, any service, anywhere, block, it doesn't have any effect?? That's serious stuff!

If I use a certificate
If I use a certificate, I get the option to use automatic firewall rules. If I choose not to (i.e. leave it unticked), access is granted to everything as above. So that's not right either.

If I use a more restrictive network (rather than any)
Both clients won't connect as there is no policy for 0.0.0.0/0. I can also use "internet" instead of "Any" but get the same results, i.e. access to everything.

I'm stuck and can't use IPsec (which I need to use) and can't understand why a remote client can bypass the top firewall rule which is set to block anything coming from it?

  • Further to this, I tried the same setup with SSL and it works as it should. So it's definitely an issue with the IPsec.

    Could do with a link directly from remote access tabs into the logging tab though. Sometimes I want to see a little more detail than it shows

  • Louis, look first at #2 in Rulz to understand why your manual firewall rule couldn't block a packet already allowed in the Remote Access definition.

    I don't have a Shrewsoft client handy, but the Cisco client works fine in my iPhone with only "Internal (Network)" in 'Local Networks'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    as I understand it:

    it doesn't really matter what I put in the local networks if I don't tick "automatic firewall" rules. By not ticking "automatic firewall" rules, you have to create your own to allow/disallow traffic

    So in the above case, I'm finding that I can only get access with "any" or "internet" in the local networks. Anything else and the IPsec tunnel won't come up.
    When it does come up with "any" or "internet" and without any automatic firewall rules or manual rules, the remote user can access all.

    This isn't the Cisco client option on the firewall. This is the IPsec section. SSL works as expected and maybe the Cisco Client too, but IPsec certainly doesn't.

  • Just following up on this one. Have to say I'm not that impressed with Sophos (Premium??) support. Been a week now without any pointers. The silence is deafening!

    You can see in the screenshots below that no automatic firewall rules are offered. Even if you do select them, they are no good and are overridden.


    The above one offers firewall rules if a certificate is used. They don't work though!


    This one doesn't offer automatic firewall rules if you use a preshared key

    As with both above, I have to enter "internet" or "any". If I enter a subnet e.g. 10.1.1.0/24, the IPsec tunnel won't come up full stop and fails at phase 2.

    This only affects IPsec, not the Cisco client or SSL

  • And...... due to the firewall rules not having any effect, I can't limit access via rules & time of day eg only allow ACME support access to HOST A during weekday work hours etc.

  • "If i enter a subnet eg 10.1.1.0/24, the ipsec tunnel won't come up full stop and fails at phase 2."

    Louis, can you show us the 50-60 lines from the log for a single connection attempt?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here is a log that doesn't allow me to connect. This one is restricting the network to 10.1.1.0/24

     pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [RFC 3947]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [Dead Peer Detection]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [Cisco-Unity]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[1] 111.222.333.444 #4: responding to Main Mode from unknown peer 111.222.333.444
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[1] 111.222.333.444 #4: NAT-Traversal: Result using RFC 3947: peer is NATed
    2016:08:09-18:20:51 gw01-1 pluto[7031]: | NAT-T: new mapping 111.222.333.444:500/4500)
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[1] 111.222.333.444:4500 #4: Peer ID is ID_IPV4_ADDR: '192.168.254.200'
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: deleting connection "S_SUPPORT_MYSUPPORT"[1] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Dead Peer Detection (RFC 3706) enabled
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sent MR3, ISAKMP SA established
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: parsing ModeCfg request
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: peer requested virtual IP %any
    2016:08:09-18:20:51 gw01-1 pluto[7031]: acquired existing lease for address 10.242.4.1 in pool 'VPN Pool (IPsec)'
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: assigning virtual IP 10.242.4.1 to peer
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending ModeCfg reply
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sent ModeCfg reply, established
    2016:08:09-18:20:51 gw01-2 pluto[7091]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500: deleting connection "S_SUPPORT_MYSUPPORT"[2] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}
    2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
    2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
    2016:08:09-18:20:55 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
    2016:08:09-18:20:55 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
    2016:08:09-18:20:57 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x264463ad (perhaps this is a duplicated packet)
    2016:08:09-18:20:57 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:00 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x23ee3e6f (perhaps this is a duplicated packet)
    2016:08:09-18:21:00 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:02 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x264463ad (perhaps this is a duplicated packet)
    2016:08:09-18:21:02 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:05 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x23ee3e6f (perhaps this is a duplicated packet)
    2016:08:09-18:21:05 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:07 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x264463ad (perhaps this is a duplicated packet)
    2016:08:09-18:21:07 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:10 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x23ee3e6f (perhaps this is a duplicated packet)
    2016:08:09-18:21:10 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:11 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
    2016:08:09-18:21:11 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
    2016:08:09-18:21:16 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x9233fb68 (perhaps this is a duplicated packet)
    2016:08:09-18:21:16 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:21 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: received Delete SA payload: deleting ISAKMP State #4
    2016:08:09-18:21:21 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500: deleting connection "S_SUPPORT_MYSUPPORT"[2] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}
    2016:08:09-18:21:21 gw01-2 pluto[7091]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500: deleting connection "S_SUPPORT_MYSUPPORT"[2] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}

  • The main line is:

    pluto[7091]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500: deleting connection "S_SUPPORT_MYSUPPORT"[2] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}
    2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
    2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
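As an added illustration (this is not code from the thread, from Sophos, or from the pluto project), here is a small Python checker that reads the pluto lines posted above and pulls the traffic selectors out of the "no connection is known for" rejection. It models the phase-2 match as plain subnet containment: the local selector the client proposes (the left-hand network in that line) has to sit inside one of the configured Local Networks. That model, the sample-line selection and the function names are assumptions of the example. Run against the thread's own lines with Local Networks set to 10.1.1.0/24, it reports that the client asked for 0.0.0.0/0 and nothing configured covers it, which is the symptom described in the posts above.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_network

# Sample input: lines taken from the pluto log posted in this thread, trimmed to
# the ones relevant to phase 2 (the poster's anonymised addresses kept as-is).
SAMPLE_LOG = """\
2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: peer requested virtual IP %any
2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: assigning virtual IP 10.242.4.1 to peer
2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sent ModeCfg reply, established
2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
2016:08:09-18:20:55 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
2016:08:09-18:20:55 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
"""

# "no connection is known for <local>===<gateway>...<peer>===<client>": the
# client proposed <local> as the network it wants to reach through the tunnel
# and <client> (its virtual IP) as its own side; pluto found no configured
# connection whose selectors match that pair.
FAILURE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<state>\d+): cannot respond to IPsec SA '
    r'request because no connection is known for '
    r'(?P<local>\S+?)===.+?===(?P<remote>\S+)$'
)
VIRTUAL_IP_RE = re.compile(r'assigning virtual IP (?P<ip>\S+) to peer')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<kind>[A-Z_]+) to')


@dataclass(frozen=True)
class Phase2Failure:
    connection: str
    state: int
    local_selector: str   # network the client asked to reach
    remote_selector: str  # the client's own (virtual) address


def parse_phase2_failures(log_text):
    """Extract every 'no connection is known for' rejection from the log."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            failures.append(Phase2Failure(m["conn"], int(m["state"]),
                                          m["local"], m["remote"]))
    return failures


def selector_is_covered(selector, local_networks):
    """Assumed match model: some Local Networks entry must contain the whole selector."""
    wanted = ip_network(selector, strict=False)
    return any(wanted.subnet_of(ip_network(n, strict=False)) for n in local_networks)


def analyze(log_text, local_networks):
    """Summarise phase-2 outcome for a single connection attempt."""
    lines = log_text.splitlines()
    failures = parse_phase2_failures(log_text)
    requested = sorted({f.local_selector for f in failures})
    uncovered = [s for s in requested if not selector_is_covered(s, local_networks)]
    virtual_ips = [m["ip"] for m in (VIRTUAL_IP_RE.search(l) for l in lines) if m]
    notifications = {}
    for line in lines:
        m = NOTIFY_RE.search(line)
        if m:
            notifications[m["kind"]] = notifications.get(m["kind"], 0) + 1
    return {
        "phase2_failures": len(failures),
        "requested_local_selectors": requested,
        "uncovered_selectors": uncovered,
        "assigned_virtual_ips": virtual_ips,
        "notifications": notifications,
    }


def explain(report, local_networks):
    """One-line verdict in the terms used in this thread."""
    if not report["phase2_failures"]:
        return "no phase-2 rejections found"
    if report["uncovered_selectors"]:
        return ("phase 2 rejected: client proposed %s but Local Networks %s covers "
                "none of it; a client asking for all traffic only matches when "
                "Local Networks includes Any/Internet"
                % (", ".join(report["uncovered_selectors"]), local_networks))
    return "phase 2 rejected although the proposed selectors are covered"


if __name__ == "__main__":
    configured = ["10.1.1.0/24"]  # the restrictive Local Networks setting from the thread
    report = analyze(SAMPLE_LOG, configured)
    print(report)
    print(explain(report, configured))
```

Changing `configured` to `["0.0.0.0/0"]` makes the uncovered list empty, which matches the poster's observation that the tunnel only comes up with "Any"; the firewall-rule question is separate and is not something this parser can judge from the IKE log.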

  • Louis, see if my post from four years ago applies.  I had to scratch my head a bit on this one as that error is one that is not uncommon when configuring IPsec site-to-site connections.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    many thanks for still replying and looking. Better than Sophos "Premium" support which shall we say is a little lacking to say the least. If that is their premium support, they are lucky they haven't been sued!

    Anyway, your reply wouldn't be far out and I'd already tried this.

    1. I can actually limit the client to a subnet if I put that subnet AND internet in the local networks on the UTM.

    2. If I put a manual firewall rule in at the top (as it doesn't offer auto) to limit the IPsec client to a specific host on that subnet set in the UTM, it doesn't have an effect. The IPsec client can reach everything on that subnet.

    3. If I just put the host in that I want it restricted to, e.g. 10.1.1.100/32 on the UTM (as well as internet, as I have to put this in for the tunnel to come up), the IPsec client can still reach everything on that subnet, e.g. 10.1.1.0/24. Add a firewall rule again and it doesn't matter.

    It's really strange and still waiting for Sophos PREMIUM support to answer after 6 weeks!! They pop in from time to time, have a look and off they go. Not a word!

  • Louis, the only real difference between Premium and Standard support is that you can open your own support ticket instead of going through your reseller - it's still the same people that handle the cases.  It sounds like you should ask for escalation of your issue.

    When logged into a Remote Access session as john1, the "john1 (User Network)" object is populated with the IP assigned.  This lets you make Firewall rules like 'john1 (User Network) -> Any -> Server : Allow' and 'john1 (User Network) -> Any -> Any : Drop'.  I don't understand why the second would be necessary just as I don't understand why you're having to use "Internet" in the definition.  When you get this escalated, be sure to have them look at these two issues.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA