
Remote access - IPsec (Cisco Client & Shrewsoft Client)

I've been playing about with these for a few days and I'm getting stumped a little.

The only way I can connect both clients is by placing an "Any IPv4" or "Any" in the local networks tab.
That then gives the remote client access to all (as you would expect).

However, the issue is... I've not put any firewall rules in to allow it!!

Using a Preshared Key
If I use a preshared key, I don't get any option to allow automatic firewall rules. Nothing. So I can only assume it puts them in, although I can't see them under any rule (manual or automatic). So not quite sure what's going on there. If I place a manual firewall rule at the top with the source of the remote IPsec VPN pool, any service, anywhere, block, it doesn't have any effect?? That's serious stuff!

If I use a certificate
If I use a certificate, I get the option to use automatic firewall rules. If I choose not to (i.e. leave it unticked), access is granted to everything as above. So that's not right either.

If I use a more restrictive network (rather than any)
Both clients won't connect as there is no policy for 0.0.0.0/0. I can also use "Internet" instead of "Any" but get the same results, i.e. access to everything.

I'm stuck and can't use IPsec (which I need to use) and can't understand why a remote client can bypass the top firewall rule which is set to block anything coming from it?

Louis, the only real difference between Premium and Standard support is that you can open your own support ticket instead of going through your reseller - it's still the same people that handle the cases. It sounds like you should ask for escalation of your issue.

When logged into a Remote Access session as john1, the "john1 (User Network)" object is populated with the IP assigned. This lets you make Firewall rules like 'john1 (User Network) -> Any -> Server : Allow' and 'john1 (User Network) -> Any -> Any : Drop'. I don't understand why the second would be necessary, just as I don't understand why you're having to use "Internet" in the definition. When you get this escalated, be sure to have them look at these two issues.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA