Using IPsec vpn connection as default gateway

Hi,

I want to use a remote access IPsec VPN connection as the default gateway for the remote client. I have added 'any' to the list of local networks on the UTM9's remote access IPsec profile, and I have added a masquerading rule for the IPsec VPN address pool to the uplink interfaces. FWIW I have also added the IPsec VPN pool to the web filtering allowed networks list.
When I log in to the portal and download the client config and cert I can see the all-zeros network in the config file:

Network1=0.0.0.0
SubMask1=0.0.0.0
Network2=192.168.96.0
SubMask2=255.255.255.0
Network3=192.168.84.0
SubMask3=255.255.252.0
Network4=192.168.32.0
SubMask4=255.255.252.0
Network5=192.168.72.0
SubMask5=255.255.252.0

I do get some errors in the import log, but none of them appear to relate to the routing:

=================================================================================
Sophos IPsec Client - Import
=================================================================================

Profile Import
Reading import file - 28/07/2016 15:02:46
C:\Users\MoviAdmin\Downloads\aic_conf__stephenr__fw_company_com.ini

IKE POLICY "REF_OrkXmBRdER" is being imported
PARAMETER "IkeAuth" = RSA-Signature
PARAMETER "IkeCrypt" = AES 256 Bit
PARAMETER "IkeHash" = SHA 256 Bit
PARAMETER "IkeDhGroup" = DH-Group 5 (1536 Bit)
IKE POLICY "REF_OrkXmBRdER" successfully extended
---------------------------------------------------------------------------------

IPsec POLICY "REF_OrkXmBRdER" is being imported
PARAMETER "IPSecCrypt" = AES 256 Bit
PARAMETER "IPSecAuth" = SHA 256 Bit
IPsec POLICY "REF_OrkXmBRdER" successfully extended
---------------------------------------------------------------------------------

PROFILE "REF_IpsRoaSmipsec" is being imported
PROFILE "REF_IpsRoaSmipsec", existing profile overwritten
PARAMETER "Name" = REF_IpsRoaSmipsec
ERROR: Parameter "ConnType" => unknown parameter
ERROR: Parameter "ConnMedia" => unknown parameter
ERROR: Parameter "UseRAS" => unknown parameter
PARAMETER "BootProfile" = off
PARAMETER "ConnMode" = manual
PARAMETER "Timeout" = 0
ERROR: Parameter "MultiLink" => unknown parameter
ERROR: Parameter "MlThreshold" => unknown parameter
PARAMETER "Gateway" = fw.company.com
PARAMETER "IKE-Policy" = REF_OrkXmBRdER
PARAMETER "IPSec-Policy" = REF_OrkXmBRdER
PARAMETER "IkeLTSec" = 000:08:00:00
PARAMETER "IPSecLTSec" = 000:01:00:00
PARAMETER "ExchMode" = main mode
PARAMETER "PFS" = none
ERROR: Parameter "UseComp" => unknown parameter
PARAMETER "DisDPD" = off
PARAMETER "IkeIdType" = Fully Qualified Username
PARAMETER "IkeIdStr" = stephen.ryan@company.com
PARAMETER "UsePreShKey" = off
PARAMETER "UseXAUTH" = none
PARAMETER "IpAddrAssign" = Use IKE Config Mode
PARAMETER "DNS1" = 192.168.32.30
PARAMETER "DNS2" = 192.168.32.18
PARAMETER "WINS1" = 0.0.0.0
PARAMETER "WINS2" = 0.0.0.0
PARAMETER "DomainName" = company.com
PARAMETER "UseTunnel" = off
ERROR: Parameter "Firewall" => unknown parameter
ERROR: Parameter "OnlyTunnel" => unknown parameter
ERROR: Parameter "EnableNetBIOS" => unknown parameter
ERROR: Parameter "RasOnlyTunnel" => unknown parameter
PARAMETER "Network1" = 0.0.0.0
PARAMETER "SubMask1" = 0.0.0.0
PARAMETER "Network2" = 192.168.96.0
PARAMETER "SubMask2" = 255.255.255.0
PARAMETER "Network3" = 192.168.84.0
PARAMETER "SubMask3" = 255.255.252.0
PARAMETER "Network4" = 192.168.32.0
PARAMETER "SubMask4" = 255.255.252.0
PARAMETER "Network5" = 192.168.72.0
PARAMETER "SubMask5" = 255.255.252.0
PROFILE "REF_IpsRoaSmipsec" imported (10 Errors)
---------------------------------------------------------------------------------

Summary:
========
IKE POLICY "REF_OrkXmBRdER" successfully extended
IPsec POLICY "REF_OrkXmBRdER" successfully extended
PROFILE "REF_IpsRoaSmipsec" imported (10 Errors)

Errors: 10


However, if I make the IPsec VPN connection, the local ISP remains the default route:

Active Routes:
Network Destination  Netmask          Gateway      Interface     Metric
0.0.0.0              0.0.0.0          192.168.1.1  192.168.1.10  20
10.242.34.0          255.255.255.0    On-link      10.242.34.2   257
10.242.34.2          255.255.255.255  On-link      10.242.34.2   257
10.242.34.255        255.255.255.255  On-link      10.242.34.2   257
64.125.75.227        255.255.255.255  192.168.1.1  192.168.1.10  276
127.0.0.0            255.0.0.0        On-link      127.0.0.1     306
127.0.0.1            255.255.255.255  On-link      127.0.0.1     306
127.255.255.255      255.255.255.255  On-link      127.0.0.1     306
192.168.1.0          255.255.255.0    On-link      192.168.1.10  276
192.168.1.10         255.255.255.255  On-link      192.168.1.10  276
192.168.1.255        255.255.255.255  On-link      192.168.1.10  276
192.168.32.0         255.255.252.0    10.242.34.3  10.242.34.2   257
192.168.72.0         255.255.252.0    10.242.34.3  10.242.34.2   257
192.168.84.0         255.255.252.0    10.242.34.3  10.242.34.2   257
192.168.96.0         255.255.255.0    10.242.34.3  10.242.34.2   257
224.0.0.0            240.0.0.0        On-link      127.0.0.1     306
224.0.0.0            240.0.0.0        On-link      192.168.1.10  276
255.255.255.255      255.255.255.255  On-link      127.0.0.1     306
255.255.255.255      255.255.255.255  On-link      192.168.1.10  276
255.255.255.255      255.255.255.255  On-link      10.242.34.2   257

I would have expected to see 10.242.34.3 as the gateway for 0.0.0.0/0.0.0.0.
I can see all my other internal routes (the 192.168.etc.etc routes), and they work.

If I try to manually edit the profile on the client (using Configuration/Profiles/profilename/Edit/Split Tunnelling) it won't allow me to add the all-zeroes route (in fact this is presented as the first option when you click 'Add', but 'OK' is greyed out).

Any ideas here? I hope I'm not missing something too obvious.
Many thanks
Stephen
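A quick check for the symptom described in the post, written as an added example (not code from the post or from Sophos): it parses the NetworkN/SubMaskN pairs from the client .ini and the Windows route print output, then reports which gateway currently holds the default route and which pushed networks have no route via the tunnel gateway. The .ini and route-table excerpts are constructed from the values in the post, and the tunnel gateway 10.242.34.3 is the one shown in the post's route table.

```python
import ipaddress
import re

# Constructed excerpt of the client .ini posted above (the networks the UTM pushes).
CLIENT_INI = """Network1=0.0.0.0
SubMask1=0.0.0.0
Network2=192.168.96.0
SubMask2=255.255.255.0"""

# Constructed excerpt of the Windows "route print" output with the tunnel up.
ROUTE_PRINT = """Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 20
10.242.34.0 255.255.255.0 On-link 10.242.34.2 257
192.168.96.0 255.255.255.0 10.242.34.3 10.242.34.2 257"""

def parse_ini_networks(text):
    """Pair NetworkN/SubMaskN keys into ip_network objects, in index order."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(Network|SubMask)(\d+)=(\S+)", line.strip())
        if m:
            fields.setdefault(int(m.group(2)), {})[m.group(1)] = m.group(3)
    return [ipaddress.ip_network(f"{f['Network']}/{f['SubMask']}")
            for _, f in sorted(fields.items()) if "Network" in f and "SubMask" in f]

def parse_route_print(text):
    """Return (destination, gateway, interface, metric) tuples; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, blank and section lines
        try:
            dest = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
        except ValueError:
            continue  # not a dotted-quad destination/mask pair
        routes.append((dest, parts[2], parts[3], int(parts[4])))
    return routes

def default_route_gateway(routes):
    """Gateway of the lowest-metric 0.0.0.0/0 entry, or None when there is none."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    return min(defaults, key=lambda r: r[3])[1] if defaults else None

def missing_tunnel_routes(expected, routes, vpn_gateway):
    """Pushed networks with no routing-table entry that points at the tunnel gateway."""
    via_vpn = {r[0] for r in routes if r[1] == vpn_gateway}
    return [n for n in expected if n not in via_vpn]
```

On the post's data it reports 192.168.1.1 as the default gateway and 0.0.0.0/0 as the only pushed network not routed through the tunnel, which is exactly the traffic that still leaves via the local ISP.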
