
IPsec Remote Access - My head is now done in!

I'm wondering if somebody could try a remote connection with a free IPsec client to check my sanity.

I have this open in another thread but I fear it would get lost. Sophos support is about as much use as a chocolate teapot. They've taken nearly 12 weeks to come back with an answer that I just can't agree with as it's wrong. To me they are in denial.

All I require from somebody is to create (or try to create) a remote connection using a Shrew Soft IPsec VPN client. It can be downloaded from here and is free:
https://www.shrew.net/download

There is a guide on the internet to make a connection to the UTM as well which is here:
http://www.virtualizationhowto.com/2015/01/connect-shrew-soft-vpn-client-sophos-ipsec-vpn/

It is simple and should take no more than a few minutes to do.

My problem:

1. I can only connect up if I put "Internet" or "Any IPv4" in the UTM local networks. Now, I think this can be down to the Shrew Soft client, as I'm not specifying any networks in its config tab. The problem is, if I do specify the network in the Shrew Soft client and match it with that of the local network under the UTM, it won't connect.

2. Because I have to put "Internet" or "Any IPv4" in the UTM for it to connect, it gets full access to my network.

Now I don't want that as I want to restrict these users to specific hosts. Here's the strange bit:

1. If I authenticate with certificates, you get the option to use "Automatic firewall rules". If you just choose PSK, there is no option to use "Automatic firewall rules". Very strange, as you would think you would want to apply firewall rules regardless of authentication?? PSK with XAuth is the same!

2. Now the above issue (which is strange) would not be a problem if you had to apply manual rules to allow access. But this isn't the case. Without any rule in sight, the remote user has FULL access by default. Now that is a serious flaw in my eyes. Put a block rule in to block this network as the top rule? Doesn't make a difference!
Putting a rule in is about as much use as calling Sophos support... Don't expect it to work.

I've been more than patient with Sophos support on this one, and when they come back with "it must be an issue with my configuration" (which they browsed over and couldn't see the issue), it really starts to pee you off. We've spent £50k with them and were due to spend more, as well as recommend them to our regional partners.

That is now on hold due to their extremely poor support alone (let alone this issue).
We will plod away with this one in the meantime but I'd really appreciate it if somebody could give this a shot just to confirm they are seeing what I am.

  • Hi Louis,

    DM me the case#.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • "A chocolate teapot" - LOL - learning that just made my day, Louis - thanks!

    You've been fighting this for a while. My recollection of my experience with Shrew Soft about five years ago was that the Sophos client worked immediately but I had a lot of trouble finding the tricks to get the Shrew Soft client to work. I suspect that just putting a few minutes into it would have confirmed your experience. This is the kind of problem I would expect Support either to solve quickly or to comment that the Sophos client works and that configuring the Shrew Soft client would be a billable activity.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It's a little frustrating, to say the least. I get hooked up with Shrew Soft straight away, but the problem is the lack of security, i.e. the access it gives.

    Strange thing is, the Cisco Client is the same and there's even less config on that. The thing is, that's not the major concern.

    The concern is the ability to just bypass the firewall rules. Don't ask me how, but it just does. I've gone through all the automatic firewall rules (10 of them) and manual firewall rules (26 of them) and there is nothing in there showing this is allowed.

    I've even added a manual block rule at No. 1 but still no effect. I've tried the source as the IPsec VPN pool as well as the XAuth user etc. but still no effect, and they get through.

    I repeat the process with SSL and OpenVPN and it works exactly how it should with no issue, so it's pointing me to the IPsec being the issue. Maybe there is something stuck in the background etc., but Sophos support has been on numerous times and not mentioned anything. It's obviously a low-level support person, because if it was me and I couldn't see anything causing this, alarm bells would be ringing.

  • Well, I finally got to a higher level of support and somebody who actually knew what he was doing. Thank you David.

    The result? Well we connected finally but we did find some glaring oversights by Sophos too.

    Firstly, the solution to get Shrew Soft connected was to use "require" in their policy rather than "auto" and manually insert the UTM remote network/s. The only thing I hadn't tried here was "require" rather than "auto", but thank you David for getting to that.

    Now the oversights by Sophos with this setup. This is using Remote Access > IPsec.

    1. If you choose to just use IPsec with a PSK, the UTM inserts a hidden rule in the background (looks like the top rule, i.e. No. 1) which allows all traffic through. This is very bad because it allows remote clients full access to whatever network you have specified in the IPsec local networks. You cannot block or filter traffic using the firewall, as it has no effect: any rule you insert falls way below the higher hidden background rule.

    2. When clients connect like this, there is no indication in the GUI that there is a client connected. Again, very bad. The only way to see if something has connected is via the IPsec raw log files. Not good either.

    So we now have a product that allows a client to connect, can't firewall it and shows no indication that it is connected. Serious stuff!!

    It has dented my confidence in the product a little, and the proof of the pudding will be in how quickly they apply a fix to this (if at all).
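Since the thread's last post notes that PSK-authenticated IPsec clients are visible only in the raw IPsec log and not in the GUI, here is an added example (not from the thread, and not Sophos code) of the check an administrator could run against that log: replay the "SA established" / "SA deleted" events and list the remote-access sessions still open. The log line format, the field names (peer, user, assigned), the user names and the addresses are all constructed assumptions for the example; the regular expression must be adapted to the real UTM log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines. The format, names and addresses are assumptions
# for this example, not copied from a Sophos UTM; adapt EVENT_RE to the real log.
SAMPLE_LOG = """\
2016-03-01 09:12:01 ipsec: IKE SA established peer=203.0.113.10 user=alice assigned=10.242.2.5
2016-03-01 09:15:44 ipsec: IKE SA established peer=198.51.100.7 user=bob assigned=10.242.2.6
2016-03-01 09:40:12 ipsec: IKE SA deleted peer=203.0.113.10 user=alice
2016-03-01 10:02:30 ipsec: IKE SA established peer=203.0.113.10 user=alice assigned=10.242.2.7
2016-03-01 10:03:00 ipsec: some unrelated message
"""

# Hypothetical line layout: timestamp, action, peer address, XAuth user and,
# on establishment, the pool address handed to the client.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ipsec: IKE SA (?P<action>established|deleted) "
    r"peer=(?P<peer>\S+) user=(?P<user>\S+)(?: assigned=(?P<assigned>\S+))?$"
)


@dataclass
class Event:
    ts: str
    action: str
    peer: str
    user: str
    assigned: Optional[str]


@dataclass
class Session:
    user: str
    peer: str
    assigned: Optional[str]
    since: str


def parse_events(text: str) -> List[Event]:
    """Return the IKE SA events found in the log text, in file order."""
    events: List[Event] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def active_sessions(text: str) -> Dict[str, Session]:
    """Replay the events and return the sessions still established at the end.

    Sessions are keyed by XAuth user (one session per user is assumed); a later
    'established' for the same user replaces the earlier record, so a reconnect
    shows the current peer and pool address rather than the stale one.
    """
    active: Dict[str, Session] = {}
    for ev in parse_events(text):
        if ev.action == "established":
            active[ev.user] = Session(ev.user, ev.peer, ev.assigned, ev.ts)
        elif ev.action == "deleted":
            active.pop(ev.user, None)
    return active


if __name__ == "__main__":
    for s in active_sessions(SAMPLE_LOG).values():
        print(f"{s.user:8} peer={s.peer:15} assigned={s.assigned} since {s.since}")
```

Run against the constructed sample, alice's first session is torn down and re-established, so the listing shows her with the second pool address (10.242.2.7) alongside bob. On a real log the same replay gives the administrator the session view the GUI does not, and the `assigned` addresses are the ones to check against whatever firewall rules are meant to restrict remote clients.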