Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 5575 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Incorrect subnet mask with Cisco VPN client

Louis-M

I was connecting a laptop with a Cisco VPN client to our UTM using ipsec/certs

Although the client authenticated, no traffic was passing even though the rules appeared ok. The UTM was using a default ipsec pool of 10.242.4.0/24

When I did an ipconfig /all on the windows laptop with Cisco client, it showed an ip address from the UTM issued ipsec vpn pool ie 10.242.4.1

The only problem was, it had a mask of /8 255.0.0.0 instead of /24 255.255.255.0 and no traffic flowed.

Changing this on the UTM to a class C 192.168.100.0/24 ipsec vpn pool and boom..... everything worked as it should.

Further testing to be done eg change back to 10.10.10.0/24 to see if it issues a /24 instead of a /8 to see if this is a bug?



This thread was automatically locked due to age.
Parents
  • 0

    That's the VPN Pool for IPsec, Louis.  You need to configure the 'Cisco VPN Client' in 'Remote Access', not 'IPsec'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    we don't have the Cisco client part enabled on the UTM. We just use the ipsec part.

    The Cisco client picked up an ip address from the ipsec pool. You would think that it would have picked up the subnet too but for some reason it didn't.
    Once I changed it to a class C address, the Cisco client picked it up as you would expect ie with a /24 mask instead of an /8 mask.

    When I get a spare 5 mins I'll test this as I have 2x clustered UTM's with separate egress/ingress points.

Reply
  • 0 in reply to BAlfson

    Hi Bob,

    we don't have the Cisco client part enabled on the UTM. We just use the ipsec part.

    The Cisco client picked up an ip address from the ipsec pool. You would think that it would have picked up the subnet too but for some reason it didn't.
    Once I changed it to a class C address, the Cisco client picked it up as you would expect ie with a /24 mask instead of an /8 mask.

    When I get a spare 5 mins I'll test this as I have 2x clustered UTM's with separate egress/ingress points.

Children
No Data
Unfiltered HTML