This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec VPN

Hello,

I have a challenge with our NATted Site-Site IPSec VPN setup. Problem is users cannot access the internet when the VPN connection is on, but can access resources on the remote site. Our firewall is a CR25iNG. The network admin managing the remote site says our LAN IPs are supposed to be NATted (or PATted) on our firewall towards the IPSec tunnel so that users can connect to the remote site through the tunnel without any further configuration on their PCs, that i have to configure the firewall so that when an IP from our LAN tries to reach the remote subnets the IP is translated to the static IP they gave me, with the firewall policy through the IPSec tunnel. Now i have already done this but doesnt seem to change anything, Have i missed something?

Thanks,

Jasper

This thread was automatically locked due to age.

Parents

0 FloSupport over 4 years ago

Hi Jasper Okoth

Depending on what OS your CR25iNG is running, I would advise moving your thread over to the XG or Cyberoam community group.

In regards to your question, would it be possible to share how your IPsec tunnel is configured and the firewall rule is setup for LAN to VPN access?

Thanks,

Florentino
Director, Global Community & Digital Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the 'Verify Answer' button.

The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Jasper Okoth over 4 years ago in reply to FloSupport

Dear FloSupport,

Thank you for your reply, think i figured out what the problem is:

1. On the IPsec Config page, when i set the remote LAN to Any the VPN connection seems to work but my users cant access the internet, which means all traffic is being sent to the tunnel and internet traffic has been restricted.

2. On the same page, when i set the subnets we want to access, the VPN doesn't work, which leaves me to think that the problem may be on the remote site, so i will speak to the Net admin on the other side to provide way forward.

Thanks again FloSupport,

Jasper.
Cancel
Vote Up 0 Vote Down

Cancel
0 FloSupport over 4 years ago in reply to Jasper Okoth

Hi Jasper

Thank you for following up and providing your investigation results.

When you mention that after configuring the IPsec tunnel to the remote LAN subnets you want to access, the VPN doesn't work. Does the tunnel establish still? Or are clients not able to successfully connect to these remote resources?

Make sure that your IPsec policies/configuration are matching on both sides. Also, take a look at the IPsec logs (charon.log) as they may provide more hints to help you.

Regards,

Florentino
Director, Global Community & Digital Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the 'Verify Answer' button.

The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Jasper Okoth over 4 years ago in reply to FloSupport

Dear FloSupport,

Thank you again for your reply, the answer to your question is no, the tunnel does not establish when i set the remote subnets (172.x.x.0) and users cannot access resources on the remote site, but can access the internet. When i set the remote LAN network to ANY, connection to the VPN is established and users can access resources on the remote site but now they cannot access anything on the internet and this is my second problem.

Regards,

Jasper.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jasper Okoth over 4 years ago in reply to FloSupport

Hi FloSupport,

I would like to know which IKE version the CR25iNG - 10.6.6 MR3 supports by default is it v1 or v2?

Thanks,

Jasper
Cancel
Vote Up 0 Vote Down

Cancel
0 FloSupport over 4 years ago in reply to Jasper Okoth

Hi Jasper Okoth

It sounds like there might be an IPsec configuration mis-match between you and your remote site peer device, specifically the Local and Remote LAN networks used.

When you set the remote LAN network to ANY, it is expected behavior for all of your Local LAN traffic to be forced across the VPN tunnel (as there is an IPsec route matching to ANY outgoing traffic).

Regarding the IKE version on the Cyberoam OS, it currently only supports IKEv1. (Related feature request)

Florentino
Director, Global Community & Digital Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the 'Verify Answer' button.

The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 FloSupport over 4 years ago in reply to Jasper Okoth

Hi Jasper Okoth

It sounds like there might be an IPsec configuration mis-match between you and your remote site peer device, specifically the Local and Remote LAN networks used.

When you set the remote LAN network to ANY, it is expected behavior for all of your Local LAN traffic to be forced across the VPN tunnel (as there is an IPsec route matching to ANY outgoing traffic).

Regarding the IKE version on the Cyberoam OS, it currently only supports IKEv1. (Related feature request)

Florentino
Director, Global Community & Digital Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the 'Verify Answer' button.

The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jasper Okoth over 4 years ago in reply to FloSupport

Hi FloSupport,

Thank you very much for your help, im in the process of sorting out the issue with the remote site, hopefully have it resolved in good time. I would like to ask one more question, im having a challenge monitoring bandwidth usage on our network. I recently discovered that the web and application filters are not working properly as some users are able to access some blocked sites and others are also able to stream video and radio (these are also blocked). I have also blocked windows updates from downloading during business hours but find some client PC's downloading these updates, what should i do to rectify this? I would also like to see the hosts that are hogging all the bandwidth in real time and what services are being accessed, is this possible? Sorry im fairly new to cyberoam.

Much appreciated,

Jasper.
Cancel
Vote Up 0 Vote Down

Cancel
0 Aditya Patel over 4 years ago in reply to Jasper Okoth

Hello Jasper,

Could you please check if the traffic is passed from which rule and check if the application and web filter are in place? As for the IPsec VPN issue, it would be best to add the interface address/network of the WAN in your IPsec Tunnel connection's list that would allow the traffic to allow through WAN.

Regards,

Aditya Patel
Global Escalation Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel