Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
I have a challenge with our NATted Site-Site IPSec VPN setup. Problem is users cannot access the internet when the VPN connection is on, but can access resources on the remote site. Our firewall is a CR25iNG. The network admin managing the remote site says our LAN IPs are supposed to be NATted (or PATted) on our firewall towards the IPSec tunnel so that users can connect to the remote site through the tunnel without any further configuration on their PCs, that i have to configure the firewall so that when an IP from our LAN tries to reach the remote subnets the IP is translated to the static IP they gave me, with the firewall policy through the IPSec tunnel. Now i have already done this but doesnt seem to change anything, Have i missed something?
Hi Jasper Okoth
Depending on what OS your CR25iNG is running, I would advise moving your thread over to the XG or Cyberoam community group.
In regards to your question, would it be possible to share how your IPsec tunnel is configured and the firewall rule is setup for LAN to VPN access?
In reply to FloSupport:
Thank you for your reply, think i figured out what the problem is:
1. On the IPsec Config page, when i set the remote LAN to Any the VPN connection seems to work but my users cant access the internet, which means all traffic is being sent to the tunnel and internet traffic has been restricted.
2. On the same page, when i set the subnets we want to access, the VPN doesn't work, which leaves me to think that the problem may be on the remote site, so i will speak to the Net admin on the other side to provide way forward.
Thanks again FloSupport,
In reply to Jasper Okoth:
Thank you for following up and providing your investigation results.
When you mention that after configuring the IPsec tunnel to the remote LAN subnets you want to access, the VPN doesn't work. Does the tunnel establish still? Or are clients not able to successfully connect to these remote resources?
Make sure that your IPsec policies/configuration are matching on both sides. Also, take a look at the IPsec logs (charon.log) as they may provide more hints to help you.
Thank you again for your reply, the answer to your question is no, the tunnel does not establish when i set the remote subnets (172.x.x.0) and users cannot access resources on the remote site, but can access the internet. When i set the remote LAN network to ANY, connection to the VPN is established and users can access resources on the remote site but now they cannot access anything on the internet and this is my second problem.
I would like to know which IKE version the CR25iNG - 10.6.6 MR3 supports by default is it v1 or v2?
Hi Jasper Okoth
It sounds like there might be an IPsec configuration mis-match between you and your remote site peer device, specifically the Local and Remote LAN networks used.
When you set the remote LAN network to ANY, it is expected behavior for all of your Local LAN traffic to be forced across the VPN tunnel (as there is an IPsec route matching to ANY outgoing traffic).
Regarding the IKE version on the Cyberoam OS, it currently only supports IKEv1. (Related feature request)
Thank you very much for your help, im in the process of sorting out the issue with the remote site, hopefully have it resolved in good time. I would like to ask one more question, im having a challenge monitoring bandwidth usage on our network. I recently discovered that the web and application filters are not working properly as some users are able to access some blocked sites and others are also able to stream video and radio (these are also blocked). I have also blocked windows updates from downloading during business hours but find some client PC's downloading these updates, what should i do to rectify this? I would also like to see the hosts that are hogging all the bandwidth in real time and what services are being accessed, is this possible? Sorry im fairly new to cyberoam.
Could you please check if the traffic is passed from which rule and check if the application and web filter are in place? As for the IPsec VPN issue, it would be best to add the interface address/network of the WAN in your IPsec Tunnel connection's list that would allow the traffic to allow through WAN.