Webadmin+VPN problem in China

Hello

I set up a Sophos SG135 for our office in Shanghai 2 years ago. I'm based in France and I mounted an IPSEC VPN between our SG310 in Paris and the one in Shanghai back then.

It's been working just fine for 2 years, but approx. 3-4 weeks ago the VPN went down and I can't access the WebAdmin interface through its public IP (it's working locally though).

This is typical Chinese Great Firewall behaviour...

Weird thing is I can ping the public IP (ICMP is allowed on the SG135 obviously) and I can access UserPortal on port https/443 from Paris.

Does anyone else experience bad connectivity with a Chinese office? Did you find your way around?

Did China Telecom help in any way, if you have contacted them?

Any tips/tricks to get a stable connection?

I've seen better connections using SSL VPN on UDP before but I haven't tried it yet; any feedback?

If you have any experience on that subject, please feel free to share :)

Thanks

Marc

  • Salut Marc and a belated welcome to the UTM Community!

    In fact, there's another active thread right now about a similar problem.  I bet you're right and that they're blocking UDP 4500.  Can you still get an SSL VPN on UDP going or do you have to use TCP 443 to get through?  Have you tried a RED tunnel?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    Thanks!

    Can you please send the link to the other active thread?

    IPSEC is not working, SSL VPN on TCP is not working as well...

    SSL VPN on UDP works fine, but I have already set up loads of users with remote access on TCP/SSL and don't want to change the SSL setting from TCP to UDP, as it will break those users' connections!

    Is there any way to use remote access on TCP/SSL and site-to-site VPN on UDP/SSL?

    Thanks

    M

  • The best way to find things here is to use Google, Marc.  Restrict the search to the last month and Google:

    site:community.sophos.com/products/unified-threat-management/f China ISP

    There's only a single setting for the Server side of the SSL VPN.  If all clients only connect via SSL VPN to site A, leave it set to TCP.  At site B, change 'Server Settings' to UDP, create a Server SSL Connection and generate the site-to-site Client Connection for A.

    Note that the only change for the Remote Access client is changing tcp to udp in line 4 of the ovpn configuration file, for example:

    C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\username@sub.domain.com\username@sub.domain.com.ovpn

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • In the German magazine named CT there was recently a comprehensive article about the Chinese firewall. They go into deep detail about how the Chinese firewall works. One technology used by the Chinese firewall is a blacklist. If your IP is on this blacklist once, because they figured out you are running a VPN service over this IP, then all traffic to this IP is blacklisted.

    If this happened to you, I guess the only way is to change your Public IP in China :-/

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • Hello everyone, we faced the same problem with the new XG Firewall. I tried many things: port change, port redirection and so on. I changed the protocol from TCP to UDP on the firewall and it works like a charm. You can use any port with the UDP protocol; if you change the protocol you just need to change "proto tcp" to "proto udp" in the config (4th line from the top).
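Both Bob's reply and the one above come down to the same client-side change: once the SSL VPN server is switched to UDP, every user's .ovpn profile needs its `proto tcp` line changed to `proto udp`. The following Python script is an added example for this thread, not code from Sophos or from any poster. It rewrites that directive across all profiles under a config directory (the Sophos client path quoted by Bob is used as the default), reports which profiles were changed, and leaves profiles that already use the target protocol untouched. The embedded sample profile is constructed, and the function names (`switch_proto`, `current_proto`, `migrate_profiles`) are my own. It also rewrites a `remote host port tcp` line if one exists, which OpenVPN accepts and which would otherwise override the global `proto` setting; that goes slightly beyond the single-line edit the posts describe.

```python
"""Switch OpenVPN (Sophos SSL VPN) client profiles between TCP and UDP.

Added example for this thread, not Sophos code. It applies the client-side
change described in the replies above: when the SSL VPN server is moved to
UDP, each user's profile needs 'proto tcp' changed to 'proto udp'.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Default per-user profile location quoted in the thread for the Sophos client.
DEFAULT_CONFIG_ROOT = Path(
    r"C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config"
)

# 'proto <tcp|udp>' directive; the last group keeps any trailing comment.
PROTO_RE = re.compile(
    r"^(\s*proto\s+)(tcp-client|tcp|udp)(\s*(?:#.*)?)$", re.IGNORECASE
)
# 'remote host port <proto>' may carry its own protocol, which overrides the
# global 'proto' line, so it is rewritten as well (assumption: present rarely).
REMOTE_RE = re.compile(
    r"^(\s*remote\s+\S+\s+\d+\s+)(tcp-client|tcp|udp)(\s*(?:#.*)?)$", re.IGNORECASE
)

# Constructed sample in the layout of a Sophos SSL VPN client profile.
SAMPLE_PROFILE = """\
# Sophos SSL VPN client profile (constructed sample)
client
dev tun
proto tcp
remote vpn.example.com 443
remote vpn2.example.com 443 tcp
cipher AES-256-CBC
"""


def switch_proto(text: str, new_proto: str = "udp") -> tuple:
    """Return (rewritten profile text, number of lines changed).

    Only 'proto' and protocol-bearing 'remote' lines are touched; every other
    line, including comments and certificates, is copied through unchanged.
    """
    if new_proto not in ("tcp", "udp"):
        raise ValueError("new_proto must be 'tcp' or 'udp'")
    out, changed = [], 0
    for line in text.splitlines():
        m = PROTO_RE.match(line) or REMOTE_RE.match(line)
        if m and m.group(2).lower() != new_proto:
            line = f"{m.group(1)}{new_proto}{m.group(3)}"
            changed += 1
        out.append(line)
    rewritten = "\n".join(out)
    if text.endswith("\n"):
        rewritten += "\n"
    return rewritten, changed


def current_proto(text: str) -> Optional[str]:
    """Protocol named by the first 'proto' directive, or None if there is none."""
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            return m.group(2).lower()
    return None


def migrate_profiles(config_root: Path, new_proto: str = "udp") -> dict:
    """Rewrite every *.ovpn below config_root in place.

    Returns {relative path: lines changed}; profiles already on new_proto are
    reported with 0 and are not written back.
    """
    report = {}
    for ovpn in sorted(config_root.rglob("*.ovpn")):
        text = ovpn.read_text(encoding="utf-8")
        rewritten, n = switch_proto(text, new_proto)
        if n:
            ovpn.write_text(rewritten, encoding="utf-8")
        report[str(ovpn.relative_to(config_root))] = n
    return report


if __name__ == "__main__":
    # Demonstrate on a throwaway directory rather than the live client path;
    # replace `root` with DEFAULT_CONFIG_ROOT to migrate real profiles.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        user_dir = root / "alice@example.com"
        user_dir.mkdir()
        profile = user_dir / "alice@example.com.ovpn"
        profile.write_text(SAMPLE_PROFILE, encoding="utf-8")
        print(migrate_profiles(root, "udp"))
        print(profile.read_text(encoding="utf-8"))
```

Run it once with no arguments to see the dry run on the constructed profile; to migrate a real installation, point `migrate_profiles` at `DEFAULT_CONFIG_ROOT` from an elevated prompt, since that directory is under Program Files. The server-side half (changing 'Server Settings' to UDP on the UTM, as Bob describes) still has to be done first, otherwise the rewritten clients will fail to connect.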