Sophos L2TP VPN doesn't work with Windows 10 built-in client

I have the SG230 UTM where I enabled the L2TP (over IPsec) VPN server, set a preshared key and a single VPN account. On the other side I have a Windows 10 Professional PC (v1809) with the built-in VPN client, and when connecting to the Sophos, the connection is established, but nothing is going through the tunnel. No ping in either direction.

I tested this same VPN connection with a Linux PC and it worked flawlessly, so both my settings and credentials on the Sophos's end are correct. So apparently this is a problem (compatibility??) with the built-in client from Windows 10 Pro.

Any ideas? For some reason I have no other choice than using an L2TP type VPN with this specific computer, so I can't switch to SSL or other VPN types in my Sophos.


Thank you!

  • Do you use the Sophos VPN Pool (L2TP) for client connections? Do you receive an IP address from this pool after the VPN is connected? -> Check on the Windows client with ipconfig

    Please also check on the Windows client:

    Properties of the VPN Connection -> Network -> IPv4 Properties -> Advanced... -> Is the first option "Standard gateway for Remote connection" checked?

    Other idea: please check if there are any internal "Windows" firewalls or endpoint firewalls on the client/server that block ping and other ports. Your source IP is maybe inside another/unknown network and this network is not allowed for access on the client... If this is the problem, an S-NAT for the VPN Pool (L2TP) may help you...

    regards

  • In reply to Steve Weißflog:

    Steve Weißflog

    Do you use the Sophos VPN Pool (L2TP) for client connections? Do you receive an IP address from this pool after the VPN is connected? -> Check on the Windows client with ipconfig

    Yes, I receive an IP from the VPN Pool (L2TP) correctly during connection process.

    Steve Weißflog

    Please also check on the Windows client:

    Properties of the VPN Connection -> Network -> IPv4 Properties -> Advanced... -> Is the first option "Standard gateway for Remote connection" checked?

    By default, the option "Standard gateway for Remote connection" WAS checked, but I had to un-check it because otherwise the result is that my PC can't access the internet anymore when the VPN is connected. This also demonstrates that the VPN tunnel is not working correctly, as with it as default gateway it blocks all network traffic.

    Steve Weißflog

    Other idea: please check if there are any internal "Windows" firewalls or endpoint firewalls on the client/server that block ping and other ports. Your source IP is maybe inside another/unknown network and this network is not allowed for access on the client... If this is the problem, an S-NAT for the VPN Pool (L2TP) may help you...

    This is the first thing that I tried: I completely disabled the Windows Firewall during the test phase. I don't have any other security software running on this PC; in fact it's a fresh Windows install with nothing else on it! This is a test PC.

  • In reply to SimonC:

    So "Standard gateway for Remote connection" will be the reason! Try to access with this option checked.

    You need a route entry (route add on the client) for the remote network without this option... because every packet goes to your standard gateway.

    regards
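    The route-based alternative Steve describes, written out for the Windows 10 built-in client, as an added example that is not part of this thread: with "Use default gateway on remote network" unchecked (split tunneling), the client needs an explicit route for the corporate subnet bound to the VPN entry, plus a check that the route and source address really land on the VPN adapter. The connection name, subnet and test host are placeholders.

```powershell
# Added example, not from the thread. Placeholders: the name of the Windows
# VPN entry and the corporate subnet that sits behind the Sophos UTM.
$ConnectionName  = 'Sophos-L2TP'        # assumed VPN entry name
$CorporateSubnet = '192.168.100.0/24'   # assumed subnet behind the UTM
$TestHost        = '192.168.100.10'     # assumed host inside that subnet

# 1. Split tunneling is the cmdlet equivalent of un-checking
#    "Use default gateway on remote network" in the IPv4 advanced settings,
#    so local internet traffic keeps leaving via the LAN gateway.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# 2. With split tunneling, Windows only routes the VPN pool itself through
#    the tunnel. Bind the corporate subnet to the VPN entry; unlike a manual
#    'route add', this route is re-installed every time the VPN comes up.
Add-VpnConnectionRoute -ConnectionName $ConnectionName `
                       -DestinationPrefix $CorporateSubnet -PassThru

# 3. Verify while connected. The route must point at the VPN adapter (its
#    InterfaceAlias equals the connection name) and the adapter must hold an
#    address from the UTM's VPN Pool (L2TP); otherwise packets for the
#    corporate subnet still leave via the LAN default gateway.
Get-NetRoute -DestinationPrefix $CorporateSubnet |
    Format-Table DestinationPrefix, InterfaceAlias, NextHop, RouteMetric
Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Format-Table IPAddress, PrefixLength

# 4. End-to-end check from the VPN pool address to a host behind the UTM.
Test-NetConnection -ComputerName $TestHost -TraceRoute
```

    Run this in an elevated PowerShell after the VPN entry exists and is connected; if the route shows the LAN adapter instead of the VPN alias, the tunnel itself (not the routing) is what needs attention.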

  • In reply to Steve Weißflog:

    Steve Weißflog

    So "Standard gateway for Remote connection" will be the reason! Try to access with this option checked.

    You need a route entry (route add on the client) for the remote network without this option... because every packet goes to your standard gateway.

    regards

    As indicated before, if I enable the "Standard gateway for Remote connection" option, the result is that my PC can't access any internet services (web browsing, etc.). I thought this option was the equivalent of the "Send all traffic through the VPN" option that I found on my Apple computer in the built-in VPN client, which is something I don't want (don't need). Local internet browsing can exit directly on the local network, and only traffic intended for my corporate network needs to go through the VPN.

  • In reply to SimonC:

    Hi Simon and welcome to the UTM Community!

    Do you learn anything from doing #1 in Rulz?  Also, note #2.3.

    Cheers - Bob