Sophos L2TP VPN doesn't work with Windows 10 built-in client

I have the SG230 UTM where I enabled the L2TP (over IPsec) VPN server, set a pre-shared key and a single VPN account. On the other side I have a Windows 10 Professional PC (v1809) with the built-in VPN client, and when connecting to the Sophos, the connection is established, but nothing is going through the tunnel. No ping in either direction.

I tested this same VPN connection with a Linux PC and it worked flawlessly, so both my settings and credentials on the Sophos's end are correct. So apparently this is a problem (compatibility??) with the built-in client from Windows 10 Pro.

Any ideas? For some reason I have no other choice than using an L2TP type VPN with this specific computer, so I can't switch to SSL or other VPN types in my Sophos.

Thank you!



This thread was automatically locked due to age.
  • Do you use the Sophos VPN Pool (L2TP) for client connections? Do you receive an IP address from this pool after the VPN is connected? -> Check on the Windows client with ipconfig

    Please also check on Windows Client:

    Properties of the VPN Connection -> Network -> IPv4 Properties -> Advanced...  ->  Is the 1st option "Standard gateway for Remote connection" checked?

     

    Other idea: please check if there are any internal Windows firewalls or endpoint firewalls on the client/server that block ping and other ports. Your source IP is maybe inside another/unknown network and this network is not allowed for access on the client... If this is the problem, an S-NAT for the VPN Pool (L2TP) may help you...

     

    regards

  • Unknown said:

    Do you use the Sophos VPN Pool (L2TP) for client connections? Do you receive an IP address from this pool after the VPN is connected? -> Check on the Windows client with ipconfig

    Yes, I receive an IP from the VPN Pool (L2TP) correctly during connection process.

    Unknown said:

    Please also check on Windows Client:

    Properties of the VPN Connection -> Network -> IPv4 Properties -> Advanced...  ->  Is the 1st option "Standard gateway for Remote connection" checked?

    By default, the option "Standard gateway for Remote connection" WAS checked, but I had to un-check it because otherwise the result is that my PC can't access the internet anymore when the VPN is connected. This also demonstrates that the VPN tunnel is not working correctly, as with it as default gateway it blocks all network traffic.

    Unknown said:

    Other idea: please check if there are any internal Windows firewalls or endpoint firewalls on the client/server that block ping and other ports. Your source IP is maybe inside another/unknown network and this network is not allowed for access on the client... If this is the problem, an S-NAT for the VPN Pool (L2TP) may help you...

    This is the first thing that I tried; I completely disabled the Windows Firewall during the test phase. I don't have any other security software running on this PC; in fact it's a fresh Windows install with nothing else on it! This is a test PC.

  • So "Standard gateway for Remote connection" will be the reason! Try to access with this checked option.

     

    You need a route entry (route add on the client) for the remote network without this option... because every packet goes to your standard gateway.

     

    regards

  • Unknown said:

    So "Standard gateway for Remote connection" will be the reason! Try to access with this checked option.

     

    You need a route entry (route add on the client) for the remote network without this option... because every packet goes to your standard gateway.

     

    regards

     

    As indicated before, if I enable the "Standard gateway for Remote connection" option, the result is that my PC can't access any internet services (web browsing, etc.). I thought this option was the equivalent of the "Send all traffic through the VPN" option that I found on my Apple computer in the built-in VPN client, which is something I don't want (don't need). Local internet browsing can exit directly on the local network, and only traffic intended for my corporate network needs to go through the VPN.

  • Hi Simon and welcome to the UTM Community!

    Do you learn anything from doing #1 in Rulz?  Also, note #2.3.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    There is an option, once you disable the full tunnel by disabling the standard gateway for the remote connection, to add the routes on demand once the connection is fully established. Windows 10 provides a PowerShell cmdlet that adds this route to be set once the VPN is UP and removed when it is DOWN. Here you have an example:

    Add-VpnConnectionRoute -ConnectionName "VPN_connectioname" -DestinationPrefix 172.16.0.0/16

     

    This will add a route to the network of your choice every time the VPN is established, and it will be removed when disconnected.

    Hope this helps.
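The two client-side fixes discussed in this thread (clearing "Use default gateway on remote network" so the tunnel is split, and then supplying a route for the corporate network instead of a manual route add after every connect) can be done entirely from PowerShell. The script below is an added example and is not from any poster in this thread or from Sophos; it reuses the connection name "VPN_connectioname" and the 172.16.0.0/16 prefix from the post above, and everything else (the gateway hostname vpn.example.test, the 172.16.0.1 test host, MS-CHAPv2 as the authentication method) is an assumption you must replace with your own values.

```powershell
# Added example (not from the thread): build a split-tunnel L2TP/IPsec
# connection on Windows 10 and attach routes that come up with the tunnel.
# Assumed/placeholder values: vpn.example.test, 172.16.0.1, MSChapv2.
# From the post above: the connection name and the 172.16.0.0/16 prefix.

$ConnectionName = "VPN_connectioname"
$ServerAddress  = "vpn.example.test"      # placeholder, not a real gateway
$RemotePrefixes = @("172.16.0.0/16")      # networks behind the UTM

# Read the PSK interactively so it is not left in the shell history or a file.
$PskSecure = Read-Host -Prompt "L2TP pre-shared key" -AsSecureString
$PskPlain  = [System.Net.NetworkCredential]::new("", $PskSecure).Password

# 1. Create (or replace) the connection.
#    -SplitTunneling $true is the cmdlet equivalent of clearing
#    "Use default gateway on remote network" in the adapter's IPv4 settings:
#    internet traffic keeps using the local gateway and only routed prefixes
#    enter the tunnel. -EncryptionLevel Required refuses an unencrypted PPP link.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $PskPlain `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -SplitTunneling $true `
    -RememberCredential `
    -Force
Remove-Variable PskPlain    # do not keep the key in the session longer than needed

# 2. Routes that Windows installs when the tunnel comes up and removes when it
#    goes down. This replaces the manual 'route add' suggested earlier, which
#    would have to be repeated after every reconnect.
foreach ($prefix in $RemotePrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}
Get-VpnConnectionRoute -ConnectionName $ConnectionName

# 3. Dial, then check that the route really points at the VPN interface and
#    that a host behind the UTM answers. If the route is present but nothing
#    answers, look at the UTM side (pool, firewall rule, S-NAT) rather than
#    the client's routing table.
rasdial $ConnectionName                     # prompts for the UTM user on first use
Get-NetRoute -DestinationPrefix $RemotePrefixes[0] |
    Format-Table DestinationPrefix, InterfaceAlias, NextHop
Test-NetConnection -ComputerName 172.16.0.1 -InformationLevel Detailed   # placeholder host
```

Run it in an elevated PowerShell session, since Add-VpnConnection with -L2tpPsk writes the pre-shared key into the RAS phonebook for all users when -Force is given. The Get-NetRoute line is the useful check for the symptom in this thread: if the 172.16.0.0/16 route is missing or its InterfaceAlias is the physical adapter rather than the VPN connection, the client is sending corporate traffic to the local gateway exactly as the earlier replies described.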