
I can't access the internal network from L2TP over IPsec VPN

Hello all,

I have been banging my head against this one all day.


I have L2TP over IPsec set up using the default VPN pool.

I have a firewall rule set: (Source) VPN Pool -> (Service) Any -> (Destinations) Internal (Network)

The rule is enabled, yet none of my clients can see anything on the internal network.


I have tried setting up NAT Masq. rules with no effect.


What am I missing here?


SG230,

Firmware version: 9.414-2



  • ok - in your firewall rule make sure you have both the internal network and the vpn pool (l2tp) as both the source AND destination - see if that helps.

  • HA!  Eureka! That did it. Thank you so much.


    Why is that the case? Why does it need to be this way to function? 

  • It's because the firewall locks down all access EXCEPT what you allow.  Your first rule only allowed traffic one way - the modification suggested allows traffic both ways.


    Glad it's working!

  • I spoke too soon. This fix is not working anymore, and it didn't work on my other UTMs.


    Thank you for trying to help.


    I even tried making two separate rules instead of adding both to the source and destination. No joy.

  • Just a thought - make sure you're using the right interfaces in the rules.  They should be "Internal (Network)" and "VPN Pool (L2TP)".

    Also make sure they map to the IP ranges that you expect.

    Remember that for any traffic to flow from your internal network to your VPN clients, your internal network machines must be using the UTM as their gateway. 

    How are you determining traffic - ping?

  • Jason, if you're still having this issue, show a picture of the 'Main Settings' for 'L2TP over IPsec' and a picture of your firewall rule open in Edit.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for reaching out. Yes I am still hitting a wall.  Here are the images you requested.  I'm hoping it's something stupid that I'm missing.

  • The thing that jumps out at me is that the wrong pool is being used in the rules - it should be VPN Pool (L2TP).  I would also put the Pool network and the internal network on BOTH sides of the firewall rule so traffic flows both ways.

  • Shaun, since the UTM is a stateful firewall, Jason doesn't need to allow response traffic from "Internal (Network)."

    Jason, you didn't answer Shaun's question about ping.  Pinging is regulated on the 'ICMP' tab of 'Firewall'.  If you haven't selected to allow the firewall to forward pings on that tab, your "Any" allow rule won't forward pings - "Any" only includes TCP and UDP, not any other IP Protocols.

    If that doesn't get you there, what does #1 in Rulz tell you?

    Cheers - Bob

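The three points Bob and Shaun make above (a stateful firewall accepts replies to an allowed flow without a reverse rule, an "Any" service covers TCP and UDP but not ICMP, and ping forwarding is a separate setting) can be checked against a small model. The code below is an added example written for this page; it is not Sophos code and does not reproduce the UTM's real packet filter. The network ranges, host addresses and the `forward_icmp` flag are constructed for the illustration, and the "Any = TCP+UDP" behaviour is modelled exactly as the thread describes it. The last function models Shaun's gateway point: an internal host only sends its reply through the UTM if the UTM is its default gateway.

```python
"""Toy model of the UTM rule behaviour discussed in the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Constructed address ranges; the real UTM defaults are not taken from the page.
VPN_POOL_L2TP = ipaddress.ip_network("10.242.2.0/24")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
UTM_LAN_IP = "192.168.1.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # 0 for ICMP, which has no ports
    dport: int = 0


@dataclass
class Rule:
    sources: list       # list of ip_network objects
    destinations: list  # list of ip_network objects
    service: str        # "Any" or a protocol name such as "tcp"

    def matches(self, pkt: Packet) -> bool:
        src_ok = any(ipaddress.ip_address(pkt.src) in n for n in self.sources)
        dst_ok = any(ipaddress.ip_address(pkt.dst) in n for n in self.destinations)
        if self.service == "Any":
            # As stated in the thread: "Any" means TCP and UDP only, not ICMP.
            svc_ok = pkt.proto in ("tcp", "udp")
        else:
            svc_ok = pkt.proto == self.service
        return src_ok and dst_ok and svc_ok


class StatefulFirewall:
    """Default-deny filter that remembers flows it has accepted."""

    def __init__(self, rules, forward_icmp=False):
        self.rules = rules
        self.forward_icmp = forward_icmp   # models the 'ICMP' tab setting
        self.flows = set()

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def forward(self, pkt: Packet) -> str:
        # Replies to an already-accepted flow pass without a reverse rule.
        if self._reverse_key(pkt) in self.flows:
            return "ACCEPT (established)"
        # Ping is governed by the separate ICMP forwarding setting, not by rules.
        if pkt.proto == "icmp":
            if self.forward_icmp:
                self.flows.add(self._key(pkt))
                return "ACCEPT (icmp forwarding)"
            return "DROP (icmp forwarding disabled)"
        for rule in self.rules:
            if rule.matches(pkt):
                self.flows.add(self._key(pkt))
                return "ACCEPT (rule)"
        return "DROP (default deny)"


def reply_reaches_utm(host_ip: str, host_default_gw: str, dst_ip: str) -> bool:
    """An internal host sends off-subnet replies to its default gateway only."""
    host_net = ipaddress.ip_network(f"{host_ip}/24", strict=False)
    if ipaddress.ip_address(dst_ip) in host_net:
        return False  # on-link destination, the UTM is never involved
    return host_default_gw == UTM_LAN_IP


def run_scenarios() -> dict:
    """Evaluate the thread's single one-way rule against a few constructed packets."""
    rule = Rule([VPN_POOL_L2TP], [INTERNAL_NET], "Any")
    vpn_client, file_server = "10.242.2.10", "192.168.1.20"
    syn = Packet(vpn_client, file_server, "tcp", 51000, 445)
    syn_ack = Packet(file_server, vpn_client, "tcp", 445, 51000)
    ping = Packet(vpn_client, file_server, "icmp")
    ping_reply = Packet(file_server, vpn_client, "icmp")

    fw_off = StatefulFirewall([rule], forward_icmp=False)
    fw_on = StatefulFirewall([rule], forward_icmp=True)
    return {
        "tcp_from_vpn": fw_off.forward(syn),
        "tcp_reply_from_internal": fw_off.forward(syn_ack),
        "ping_icmp_off": fw_off.forward(ping),
        "ping_icmp_on": fw_on.forward(ping),
        "ping_reply_icmp_on": fw_on.forward(ping_reply),
        "reply_via_utm_gateway": reply_reaches_utm(file_server, UTM_LAN_IP, vpn_client),
        "reply_via_other_gateway": reply_reaches_utm(file_server, "192.168.1.254", vpn_client),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} {outcome}")
```

Running it shows the single VPN-pool-to-internal rule already lets SMB traffic and its replies through, that a ping test fails until ICMP forwarding is enabled, and that a host pointed at some other default gateway never hands its reply to the UTM at all, which explains why a ping test can mislead when the firewall rule itself is fine.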