Question about country blocking for IPsec Xauth PSK on XG Firewall and Local/Remote ID

Hello,

I got two questions that I could not resolve despite extensive reading of the XG documentation.

On my XG, Sophos Client Connect is enabled, and all connections are well established from Windows remote hosts and from Android mobile phones' native VPN client using IPsec Xauth PSK.

1) To narrow down the attack surface, I would like to apply an additional geoip block filter to the VPN. I have different webservers behind the firewall where geoip blocking works great with XG. For VPN, however, it seems that the rules are not handled by the firewall rules. How can I configure this?

2) In addition to the PSK in IPsec, I would like to add an additional security layer by defining a Remote ID. As I've read in the documentation, this could be DNS, IP or even an arbitrary string. So in the XG Client Connect configuration I chose an email example (xyz@xyz.xyz) as Remote ID; the same was used on the VPN client as IPsec ID. Unfortunately, when adding these strings on both sides the connection can't be established. I am not sure how IP or DNS could work because the clients have dynamic IPs.

Thanks for shedding some light on these points.

Marc

  • Hello Marc,

    Thank you for contacting the Sophos Community!

    As per your first question I didn't understand what you are trying to achieve here, please clarify

    As per your second question, every time you configure a setting for Local ID and Remote ID you need to export the configuration and export it in the Sophos Connect Client. After this, it would connect. It doesn't really matter what setting you use for IP, DNS or email, as when you download the configuration this configuration file will have this setting filled in, and when the user connects the XG will check for this value, which will be sent automatically by the Sophos Connect Client.

    Regards,


  • In reply to emmosophos:

    Hello,


    Thank you for your answer.

    Let me simplify the first question: How can I restrict the access to the Sophos Client Connect VPN service on XG only for a predefined list of IPs or countries? Country Blocking rules in the Firewall (as described here https://community.sophos.com/kb/en-us/123007) do not work in case of IPsec.

    As per the second question: The Sophos Client Connect Service is nothing else than IPsec XAuth with PSK. That's why I can use the native Android VPN client to connect to XG using that method. When I leave Remote ID and Local ID empty in the configuration of the Sophos Client Connect Service on XG, I can connect without problems with an Android VPN client. However, when I add a Remote ID in XG (as an additional security layer) and put the same Remote ID on the native Android VPN client (in the IPsec ID field), the connection cannot be established.

    Thanks in advance,

    Marc
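The thread does not say why the same string on both sides fails to match. One thing worth knowing when debugging this is that an IKEv1 identity is not just a string: the Identification payload carries an ID type (IPv4 address, FQDN, USER_FQDN/email, opaque KEY_ID, ...) together with the value, and a gateway compares both. The following is an added example (not code from the thread, from Sophos or from any VPN client) that encodes and parses the RFC 2407 Identification payload and shows how "xyz@xyz.xyz" sent as a KEY_ID does not match the same text expected as USER_FQDN. The heuristic in `classify_remote_id` and the claim that a given client sends a particular type are assumptions for illustration, not facts from the page.

```python
import ipaddress
import struct

# ISAKMP / IPsec DOI identification types (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_KEY_ID = 1, 2, 3, 11
ID_NAMES = {
    ID_IPV4_ADDR: "IPv4 address",
    ID_FQDN: "DNS name (FQDN)",
    ID_USER_FQDN: "email (USER_FQDN)",
    ID_KEY_ID: "opaque string (KEY_ID)",
}

# Identification payload header: next payload, reserved, payload length,
# ID type, protocol ID, port (RFC 2408 section 3.8 with the DOI split of RFC 2407).
HEADER = struct.Struct("!BBHBBH")


def encode_id_payload(id_type, value, next_payload=0):
    """Build an IKEv1 Identification payload (8-byte header + identification data)."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(value).packed
    elif id_type in (ID_FQDN, ID_USER_FQDN, ID_KEY_ID):
        data = value.encode("ascii")
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    # Payload length covers the header as well as the data.
    return HEADER.pack(next_payload, 0, HEADER.size + len(data), id_type, 0, 0) + data


def decode_id_payload(buf):
    """Parse an Identification payload defensively; returns (id_type, value)."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated identification payload")
    _, _, length, id_type, _, _ = HEADER.unpack_from(buf)
    if length < HEADER.size or length > len(buf):
        raise ValueError("payload length field is inconsistent with buffer")
    data = buf[HEADER.size:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("IPv4 identity must be exactly 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN, ID_KEY_ID):
        return id_type, data.decode("ascii")
    raise ValueError(f"unsupported ID type {id_type}")


def classify_remote_id(text):
    """Assumed heuristic: the ID type a gateway would expect for a configured Remote ID string."""
    try:
        ipaddress.IPv4Address(text)
        return ID_IPV4_ADDR
    except ValueError:
        pass
    if "@" in text:
        return ID_USER_FQDN
    if "." in text:
        return ID_FQDN
    return ID_KEY_ID


def peer_id_matches(expected_type, expected_value, payload):
    """Gateway-side check: the peer's identity matches only if type AND value agree."""
    got_type, got_value = decode_id_payload(payload)
    return got_type == expected_type and got_value == expected_value


def explain_mismatch(expected_type, expected_value, payload):
    """Human-readable reason for a failed identity check, useful when reading IKE logs."""
    got_type, got_value = decode_id_payload(payload)
    if got_value != expected_value:
        return f"value mismatch: expected {expected_value!r}, got {got_value!r}"
    if got_type != expected_type:
        return f"type mismatch: expected {ID_NAMES[expected_type]}, got {ID_NAMES[got_type]}"
    return "match"


if __name__ == "__main__":
    configured = "xyz@xyz.xyz"                      # Remote ID as typed on the gateway
    expected_type = classify_remote_id(configured)  # -> USER_FQDN (email)
    # Constructed peer identities: one sent as email, one as an opaque KEY_ID string.
    for peer_type in (ID_USER_FQDN, ID_KEY_ID):
        payload = encode_id_payload(peer_type, configured)
        print(f"peer sends {ID_NAMES[peer_type]:<24} -> "
              f"{explain_mismatch(expected_type, configured, payload)}")
```

The practical takeaway for the defender is that when a Remote ID check fails, compare the identity type that the gateway logs against the one the client actually sends, not only the text of the identifier.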

  • In reply to M Bel:

    Hi,

    Connecting to the VPN from the remote end requires multiple parameters to match; only the users added in the Sophos Connect VPN are able to access the VPN, not anyone out there. It is already a secure technology for connecting from a remote location: it requires the client and authentication details to connect.

    IPsec works on ports 500 and 4500; you can create a black hole firewall rule for these ports as a service and add the IP addresses as per your requirement.

    Please refer to the article - https://community.sophos.com/kb/en-us/134380
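To make the suggested design concrete, the following is an added example (not code from the thread, from Sophos or from the linked KB article) that models a two-rule policy for IKE traffic: an allow rule for a list of permitted source prefixes evaluated first, then a black hole rule that drops everything else on UDP 500 and 4500. It runs the policy over constructed log lines in a made-up key=value format (not XG's real log format) and also reports which IKE port a black hole rule forgets, since a rule on 500 alone still leaves NAT-T on 4500 reachable. The prefixes and addresses are documentation ranges chosen for the example.

```python
import ipaddress
import re

# UDP ports used by IKE (500) and IKE NAT traversal / ESP-in-UDP (4500).
IKE_PORTS = frozenset({500, 4500})

# Constructed allowlist of permitted source prefixes (documentation ranges, not real values).
ALLOWED_SOURCES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample log lines in an invented key=value format.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z proto=udp src=198.51.100.7 dst=203.0.113.1 dport=500
2024-03-01T08:00:02Z proto=udp src=198.51.100.7 dst=203.0.113.1 dport=4500
2024-03-01T08:00:05Z proto=udp src=192.0.2.44 dst=203.0.113.1 dport=500
2024-03-01T08:00:06Z proto=udp src=192.0.2.44 dst=203.0.113.1 dport=4500
2024-03-01T08:00:09Z proto=tcp src=192.0.2.44 dst=203.0.113.1 dport=443
2024-03-01T08:00:10Z proto=udp src=2001:db8:1::10 dst=2001:db8:ffff::1 dport=500
"""

LINE_RE = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")


def parse_line(line):
    """Extract (proto, src, dport) from one constructed log line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return m["proto"], m["src"], int(m["dport"])


def decide(proto, src, dport, allowed=ALLOWED_SOURCES, ike_ports=IKE_PORTS):
    """Ordered evaluation: the allow rule for permitted sources wins, then the black hole drops."""
    if proto != "udp" or dport not in ike_ports:
        return "not-ike"          # these two rules only concern IKE traffic
    ip = ipaddress.ip_address(src)
    # Mixed address families never match (IPv4 in an IPv6 network is simply False).
    if any(ip in net for net in allowed):
        return "allow"
    return "drop"


def evaluate_log(text, allowed=ALLOWED_SOURCES):
    """Return a list of (src, dport, verdict) for every non-empty log line."""
    verdicts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dport = parse_line(line)
        verdicts.append((src, dport, decide(proto, src, dport, allowed)))
    return verdicts


def blackhole_gaps(blocked_ports, ike_ports=IKE_PORTS):
    """IKE ports a black hole rule leaves open; a rule on 500 alone still exposes NAT-T on 4500."""
    return sorted(ike_ports - set(blocked_ports))


if __name__ == "__main__":
    for src, dport, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{src:>16} udp/{dport:<5} -> {verdict}")
    print("ports missing from a 500-only black hole rule:", blackhole_gaps({500}))
```

Whatever the firewall product, the two properties to verify after deploying such rules are the ones this script checks: the allow rule is evaluated before the drop rule, and the drop covers both 500 and 4500.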

  • In reply to Keyur:

    Thank you for the black hole hint. It seems that the KB article is written for v17 of XG. I still did not get it working with the decoupled NAT design of v18. Do I only need a firewall rule, or also a NAT rule, to accomplish this?