XG125 || Connection Errors with MS Products while SSL-VPN Client || Connection to VPN L2TP Cert failed in Win 10 || low IPSec credentials for L2TP PSK

Hi everybody,

this is a "copy" (https://community.sophos.com/products/unified-threat-management/f/german-forum/114929/xg125-ssl-vpn-client-und-ms-produkte-vpn-l2tp-cert-credentials-for-l2tp-psk) of my question in the UTM group, because it's an XG question.

Since the beginning of August we have been trying to calibrate a new XG 125 in our company network, and we want to use the VPN options for several reasons:

- customer support and remote access (over one IP)

- connecting infrastructure over S2S

- protection rules and policies for home office workers and sales

But here our problems start: my first try to chat with Sophos ended with a ticket on the west coast of the USA - time difference 9 h, so no option to call during office time. Now they're trying to change the service support zone from the USA to the UK, but this could take months (answer from Sophos) until a support worker from Sophos UK answers me. Because I don't have so much time, I will try it here.

We are a software development company and most of our workers work from home with their own infrastructure like a Fritz!Box and their own ISP. Part of our work is software maintenance.

1. One security policy for connecting to or getting remote access to the customer system is to connect to the VPN. Currently we use different VPN clients because of different problems. With the XG we started with the Sophos SSL Client (OpenVPN based). But during the VPN connection we have connection problems with the office tools like Outlook and OneNote. If we cut the VPN the connection is fine.

- During the VPN session Outlook loses the connection to the Office 365 Exchange and can't reconnect (error message: server not available or no internet), and in OneNote the note sync fails because the access authentication failed (error message: server not available or no internet).

- Sometimes a reconnect to the VPN fixes the issue for 4 h, but not continuously.

> Firewall policy:

VPN (any host) to WAN (any host); any service; accept.

> No filters, no HTTP scan, no HTTPS scan, just NAT

> and yes, internet is connected


2. Because of the problems in >1< we tried the built-in L2TP/IPsec connection with a cert key like here: https://community.sophos.com/kb/en-us/132253

- But we can't get any connection with a cert key.


3. Because of the problems in >1 and 2< we tried the built-in L2TP/IPsec connection with a PSK.

- But the connection with acceptable credentials like AES 256 fails. The only working L2TP connection needs MD5 or less.

- Does anybody have some information or help?


thanks a lot,

Michael

  • Hi,

    I would request you to PM the service request number.

    Can you please share the L2VP connection logs while you connect the L2TP VPN from the user machine?

  • In reply to Keyur:

    Hi Keyur,

    I sent you the SR# by PM.

    I try not to use the L2TP/L2VP connection, and I'm not sure what you can see in the logs during the L2(T|V)P connection when the connection itself is the problem.

    To reduce the problems I use OpenVPN from https://openvpn.net instead of the Sophos SSL client. The problems with MS products are the same, but the connection lifetime is longer.

  • Hi

    Have you thought about trying the Sophos Connect Client? It might be a good option to try while our Support team looks into this. This can be done without any modification to the existing setup; the VPN to WAN firewall rule you've configured would be good enough.

  • In reply to Jaydeep:

    Hi Jaydeep,

    thx for this answer. Until now I wasn't trying the Sophos Connect Client, but sure I could. Maybe there is some time later this day. I will give you an answer.

  • In reply to Michael Nährig:

    Hi Jaydeep,

    same problems. I configured and installed it, but I get the same issues with MS products.

  • In reply to Michael Nährig:

    I am guessing this is one of the following:

    1. A DNS issue (less likely if all else works other than Office 365)

    2. MTU/MSS problem (likely that the sessions are using your normal network until it times out or closes, then use the VPN's routes hours later)

    3. Web filter on the XG is not configured correctly (if you are doing SSL scanning etc. you should have O365 exceptions in place). If this was the case, your local users would have problems too.

    My guess is MTU/MSS. You can try to lower it in the configuration file of the SSL VPN by adding the line below, reconnecting and seeing if the behavior is still present.

    mssfix 1200

  • In reply to MasterRoshi:

    Hi MasterRoshi,

    I will give this a try.

    #1: This was my first guess, but there are no problems for WiFi and LAN devices without VPN.

    #2: I will give this a try in my config file.

    #3: At this point we don't use any filter. We want to use some, but first we want a stable and error-free connection, so I cut all options in the filter configuration first.

    -> I'll start with adding mssfix 1200 to my VPN config and will give this a try.

  • In reply to Michael Nährig:

    Hi MasterRoshi,

    Unfortunately not. Same connection issues in OneNote.

  • In reply to Michael Nährig:

    Can you please share the SSL VPN configuration?

    Do you use the SSL VPN as the default gateway or split tunneling?

  • In reply to Michael Nährig:

    Are you perhaps using UDP instead of TCP for your VPN?

  • In reply to LuCar Toni:

    Hello LuCar,

    we need to get remote access to some customer remote systems (RDP, TeamViewer, other software), and the customer firewalls are configured so that only our central IP can connect, so we need to use the VPN as the default gateway. If there is any option (I don't know) to route (1) customer remote access via the VPN gateway and normal internet and office use by split tunneling, I would love this option, but I guess this is an unavailable feature.

    VPN Config

    ip-win32 dynamic
    client
    dev tun
    proto udp
    explicit-exit-notify
    verify-x509-name xxx
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    <ca>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    </key>
    auth-user-pass
    cipher AES-128-CBC
    auth SHA256
    comp-lzo yes
    route-delay 4
    verb 3
    reneg-sec 0
    remote <PublicIP> 8443
    remote 10.255.0.1 8443
    remote 192.168.187.1 8443

    @MasterRoshi: yes, we are using UDP because it is the recommendation in the FAQ from Sophos because of the speed. Could this be the reason for the issue?
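    As an added example (not from this thread or from Sophos), a small Python audit of an OpenVPN client profile for the points raised in MasterRoshi's MTU/MSS suggestion and LuCar Toni's default-gateway question: it flags a missing mssfix/MTU directive, weak cipher or auth values, and a profile that leaves redirect-gateway to be pushed by the server. The profile text is constructed and only modelled on the one posted above; the hostname is a placeholder.

```python
# Constructed audit (see lead-in); not the thread's own code.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

# Constructed sample modelled on the posted profile; hostname is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
route remote_host 255.255.255.255 net_gateway
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
cipher AES-128-CBC
auth SHA256
remote vpn.example.invalid 8443
"""

def parse_profile(text):
    """Map each directive to the argument lists it appears with; comments and
    inline <ca>/<cert>/<key> blocks are skipped, repeated directives kept."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):  # enter (<ca>) or leave (</ca>) an inline block
            in_block = not line.startswith("</")
            continue
        if in_block:
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts

def audit_profile(text):
    """Return findings for the three points raised in the thread."""
    opts = parse_profile(text)
    findings = []
    # MTU/MSS: without mssfix/tun-mtu/fragment, large TCP segments may be lost in the tunnel
    if not any(k in opts for k in ("mssfix", "tun-mtu", "fragment")):
        findings.append("no mssfix/tun-mtu set: try 'mssfix 1200' to rule out an MTU problem")
    for directive, weak in (("cipher", WEAK_CIPHERS), ("auth", WEAK_DIGESTS)):
        for args in opts.get(directive, []):
            if args and args[0].upper() in weak:
                findings.append(f"weak {directive}: {args[0]}")
    if "redirect-gateway" not in opts:  # full tunnel then depends on a server push
        findings.append("redirect-gateway not in profile: default-gateway routing relies on server push")
    return findings
```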

     
  • In reply to Michael Nährig:

    It's possible if you have IPsec S2S VPNs that are flapping.

    Go to the console and run set vpn conn-remove-tunnel-up disable if you do, and report back if the issue is still present afterwards.

  • In reply to MasterRoshi:

    ok, I'll give this a try in the console (4. Device Console).

    i will give you an answer.

  • In reply to Michael Nährig:

    :/

    Until a few minutes ago I was so happy and thought the problem was resolved, but now again a connection error in OneNote. After a VPN reconnect the problem no longer exists for a long time, but it is not resolved. The last VPN reconnect was for 6 hours today.