Can't get remote network

I just started trying to deploy the new Sophos Connect client and went through the directions. It will connect and I get an IP, but the remote network shows up as 0.0.0.0.

Of course, I can't access any devices on the remote end. Anything else I should check? This is a brand new XG install with all the defaults. All I did was create a user and enable Sophos Connect. 

  • Hello Matthew,

    Yes, you need to configure the firewall rules to allow traffic from VPN to LAN and LAN to VPN zones. After you create this firewall rule you will be able to access your internal hosts.

    Please let us know if this works for you.

    Ramesh

  • In reply to rmk_2018:

    Still no dice. I had already created a VPN to LAN rule but didn't have a LAN to VPN. 

    I added the following rules but still get no communication through the VPN client. 

    Further, I have also tried SSL and L2TP VPN connections but they refuse to connect. I'm assuming the problem is definitely the firewall blocking something.

  • In reply to Matthew Bradley:

    Hello Matthew,

    Got it. I think the problem you have may be related to the overlapping DHCP range for SSL VPN and Sophos Connect Client. Please verify that you are not using the same range for the two. 

    Ramesh

  • In reply to rmk_2018:

    I've verified that the SSL IP range doesn't overlap with Sophos Connect. 

    SSL VPN is a completely different private subnet. Sophos Connect is 192.168.20.50 - 192.168.20.60.

    DHCP range is 192.168.20.100 - 192.168.20.199.

    I've also tried putting the Sophos Connect IP lease range to something within my main DHCP pool with the same results. 

    Still nothing. 

  • In reply to Matthew Bradley:

    Matthew,

    Please share the DHCP range for SSL VPN and the DHCP range for Sophos Connect Client as configured.

    Ramesh

  • In reply to rmk_2018:

    Hello Matthew,

    As per your last email I see they are in the same subnet. Please make them different subnets. Once you fix that and reconnect with Sophos Connect it will be good to go.

    Ramesh
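
The difference between lease ranges that do not overlap and pools that sit in separate subnets, which is the point of this exchange, shown as an added example that is not part of the original thread and is not Sophos code. The Sophos Connect and DHCP ranges are the ones quoted above; the /24 mask and the SSL VPN range are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Assumption: every pool sits behind a /24 mask; the thread never states the masks.
ASSUMED_PREFIX = 24

POOLS = {
    # Ranges quoted in the thread
    "Sophos Connect": ("192.168.20.50", "192.168.20.60"),
    "LAN DHCP": ("192.168.20.100", "192.168.20.199"),
    # Constructed sample: the thread only says "a completely different private subnet"
    "SSL VPN": ("10.81.234.5", "10.81.234.55"),
}

def parse_pool(first, last):
    """Return an inclusive (first, last) pair of address objects."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"pool start {lo} is above pool end {hi}")
    return lo, hi

def subnet_of(ip, prefix):
    """Network address of the subnet that contains ip at this prefix length."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address

def relation(a, b, prefix=ASSUMED_PREFIX):
    """Classify two pools as 'overlap', 'same-subnet' or 'separate'."""
    if a[0] <= b[1] and b[0] <= a[1]:
        return "overlap"  # at least one address could be leased twice
    # A pool touches every subnet from subnet_of(first) to subnet_of(last).
    a_lo, a_hi = subnet_of(a[0], prefix), subnet_of(a[1], prefix)
    b_lo, b_hi = subnet_of(b[0], prefix), subnet_of(b[1], prefix)
    if a_lo <= b_hi and b_lo <= a_hi:
        return "same-subnet"  # distinct addresses, but one shared network
    return "separate"

def audit(pools, prefix=ASSUMED_PREFIX):
    """Compare every pair of named pools and return {(name, name): verdict}."""
    parsed = {name: parse_pool(*rng) for name, rng in pools.items()}
    return {(x, y): relation(parsed[x], parsed[y], prefix)
            for x, y in combinations(parsed, 2)}

if __name__ == "__main__":
    for (x, y), verdict in audit(POOLS).items():
        print(f"{x} vs {y}: {verdict}")
```

The verdict depends on the mask: with a longer prefix such as /26 the same two 192.168.20.x ranges land in different subnets.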

  • In reply to rmk_2018:

    Ugh, now after changing the IP range on the SSL lease (just to make sure they didn't overlap), I'm getting the following error. I tried on a couple machines so I'm not sure what else could have changed. 

  • In reply to Matthew Bradley:

    Hello Matthew,

    Sorry you hit upon another problem. Please see this post to get this problem resolved.

    https://community.sophos.com/products/xg-firewall/f/sophos-connect/111782/17-5-3-mr3---creating-an-ipsec-connection-damages-the-configuration-of-the-sophos-connect-server

    Also this bug has been fixed in the next version of Sophos Connect 1.3. So for now you have to use this workaround. Change the tgb file or scx file and import the connection file again. It will work.

    Please let us know.

    Ramesh

  • In reply to rmk_2018:

    Ok, that fixed that issue at least. However now I'm back to the original problem of not getting a remote network still. I made sure no IP ranges were overlapping and even used a completely different subnet this time.

  • In reply to Matthew Bradley:

    Further, I'm getting firewall denied in the log from my public IP to the public IP of the Sophos client.

  • In reply to Matthew Bradley:

    Hello Matthew,

    Sorry for the delay. If the policy is configured for tunnel all then you need to add a firewall rule from VPN to WAN.

    If you do not want to have a tunnel all policy then use Sophos Connect Admin and configure a split tunnel policy. In this case you will not need the VPN to WAN rule.

    Please let me know if this works for you after you give that a try.

    Thank you,

    Ramesh

  • In reply to Matthew Bradley:

    What's in the tgb or scx file you're importing into the client?