Can't get remote network

I just started trying to deploy the new Sophos Connect client and went through the directions. It will connect and I get an IP, but the remote network shows up as 0.0.0.0.

Of course, I can't access any devices on the remote end. Anything else I should check? This is a brand new XG install with all the defaults. All I did was create a user and enable Sophos Connect. 

  • Hello Matthew,

    Yes, you need to configure the firewall rules to allow traffic from VPN to LAN and LAN to VPN zones. After you create this firewall rule you will be able to access your internal hosts.

    Please let us know if this works for you.

    Ramesh

  • In reply to rmk_2018:

    Still no dice. I had already created a VPN to LAN rule but didn't have a LAN to VPN. 

    I added the following rules but still get no communication through the VPN client. 

    Further, I have also tried SSL and L2TP VPN connections but they refuse to connect. I'm assuming the problem is definitely the firewall blocking something.

  • In reply to Matthew Bradley:

    Hello Matthew,

    Got it. I think the problem you have may be related to the overlapping DHCP range for SSL VPN and Sophos Connect Client. Please verify that you are not using the same range for the two. 

    Ramesh

  • In reply to rmk_2018:

    I've verified that the SSL IP range doesn't overlap with Sophos Connect. 

    SSL VPN is a completely different private subnet. Sophos Connect is 192.168.20.50 - 192.168.20.60

    DHCP range is 192.168.20.100 - 192.168.20.199

    I've also tried putting the Sophos Connect IP lease range to something within my main DHCP pool with the same results. 

    Still nothing. 

  • In reply to Matthew Bradley:

    Matthew,

    Please share the DHCP range for SSL VPN and the DHCP range for Sophos Connect Client as configured.

    Ramesh

  • In reply to rmk_2018:

    Hello Matthew,

    As per your last email I see they are in the same subnet. Please make them different subnets. Once you fix that and reconnect with Sophos Connect it will be good to go.

    Ramesh

  • In reply to rmk_2018:

    Ugh, now after changing the IP range on the SSL lease (just to make sure they didn't overlap), I'm getting the following error. I tried on a couple machines so I'm not sure what else could have changed. 

  • In reply to Matthew Bradley:

    Hello Matthew,

    Sorry you hit upon another problem. Please see this post to get this problem resolved.

    https://community.sophos.com/products/xg-firewall/f/sophos-connect/111782/17-5-3-mr3---creating-an-ipsec-connection-damages-the-configuration-of-the-sophos-connect-server

    Also, this bug has been fixed in the next version of Sophos Connect 1.3. So for now you have to use this workaround. Change the tgb file or scx file and import the connection file again. It will work.

    Please let us know.

    Ramesh

  • In reply to rmk_2018:

    Ok, that fixed that issue at least. However, now I'm back to the original problem of not getting a remote network still. I made sure no IP ranges were overlapping and even used a completely different subnet this time.

  • In reply to Matthew Bradley:

    Further, I'm getting firewall denied in the log from my public IP to the public IP of the Sophos client.

  • In reply to Matthew Bradley:

    Hello Matthew,

    Sorry for the delay. If the policy is configured for tunnel all then you need to add a firewall rule from VPN to WAN.

    If you do not want to have a tunnel all policy then use Sophos Connect Admin and configure a split tunnel policy. In this case you will not need the VPN to WAN rule.

    Please let me know if this works for you after you give that a try.

    Thank you,

    Ramesh

  • In reply to Matthew Bradley:

    What's in the tgb or scx file you're importing into the client?

  • In reply to Matthew Bradley:

    I'm posting this for the benefit of anyone that has this problem, connected via Sophos Connect with no remote network access.

    All the setup info I've found focuses on VPN>Sophos Connect client settings, only discussing firewall rules for WAN access due to default 'Tunnel all' configuration with Sophos Connect. (No mention of any other firewall rules, Host and services objects or where the mystery users that we select come from or how to create them if they don't exist.... grrrrr). 

    As I have two Site to Site IPSec VPNs up and working, I'm a little familiar with the process of making them work so........ This is what I did to make Sophos Connect work with the XG 115 and actually access the remote network.

    1. I followed the setup info provided from Sophos for VPN>Sophos Connect client (Assigned an IP range on a completely different private subnet from any other network in my topology, just like I would for a remote site). Downloaded Sophos Connect client installer and exported the connection .tgb file.

    2. Loaded Sophos Connect on the target laptop. Imported the .tgb connection file (machine was off-site, simulating a hotel room somewhere). 

         a. Sophos Connect would connect to the XG but no access from there. I could ping the remote network gateway IP but nothing else on the remote network. Not sure about WAN as I did not set up a firewall rule for that (So the documentation is correct, I was able to establish a connection using those instructions. I just couldn't do anything with it except ping the gateway). 

    3. Here is where I departed from Sophos' documentation regarding Sophos Connect setup.

         a. Utilizing my experience setting up Site to Site IPSec VPN connections, I added an IP range entry in Hosts and services>IP host for the IP range entered previously in VPN>Sophos Connect client. Named it something like Sophos_Connect. 

         b. I added this host to my existing Firewall>Traffic to Internal Zones>Outbound VPN Traffic (and Inbound VPN Traffic) rules that I created when setting up the Site to Site VPNs. Specifically, I added it to Destination Networks (for Outbound) and Source Networks (for Inbound).

    4. Like freaking magic, the Sophos Connect client machine was now able to ping and access resources on the remote network. I now had RDP access, which was my goal.
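
Added example, not part of any post in this thread: the discussion turns on the difference between lease ranges that do not overlap and ranges that still sit inside the same subnet, and this check reports the two conditions separately before a VPN pool is assigned. The /24 mask on the LAN and the 10.81.234.x replacement pool are assumptions; the other addresses are the ones quoted above.

```python
import ipaddress


def range_to_networks(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_vpn_pool(pool, other_ranges, local_networks):
    """Return a list of findings for a VPN lease pool given as (first, last).

    other_ranges:   {name: (first, last)} lease ranges already in use.
    local_networks: {name: "cidr"} subnets attached directly to the firewall.
    """
    findings = []
    pool_nets = range_to_networks(*pool)
    for name, rng in other_ranges.items():
        if any(a.overlaps(b) for a in pool_nets
               for b in range_to_networks(*rng)):
            findings.append(f"overlaps lease range {name}")
    for name, cidr in local_networks.items():
        net = ipaddress.ip_network(cidr)
        if any(a.overlaps(net) for a in pool_nets):
            findings.append(f"inside local subnet {name} ({net})")
    return findings


# Ranges quoted in the thread; the /24 mask on the LAN is an assumption.
LAN = {"LAN": "192.168.20.0/24"}
DHCP = {"LAN DHCP": ("192.168.20.100", "192.168.20.199")}

# Pool from the thread: no overlap with DHCP, but still inside the LAN subnet.
original = check_vpn_pool(("192.168.20.50", "192.168.20.60"), DHCP, LAN)
# Pool moved inside the main DHCP range, as also tried in the thread.
in_dhcp = check_vpn_pool(("192.168.20.150", "192.168.20.160"), DHCP, LAN)
# Constructed pool on a subnet used nowhere else in the topology.
separate = check_vpn_pool(("10.81.234.5", "10.81.234.55"), DHCP, LAN)

if __name__ == "__main__":
    for label, result in (("192.168.20.50-60", original),
                          ("192.168.20.150-160", in_dhcp),
                          ("10.81.234.5-55", separate)):
        print(f"{label}: {'; '.join(result) or 'ok'}")
```

A pool that passes this check still needs its own IP host object and a place in the VPN-to-LAN and LAN-to-VPN firewall rules, as the last post describes.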