Connection may fail because IKE UDP Port seems to be blocked

Hi,

I've upgraded to 17.5 and I am trying to use the new Sophos VPN Client and I get the above message when logging on. No connection can be created. Please help. I've tried turning off the firewall on my PC and my local router. Is there something else I need to enable on the Sophos XG?

Cheers,

Max

  • Hi,

    does your firewall rule allow IKE port 4500 out? When viewing the log viewer what rule do you see IKE failing with?

    Ian

  • I have the same issue; it seems the ISP blocks it. Were you able to solve it?

  • In reply to Khaled Maged:

    No I have not solved it. I tried using 4G connection and still no luck.

  • In reply to Max Roberts:

    scvpn.log will provide you additional information on this. Can you please post or attach that log file here? You can find this file in the c:\program files (x86)\sophos\connect folder on Windows and in the /var/log folder on the Mac if you are using Sophos Connect on Mac.

  • Any luck on this? In the client log it sends the packets to x.x.x.x:500 and after about 5 attempts it gives up.

    I have in the firewall rule both UDP 4500 and UDP 500 to be allowed but still it is blocked. Is one of the device access check boxes needed to enable this?

    Log viewer shows it's being blocked with no firewall rules matching it.

  • In reply to Luis Londono:

    Please post a screenshot of your rule that is supposed to pass the IKE connections.

    Ian

  • In reply to rfcat_vk:

    Hello Ian,

    It would help to troubleshoot this problem if your firewall admin can ssh to the XG device. In the main menu select option 4. There you can use tcpdump and see if you are getting any IKE packets from your client after you enable the connection.

     tcpdump "port 500 or port 4500"

    Ramesh

  • In reply to rmk_2018:

    Hi Ramesh,

    I have asked for information from the various posters in this thread who are complaining about IKE not working but no-one posts the requested information.

    I know IKE works; I have had equipment set up on my network in the past which required IKE and associated ports.

    Ian

  • In reply to rfcat_vk:

    Screenshot of my firewall rule. IKE services are UDP 500 and UDP 4500.

  • In reply to rmk_2018:

    Got the following from the tcpdump. Seems it tries but the XG does not respond.

    08:52:26.582436 vxlan3, IN:   P 00:21:6a:80:c9:8e ethertype Unknown (0x0064), length 76:
            0x0000:  0000 0800 4500 0038 40df 0000 8011 285a  ....E..8@.....(Z
            0x0010:  c0a8 2d0b 42a2 a126 eb2f 01f4 0024 30e6  ..-.B..&./...$0.
            0x0020:  0001 0203 0405 0607 0000 0000 0000 0000  ................
            0x0030:  0010 0400 0000 0000 0000 0000            ............
    08:52:26.582436 vxlan3.100, IN: IP x.x.x.x.60207 > x.x.x.x.500: isakmp: phase 1 I agg
    08:52:26.582436 WIFI, IN: IP x.x.x.x.60207 > x.x.x.x.500: isakmp: phase 1 I agg
    08:52:29.038232 vxlan3, IN:   P 00:21:6a:80:c9:8e ethertype Unknown (0x0064), length 252:
            0x0000:  0000 0800 4500 00e8 40e0 0000 8011 27a9  ....E...@.....'.
            0x0010:  c0a8 2d0b 42a2 a126 dfc2 01f4 00d4 efa3  ..-.B..&........
            0x0020:  4053 2a68 a845 f80f 0000 0000 0000 0000  @S*h.E..........
            0x0030:  0110 0200 0000 0000 0000 00cc 0d00 0050  ...............P
            0x0040:  0000 0001 0000 0001 0000 0044 0001 0002  ...........D....
    08:52:29.038232 vxlan3.100, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:29.038232 WIFI, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:32.030608 vxlan3, IN:   P 00:21:6a:80:c9:8e ethertype Unknown (0x0064), length 252:
            0x0000:  0000 0800 4500 00e8 40e1 0000 8011 27a8  ....E...@.....'.
            0x0010:  c0a8 2d0b 42a2 a126 dfc2 01f4 00d4 efa3  ..-.B..&........
            0x0020:  4053 2a68 a845 f80f 0000 0000 0000 0000  @S*h.E..........
            0x0030:  0110 0200 0000 0000 0000 00cc 0d00 0050  ...............P
            0x0040:  0000 0001 0000 0001 0000 0044 0001 0002  ...........D....
    08:52:32.030608 vxlan3.100, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:32.030608 WIFI, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:38.030368 vxlan3, IN:   P 00:21:6a:80:c9:8e ethertype Unknown (0x0064), length 252:
            0x0000:  0000 0800 4500 00e8 40e2 0000 8011 27a7  ....E...@.....'.
            0x0010:  c0a8 2d0b 42a2 a126 dfc2 01f4 00d4 efa3  ..-.B..&........
            0x0020:  4053 2a68 a845 f80f 0000 0000 0000 0000  @S*h.E..........
            0x0030:  0110 0200 0000 0000 0000 00cc 0d00 0050  ...............P
            0x0040:  0000 0001 0000 0001 0000 0044 0001 0002  ...........D....
    08:52:38.030368 vxlan3.100, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:38.030368 WIFI, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:50.673387 vxlan3, IN:   P b0:ca:68:7c:9e:80 ethertype Unknown (0x0065), length 472:
            0x0000:  0000 0800 4500 01c4 9905 0000 4011 c69a  ....E.......@...
            0x0010:  c0a8 3216 81c0 a50a 01f4 01f4 01b0 99a9  ..2.............
            0x0020:  03f6 c590 5fd0 4d73 0000 0000 0000 0000  ...._.Ms........
            0x0030:  2120 2208 0000 0000 0000 01a8 2200 0030  !."........."..0
            0x0040:  0000 002c 0101 0004 0300 000c 0100 000c  ...,............
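    Added example, not code from the thread or from Sophos: a small Python script that reads tcpdump summary lines in the format pasted above and reports, per client address, whether the XG ever sent an IKE reply back. The SAMPLE lines are constructed with documentation addresses, and the script assumes the console tags direction as IN/OUT the way the pasted output does (the hex-dump lines are skipped).

```python
import re
from collections import defaultdict

# One-line tcpdump summaries as printed on the XG console; hex-dump lines never match and are skipped.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<info>.*)$"
)
IKE_PORTS = {"500", "4500"}  # IKE, and IKE over NAT-T

# Constructed sample in the thread's format with documentation addresses (assumption: the console
# tags direction as IN/OUT). 192.0.2.10 is never answered; 192.0.2.20 gets a responder packet.
SAMPLE = [
    "08:52:26.582436 vxlan3.100, IN: IP 192.0.2.10.60207 > 198.51.100.1.500: isakmp: phase 1 I agg",
    "08:52:26.582436 WIFI, IN: IP 192.0.2.10.60207 > 198.51.100.1.500: isakmp: phase 1 I agg",
    "        0x0000:  0000 0800 4500 0038 40df 0000 8011 285a  ....E..8@.....(Z",
    "08:52:29.038232 WIFI, IN: IP 192.0.2.10.57282 > 198.51.100.1.500: isakmp: phase 1 I ident",
    "08:53:01.100000 Port2, IN: IP 192.0.2.20.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 1 I ident",
    "08:53:01.100500 Port2, OUT: IP 198.51.100.1.4500 > 192.0.2.20.4500: NONESP-encap: isakmp: phase 1 R ident",
]

def parse_ike(lines):
    """Yield one record per distinct IKE packet; a packet seen on two interfaces counts once."""
    seen = set()
    for line in lines:
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec["sport"] not in IKE_PORTS and rec["dport"] not in IKE_PORTS:
            continue
        key = (rec["ts"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if key not in seen:
            seen.add(key)
            yield rec

def ike_health(lines):
    """Per client address: IKE packets it sent to the firewall, replies it received, and a verdict."""
    stats = defaultdict(lambda: {"sent": 0, "replied": 0})
    for rec in parse_ike(lines):
        if rec["dir"] == "IN" and rec["dport"] in IKE_PORTS:
            stats[rec["src"]]["sent"] += 1        # client -> firewall
        elif rec["dir"] == "OUT" and rec["sport"] in IKE_PORTS:
            stats[rec["dst"]]["replied"] += 1     # firewall -> client
    for s in stats.values():
        # one-way: the packets reached the firewall, so the ISP is not the blocker; look at the rule / IKE listener
        s["verdict"] = "one-way" if s["sent"] and not s["replied"] else "two-way" if s["sent"] else "replies-only"
    return dict(stats)
```

A "one-way" verdict for a client is exactly the pattern in the pasted dump: initiator packets arriving on the inside interfaces with no responder packet going back.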

  • In reply to rfcat_vk:

    Can you show your firewall configuration for IKE?

  • In reply to Luis Londono:

    Hi Luis,

    I have now been able to have a good look at your rule, and it is very strange. Where is the IKE device located? The rule implies it is internal, and you are using the wrong setup for the ports; you need to reverse them.

    I had to return the device that used IKE when I retired and have since deleted the rule.

    Ian