After establishing the connection to XG Firewall version 17.5.1 MR1 through Sophos Connect, communication from the server installed behind the router to port udp/161 on the remote computer is impossible. Changing the VPN client to another one, for example to the Cyberoam SSL VPN or SecurePoint SSL VPN, causes the immediate return of communication via UDP. For all three tests this remote computer received an IP from the same subnet, and snmpwalk from the same server was used. Could this be a Sophos Connect error?
Hello Michal,
Without additional information it is hard to pinpoint the exact cause of the problem you are having with the Sophos Connect client. What is the policy configuration? Is it a tunnel-all policy or a split-tunnel policy? If it is a split-tunnel policy, check whether the destination network includes the network where the server is located. There is nothing in Sophos Connect that will specifically block communication via UDP/161.
Please let me know
Ramesh
Thank you for your response. This is a tunnel policy with full access to all private addresses behind the router.
{
  "name": "IT",
  "managed": false,
  "version": 1,
  "gateway": "a.b.c.d",
  "vip": "0.0.0.0",
  "auto_connect": { "name": "10.77.77.254", "required": false, "enabled": true },
  "proposals": "aes256-sha2_256-modp1024",
  "dpd_delay": 60,
  "rekey_time": 15300,
  "start_action": "none",
  "local_auth": { "psk": { "id": "0.0.0.0" }, "xauth": { "can_save": true }, "otp": false },
  "remote_auth": { "psk": { "id": "%any", "secret": "efgh" }, "otp": false },
  "child": {
    "rekey_time": 3060,
    "remote_ts": [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/17", "52.5.76.173/32" ]
  }
}
However, it looks like the problem lies somewhere else. After establishing the VPN tunnel through Sophos Connect, I unexpectedly get such a gateway: 169.254.128.128.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway         Interface   Metric
          0.0.0.0          0.0.0.0    192.168.178.1   192.168.178.222      25
         10.0.0.0        255.0.0.0  169.254.128.128      10.0.101.200      45
     10.0.101.200  255.255.255.255          On-link      10.0.101.200     291
      52.5.76.173  255.255.255.255  169.254.128.128      10.0.101.200      45
        127.0.0.0        255.0.0.0          On-link         127.0.0.1     331
        127.0.0.1  255.255.255.255          On-link         127.0.0.1     331
  127.255.255.255  255.255.255.255          On-link         127.0.0.1     331
       172.16.0.0      255.240.0.0  169.254.128.128      10.0.101.200      45
      192.168.0.0    255.255.128.0  169.254.128.128      10.0.101.200      45
    192.168.137.0    255.255.255.0          On-link     192.168.137.1     311
    192.168.137.1  255.255.255.255          On-link     192.168.137.1     311
  192.168.137.255  255.255.255.255          On-link     192.168.137.1     311
    192.168.178.0    255.255.255.0          On-link   192.168.178.222     281
  192.168.178.222  255.255.255.255          On-link   192.168.178.222     281
  192.168.178.255  255.255.255.255          On-link   192.168.178.222     281
        224.0.0.0        240.0.0.0          On-link         127.0.0.1     331
        224.0.0.0        240.0.0.0          On-link   192.168.178.222     281
        224.0.0.0        240.0.0.0          On-link     192.168.137.1     311
        224.0.0.0        240.0.0.0          On-link      10.0.101.200     291
  255.255.255.255  255.255.255.255          On-link         127.0.0.1     331
  255.255.255.255  255.255.255.255          On-link   192.168.178.222     281
  255.255.255.255  255.255.255.255          On-link     192.168.137.1     311
  255.255.255.255  255.255.255.255          On-link      10.0.101.200     291
===========================================================================
Meanwhile, all interfaces on the router have either a fixed IP address or are disabled. I do not have any virtual interfaces or bridges configured. So from where did the VPN server pick up such an address? From which router interface?
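A small troubleshooting helper, added here as an example (it is not part of the thread and not Sophos Connect code), that answers the earlier question about policy coverage programmatically: it reads the child.remote_ts selectors of the policy posted above and does a longest-prefix match over the route table above, so you can see for a given destination (for example the SNMP target) whether the policy covers it and whether the host actually routes it over the tunnel. The policy and route rows are constructed from the post, and the tunnel interface address 10.0.101.200 is an assumption taken from the route table.

```python
import ipaddress
import json

# Constructed from the policy posted above: only the fields this check needs.
POLICY_JSON = ('{"gateway": "a.b.c.d", "child": {"remote_ts": '
               '["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/17", "52.5.76.173/32"]}}')

# Constructed from the "route print" output above (destination netmask gateway interface metric).
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 192.168.178.1 192.168.178.222 25
10.0.0.0 255.0.0.0 169.254.128.128 10.0.101.200 45
10.0.101.200 255.255.255.255 On-link 10.0.101.200 291
52.5.76.173 255.255.255.255 169.254.128.128 10.0.101.200 45
172.16.0.0 255.240.0.0 169.254.128.128 10.0.101.200 45
192.168.0.0 255.255.128.0 169.254.128.128 10.0.101.200 45
192.168.178.0 255.255.255.0 On-link 192.168.178.222 281
"""
TUNNEL_IFACE = "10.0.101.200"  # assumed: the virtual IP the client received, per the table above

def policy_selectors(policy_json):
    """Remote traffic selectors (child.remote_ts) of a Sophos Connect policy as networks."""
    return [ipaddress.ip_network(ts) for ts in json.loads(policy_json)["child"]["remote_ts"]]

def selector_for(dest, selectors):
    """Most specific selector containing dest, or None when the policy does not cover it."""
    addr = ipaddress.ip_address(dest)
    hits = [n for n in selectors if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def route_for(dest, table):
    """Windows-style route selection: longest prefix wins, then the lowest metric."""
    addr = ipaddress.ip_address(dest)
    best = None
    for line in table.splitlines():
        net, mask, gateway, iface, metric = line.split()
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr not in network:
            continue
        rank = (network.prefixlen, -int(metric))  # higher rank = preferred route
        if best is None or rank > best[0]:
            best = (rank, {"network": str(network), "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
    return best[1] if best else None

def check_path(dest, policy_json=POLICY_JSON, table=ROUTE_TABLE, tunnel_iface=TUNNEL_IFACE):
    """Is dest inside the tunnel policy, and is it actually routed over the tunnel interface?"""
    selector = selector_for(dest, policy_selectors(policy_json))
    route = route_for(dest, table)
    return {"selector": str(selector) if selector else None, "route": route,
            "in_tunnel": route is not None and route["interface"] == tunnel_iface}
```

A destination that comes back with a selector but in_tunnel False points at the host routing table; one with no selector points at the policy, as in the split-tunnel case raised above.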
That IP address is the WAN IP address of the gateway you are connecting to. You will find the defined gateway in the "gateway" attribute of the policy. Please let me know if you have any questions on this.