Microsoft RRAS behind XG135 (VPN Pass-through) not working

Question

Hi, 
 
 I'm trying to setup a M$ RRAS connection to a server on the LAN behind a XG135 without success! 
 Have setup a Business application rule using the DNAT template as follows: 
 
 after having read this: https://www.reddit.com/r/sophos/comments/7gphny/vpn_passthrough/ 
 but when I try to connect using the M$ vpn client from a machine via the WAN the connection fails. 
 
 Have I missed something? 
 Any help or advice or next steps to resolve appreciated. 
 BR.

Keyur · Accepted Answer

Hi Julian Robinson

The configuration seems to be correct but you may refer the article - https://community.sophos.com/kb/en-us/122976

Please forward all relevant ports/services for IPsec and L2TP VPN in business application rule, Port numbers 4500, 500, 1701 - https://blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/

Regards,

Julian Robinson · Answer

Hi Keyur 
 Thanks for the steer which helped me fix this issue. 
 For completeness and the benefit of others her is what I needed to do to get it working: 
 In addition to adding GRE, ESP and L2TP in the Destination & Services -> Services window I also needed to add a custom service (which I called RRAS) as follows: 
 
 After adding the above, saving and re-testing the built-in Microsoft VPN client connects OK. 
 Thansk again for your help!

wilspin · Answer

On XG Virtual 17.5 this does not work. Tested on RRAS first made sure it was working then put XG in front. 
 First of all you do NOT need ESP, GRE or port 1723 for L2VPN, just 500, 4500 and 1701 all UDP. 
 service IKE covers the first 2 ports and l2tp the third. But first rule did not work. Then I made separate rules for each service and BOOM working. 
 port 1723 is for PPTP only and may require GRE so i would think you swap out the 2 services but i did not test.