Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Public IP address needed in override hostname?

Hello Sophos community,

I bought a Sophos XG 106 for home use and to learn more about internet security. 

But now, I have a question about the VPN access from : https://community.sophos.com/kb/en-us/122769

I followed all steps but I was wondering what I have to type in the "override hostname" field?

Do i need to add here my public IP from my internet isp?

Cause when i try to connect with the vpn client I see this in the logs : 

Wed Dec 18 12:07:12 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
Wed Dec 18 12:07:12 2019 MANAGEMENT: >STATE:1576667232,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:22 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:27 2019 MANAGEMENT: >STATE:1576667247,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:37 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:42 2019 MANAGEMENT: >STATE:1576667262,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:52 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:57 2019 MANAGEMENT: >STATE:1576667277,TCP_CONNECT,,,,,,

So I can't seem to connect to my firewall through vpn, but i have no clue what's wrong with my current config.

Thanks a lot

regards

Frederiek



This thread was automatically locked due to age.
Parents Reply Children
  • I mean this firewall rule like described on the KB

     

  • FormerMember
    0 FormerMember in reply to Frederiek Pascal

    Hi Frederiek Pascal,

    You have to forward port 8443 from your ISP device to firewall's WAN interface IP address. By default port 8443 is open on firewall if you have SSL VPN remote VPN configured. 

    In your case the firewall is behind ISP modem and has no direct access to the internet so you have to follow that extra step. 

    Thanks,

  • thanks for your answer!

    which extra step do you mean?

    My configuration is an ISP modem (where the router function is disabled), than my sophos and than my access points for wifi.

  • 84.197.138.2:8443 port is open

    still i got this error :

     

    Thu Dec 19 09:10:55 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Thu Dec 19 09:10:55 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Thu Dec 19 09:10:55 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Thu Dec 19 09:10:55 2019 Need hold release from management interface, waiting...
    Thu Dec 19 09:10:56 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Thu Dec 19 09:10:56 2019 MANAGEMENT: CMD 'state on'
    Thu Dec 19 09:10:56 2019 MANAGEMENT: CMD 'log all on'
    Thu Dec 19 09:10:56 2019 MANAGEMENT: CMD 'hold off'
    Thu Dec 19 09:10:56 2019 MANAGEMENT: CMD 'hold release'
    Thu Dec 19 09:11:10 2019 MANAGEMENT: CMD 'username "Auth" "xxxxxxx"'
    Thu Dec 19 09:11:10 2019 MANAGEMENT: CMD 'password [...]'
    Thu Dec 19 09:11:10 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Thu Dec 19 09:11:10 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
    Thu Dec 19 09:11:10 2019 MANAGEMENT: >STATE:1576743070,TCP_CONNECT,,,,,,
    Thu Dec 19 09:11:20 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Thu Dec 19 09:11:25 2019 MANAGEMENT: >STATE:1576743085,TCP_CONNECT,,,,,,
    Thu Dec 19 09:11:35 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Thu Dec 19 09:11:40 2019 MANAGEMENT: >STATE:1576743100,TCP_CONNECT,,,,,,
    Thu Dec 19 09:11:50 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Thu Dec 19 09:11:55 2019 MANAGEMENT: >STATE:1576743115,TCP_CONNECT,,,,,,
    Thu Dec 19 09:12:05 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.

     

    anybody? :D 

  • Is the ip of subnet ok? 

    these are my dhcp settings btw 

     

    and the vpn firewall rule is on top

     

  • Hi,

     

    First, is your ISP router in bridge? Are you authentication with XG? If it isn't, then you will need to create a DMZ zone to your XG, or port foward to it, or if Yes then see below.

     

    Your configuration seems fine, just remember to do this before:

    1) If there's any need, Allow VPN access to WAN on the Rules.

    2) Since It's home usage, use a domain as hostname instead of IP, you can even use Sophos DDNS for this.

    3) Change the IPV4 Lease Range for something more sane.

    4) In SSL VPN don't forget to put the XG or your DNS server IP in the settings.

    5) There's no need to open any port in the Firewall Rules, It open automaticaly when you create a SSL VPN Server.

     

    And at last, the error your getting, "The system tried to join a drive to a directory on a joined drive." Is known in Sophos UTM, some people had lucky changing the SSL VPN port.

    Also you can use UDP instead of TCP if you need a bit more throughput.

     

    After you connect to the VPN, don't forget to enable anything that you find necessary for it, such as allow the use of Web Proxy, DNS, or authentication methods in Administration => Device Access.

     

    Thanks,


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • FormerMember
    0 FormerMember in reply to Frederiek Pascal

    Hi Frederiek Pascal,

    You would have to forward 8443 port from your ISP equipment to WAN interface of the firewall. 

    Thanks,

     

  • This already done

    84.197.138.2:8443 port is open

    still not working.... 

  • I did all what you asked and still it's not working, i got this error : 

     

    Sun Dec 22 13:24:27 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Sun Dec 22 13:24:27 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Sun Dec 22 13:24:27 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun Dec 22 13:24:27 2019 Need hold release from management interface, waiting...
    Sun Dec 22 13:24:27 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun Dec 22 13:24:27 2019 MANAGEMENT: CMD 'state on'
    Sun Dec 22 13:24:27 2019 MANAGEMENT: CMD 'log all on'
    Sun Dec 22 13:24:27 2019 MANAGEMENT: CMD 'hold off'
    Sun Dec 22 13:24:27 2019 MANAGEMENT: CMD 'hold release'
    Sun Dec 22 13:24:43 2019 MANAGEMENT: CMD 'username "Auth" "frederiekpascal"'
    Sun Dec 22 13:24:43 2019 MANAGEMENT: CMD 'password [...]'
    Sun Dec 22 13:24:43 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun Dec 22 13:24:43 2019 MANAGEMENT: >STATE:1577017483,RESOLVE,,,,,,
    Sun Dec 22 13:24:43 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
    Sun Dec 22 13:24:43 2019 MANAGEMENT: >STATE:1577017483,TCP_CONNECT,,,,,,
    Sun Dec 22 13:24:53 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Sun Dec 22 13:24:58 2019 MANAGEMENT: >STATE:1577017498,RESOLVE,,,,,,
    Sun Dec 22 13:24:58 2019 MANAGEMENT: >STATE:1577017498,TCP_CONNECT,,,,,,

     

    I do have a question about something which is not clear for me.

     

    In the KB they mention this : 

     

    Defining local subnet and remote SSL VPN range

    Go to Hosts and Services > IP Host and define the local subnet behind Sophos Firewall.

     

    My question, the subnet you have to define, is that the current subnet you are using on your network? 

    I mean my ip is 192.168.0.66 at this moment, so the subnet is have to add in this section is 192.168.0.0?