
Is it possible to use the Client Authentication Agent through an IPSec VPN tunnel

Hi All,

I have forwarded all traffic from branch to HQ over an IPsec VPN.

Is it possible to use the Client Authentication Agent through the IPSec VPN tunnel at branch?

I have disabled LAN client authentication at the branch and enabled VPN client authentication at HQ,

but authenticating users from branch to HQ failed...


I know UTM can do that. 

https://community.sophos.com/kb/en-us/117625

Is it possible at Sophos XG?


Shunze



    1. I have forwarded all traffic from branch to HQ.
      So the magic IP should be forwarded to HQ too.

    2. The branch office uses XG's Wi-Fi too, controlled by the branch's XG.
      So the magic IP should stop at the branch's XG.

    These two conflict with each other.

    Is it possible to resolve the issue?

  • Hi,

    It will not create a conflict, as CAA uses 1.2.3.4 on port 9922 while Wi-Fi uses 1.2.3.4 on port 2712.

    So packets will be routed correctly based on the destination port bound to 1.2.3.4.

    Please ensure that "Client Authentication" is on under Appliance access settings over VPN zone. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi, 

    I already did that, but it doesn't work.

    HQ IPsec

    Branch IPsec

    HQ

    Branch

    Traffic to 1.2.3.4 does pass through the IPsec tunnel (tunnel IP 10.81.234.6),

    but authentication from branch fails.

    No entries can be found in HQ's authentication log...

     

    Shunze

  • Hi,

    As updated by , please add the magic IP to the tunnel subnets as well.

    On the BO end, along with 10.1.1.52/32, add 1.2.3.4/32 to the local network, and vice versa on the HO end; then bring the tunnel up and verify the status.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Are you sure??

    The magic IP for branch users should be forwarded to HQ.

    Add the magic IP to the branch local network?

    I think you are wrong!

  • Hi,

    Yes, you are correct; please ignore the last comment on adding the magic IP over IPsec, as that is not needed.

    I have checked a setup similar to yours in my lab and have confirmed the details below.

    BO XG IPSec SA:

    HO XG IPSec SA:



    BO XG Authentication Agent settings:

    HO XG Authentication Agent settings:




    BO XG will not forward 1.2.3.4 traffic over IPsec to HO XG, as BO XG listens for that traffic on port 9922. So BO will consider the request to be for the BO firewall itself even though the authentication agent is off on all zones, and it will take no further action on that packet since we have not enabled the authentication agent on BO.

    To confirm this further, I stopped the authentication service on BO XG and checked again; however, the iptables chains for 1.2.3.4 still remain present on BO XG with the authentication service off, and for that reason magic IP traffic to 1.2.3.4 will be intercepted by the BO XG device only. So CAA will not work with the setup you would like to achieve.

    Workaround:

    I have checked login via the captive portal; it is working, and the user is reflected under live users.

    Manually access the captive portal from a BO machine to check login.

    User reflected on HO under live users with the BO system IP.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

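The explanation above (the branch XG keeps intercept chains for 1.2.3.4 even with its authentication service stopped, so the CAA probe never enters the tunnel) can be made concrete with a small packet-path model. This is an added illustration for this thread, not Sophos code or configuration: each firewall is an ordered, first-match rule list in which local intercept rules for the magic IP are consulted before the IPsec forwarding rule. The magic IP 1.2.3.4, CAA port 9922, wireless port 2712 and the branch host 10.1.1.52 come from the thread; the HQ XG LAN address 10.0.0.1, the branch AP address 10.1.1.10 and captive portal port 8090 are assumptions for the example.

```python
"""Model of why a CAA probe to the magic IP dies at the branch firewall.

Added illustration, not Sophos code.  Each firewall evaluates rules top to
bottom, first match wins, with local INTERCEPT rules ahead of FORWARD rules,
mirroring the iptables chains for 1.2.3.4 that remain on the branch XG.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

MAGIC_IP = "1.2.3.4"
CAA_PORT = 9922          # Client Authentication Agent (from the thread)
WIFI_PORT = 2712         # XG wireless controller (from the thread)
PORTAL_PORT = 8090       # assumed captive portal port for this example
HQ_XG_LAN_IP = "10.0.0.1"   # assumed HQ firewall LAN address
BRANCH_CLIENT = "10.1.1.52"  # branch host from the thread
BRANCH_AP = "10.1.1.10"      # assumed branch access point address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    dst_net: str
    action: str                    # "INTERCEPT" = handled locally, "FORWARD" = next hop
    dport: Optional[int] = None
    service: Optional[str] = None  # local service that answers an INTERCEPT

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class Firewall:
    name: str
    rules: list                    # evaluated top to bottom, first match wins
    enabled_services: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> tuple:
        """Return (verdict, detail) for this hop."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "FORWARD":
                return ("FORWARD", rule.name)
            # Intercepted: the packet never leaves this box.  It is answered only
            # if the owning service is enabled here; otherwise it is silently eaten.
            if rule.service in self.enabled_services:
                return ("ANSWERED", f"{self.name}/{rule.service}")
            return ("DROPPED", f"{self.name} intercepts {rule.name} but {rule.service} is off")
        return ("DROPPED", f"{self.name} has no matching rule")


def magic_ip_rules() -> list:
    """Intercept chains every XG keeps for the magic IP, regardless of agent state."""
    return [
        Rule("caa-magic", f"{MAGIC_IP}/32", "INTERCEPT", CAA_PORT, "caa"),
        Rule("wifi-magic", f"{MAGIC_IP}/32", "INTERCEPT", WIFI_PORT, "wifi"),
    ]


def build_site() -> list:
    """Branch XG (all traffic forwarded over IPsec) in front of the HQ XG."""
    branch = Firewall("BO-XG",
                      magic_ip_rules() + [Rule("ipsec-to-hq", "0.0.0.0/0", "FORWARD")],
                      enabled_services={"wifi"})              # CAA disabled at branch
    hq = Firewall("HO-XG",
                  magic_ip_rules() + [Rule("portal", f"{HQ_XG_LAN_IP}/32",
                                           "INTERCEPT", PORTAL_PORT, "portal")],
                  enabled_services={"caa", "wifi", "portal"})  # CAA enabled on VPN zone
    return [branch, hq]


def trace(path: list, pkt: Packet) -> list:
    """Walk the packet hop by hop, stopping at the first hop that does not forward."""
    log = []
    for fw in path:
        verdict, detail = fw.handle(pkt)
        log.append(f"{fw.name}:{verdict}:{detail}")
        if verdict != "FORWARD":
            break
    return log


def final_verdict(path: list, pkt: Packet) -> str:
    return trace(path, pkt)[-1].split(":")[1]


if __name__ == "__main__":
    site = build_site()
    for pkt in (Packet(BRANCH_CLIENT, MAGIC_IP, CAA_PORT),       # CAA probe from branch
                Packet(BRANCH_AP, MAGIC_IP, WIFI_PORT),          # branch AP to its controller
                Packet(BRANCH_CLIENT, HQ_XG_LAN_IP, PORTAL_PORT)):  # captive-portal workaround
        print(pkt, "->", " | ".join(trace(site, pkt)))
```

Running it shows the three outcomes the thread describes: the CAA probe is intercepted and dropped on BO-XG without ever reaching the tunnel, the Wi-Fi controller traffic is answered locally at the branch as intended, and a packet to the HQ firewall's own routable address is forwarded over IPsec and answered there, which is why the captive portal works where the agent does not.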

  • Hi Vishal_R,

    I know the web portal works, and STAS works too.

    But the client wants to use the CAA to restrict the way users are identified.

    Only users that have the CAA agent can complete verification.

    Other users without the agent will be considered guests and can't access the DMZ zone in HQ.


    Anyway, thanks for your information.

    Shunze