Always on VPN

Question

Hello All, 
 
 I apologise if I have missed a specific format or information. I didn't see any specific sets of rules or required information. 
 
 Has anyone had success with MS Always on VPN in lieu of the in-built XG options? This is on an XG 230. I have been asked to implement this solution for my company and have the two ports for IKEv2 set along with a rule for protocol 50 just in case after much anguish. 
 
 It works in the network and a port scan shows 500 and 4500 having the correct services on an open port. I setup some DNAT rules very limited. Basically just masquerading and the services for proto 50, ports 500 and 4500, also currently a reflexive rule as to be honest I'm running out of ideas. The rest of it is fairly unrestricted as I test. Any zone allowed etc. 
 
 Any feedback would be greatly appreciated.

Keyur · Accepted Answer

Hi Om3n

The configuration for the rule seems to be correct as per requirement.

Could you please disable the MASQ in VPN to LAN firewall rule and check?

Please also try packet capture to analyze the traffic- https://community.sophos.com/kb/en-us/123189

Keyur · Answer

Hi Om3n

For the testing purpose, Could you please create another rule to allow all ports and verify whether it's working or not? Rule ID 0 means traffic coming from the WAN side is not able to find the specific firewall rule to move the traffic further, Please also move the firewall Rule 6 on top.

Om3n · Answer

Hi Keyur 
 Thanks a lot for all your assistance. I was able to find resolution this morning. After your last post I went back and looked at the rule. Setting the destination/service to the external WAN did the trick. 
 
 I feel a little embarrassed after seeing this and after applying the change everything seems to be working great. 
 
 Thanks again and I hope you have a great day. :)