

Always on VPN

Hello All,

I apologise if I have missed a specific format or information. I didn't see any specific sets of rules or required information.

Has anyone had success with MS Always On VPN in lieu of the in-built XG options? This is on an XG 230. I have been asked to implement this solution for my company and, after much anguish, have the two ports for IKEv2 set along with a rule for protocol 50 just in case.

It works in the network, and a port scan shows 500 and 4500 having the correct services on an open port. I set up some very limited DNAT rules: basically just masquerading and the services for proto 50 and ports 500 and 4500, plus currently a reflexive rule because, to be honest, I'm running out of ideas. The rest of it is fairly unrestricted as I test: any zone allowed, etc.

Any feedback would be greatly appreciated.

  • Hi  

    OK. So I checked the setting and it didn't seem to make any noticeable difference. However, doing the packet trace surprised me a little. It seems to be bouncing between incoming and consuming for the status, but the strange thing is the rule ID. It should be 6, however it is showing as 0. Perhaps there is something I don't understand here, but my understanding is it should reflect the firewall rule.

    Source and destination are correct in the header.

    Thanks again for all your help. This has stumped me...

  • Hi  

    For testing purposes, could you please create another rule to allow all ports and verify whether it's working or not? Rule ID 0 means traffic coming from the WAN side is not able to find a specific firewall rule to move the traffic further. Please also move firewall rule 6 to the top.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hi  

    Thanks a lot for all your assistance. I was able to find a resolution this morning. After your last post I went back and looked at the rule. Setting the destination/service to the external WAN did the trick.

    I feel a little embarrassed after seeing this, and after applying the change everything seems to be working great.

    Thanks again and I hope you have a great day. :)
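
The "rule ID 0" reading in the packet trace above, and the fix that followed, are easier to reason about with a small first-match rule evaluator. The block below is an added example for this thread, not Sophos code, and it does not reproduce the real SFOS evaluation order. The rule number, the addresses (203.0.113.10 as the firewall's WAN address, 10.0.0.0/24 as the internal subnet hosting the RRAS server, 198.51.100.7 as the remote client) and the assumption that the firewall rule's destination is compared against the packet's original destination as it arrives on the WAN interface are all illustrative.

```python
"""Simplified first-match firewall rule evaluator.

Added example for this thread (not Sophos code). It models why an inbound
IKEv2 packet can be reported with rule ID 0 (no matching firewall rule) and
why pointing the rule's destination at the WAN address makes it match.
Addresses and rule numbers are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
import ipaddress

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Service:
    proto: str                  # "udp", "tcp" or "esp"
    port: Optional[int] = None  # None for port-less protocols such as ESP


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src_zone: str
    src_net: IPv4Net
    dst_net: IPv4Net
    services: Optional[FrozenSet[Service]]  # None means "any service"


@dataclass(frozen=True)
class Packet:
    in_zone: str                # zone of the interface the packet arrived on
    src: IPv4Addr
    dst: IPv4Addr               # original destination before any DNAT (assumption)
    proto: str
    dport: Optional[int] = None


# The three flows Always On VPN over IKEv2 needs to reach the VPN server.
IKEV2_SERVICES: FrozenSet[Service] = frozenset({
    Service("udp", 500),    # IKE
    Service("udp", 4500),   # IKE and ESP encapsulated in UDP (NAT-T)
    Service("esp"),         # IP protocol 50, used only when no NAT is in the path
})

ANY = ipaddress.ip_network("0.0.0.0/0")
WAN_HOST = ipaddress.ip_network("203.0.113.10/32")  # firewall's external address (illustrative)
LAN_NET = ipaddress.ip_network("10.0.0.0/24")       # subnet hosting the RRAS server (illustrative)
CLIENT = ipaddress.ip_address("198.51.100.7")       # remote Always On VPN client (illustrative)


def service_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule with services=None allows everything; otherwise the packet's
    protocol must be listed and, for protocols with ports, the port must match."""
    if rule.services is None:
        return True
    return any(
        svc.proto == pkt.proto and (svc.port is None or svc.port == pkt.dport)
        for svc in rule.services
    )


def match_rule(rules: List[Rule], pkt: Packet) -> int:
    """Walk the rule table top to bottom and return the first matching rule ID.
    0 means no rule matched, which is how the packet trace in this thread
    reported the IKEv2 traffic."""
    for rule in rules:
        if rule.src_zone != pkt.in_zone:
            continue
        if pkt.src not in rule.src_net or pkt.dst not in rule.dst_net:
            continue
        if service_matches(rule, pkt):
            return rule.rule_id
    return 0


def ikev2_rule(dst_net: IPv4Net, rule_id: int = 6) -> Rule:
    """WAN -> IKEv2 services rule; only the destination differs between the
    broken and the working configuration discussed above."""
    return Rule(rule_id, "WAN", ANY, dst_net, IKEV2_SERVICES)


def allow_all_test_rule(rule_id: int = 99) -> Rule:
    """The temporary 'allow everything from WAN' rule suggested for diagnosis."""
    return Rule(rule_id, "WAN", ANY, ANY, None)


def diagnose(rules: List[Rule]) -> Dict[str, int]:
    """Rule ID hit by each IKEv2 flow from the client, plus an unrelated
    TCP/443 probe that a correctly scoped rule must not admit."""
    wan_ip = WAN_HOST.network_address
    probes = {
        "udp/500":  Packet("WAN", CLIENT, wan_ip, "udp", 500),
        "udp/4500": Packet("WAN", CLIENT, wan_ip, "udp", 4500),
        "esp":      Packet("WAN", CLIENT, wan_ip, "esp"),
        "tcp/443":  Packet("WAN", CLIENT, wan_ip, "tcp", 443),
    }
    return {name: match_rule(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    print("rule 6, destination = LAN subnet :", diagnose([ikev2_rule(LAN_NET)]))
    print("rule 6, destination = WAN address:", diagnose([ikev2_rule(WAN_HOST)]))
    print("allow-all on top, then rule 6    :",
          diagnose([allow_all_test_rule(), ikev2_rule(LAN_NET)]))
```

Run as a script it prints the rule hit by each of the three IKEv2 flows (UDP 500, UDP 4500, ESP) plus an unrelated TCP/443 probe, once with the rule's destination set to the internal subnet (every flow reports rule 0, as in the trace above) and once with it set to the WAN address (the IKEv2 flows hit rule 6 while TCP/443 still gets 0). The temporary "allow all ports" rule suggested for diagnosis is modelled by allow_all_test_rule(): placed on top it catches everything, which is exactly why it is a useful test and why it should not stay in place.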

  • Hi  

    Thank you for your response and for sharing the resolution; more importantly, the issue got resolved.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support