
Always on VPN

Hello All,

I apologise if I have missed a specific format or information. I didn't see any specific sets of rules or required information.

Has anyone had success with MS Always On VPN in lieu of the in-built XG options? This is on an XG 230. I have been asked to implement this solution for my company and, after much anguish, have the two IKEv2 ports set, along with a rule for protocol 50 just in case.

It works inside the network, and a port scan shows 500 and 4500 open with the correct services. I set up some very limited DNAT rules: basically just masquerading and the services for proto 50 and ports 500 and 4500, plus currently a reflexive rule because, to be honest, I'm running out of ideas. The rest of it is fairly unrestricted while I test: any zone allowed, etc.

Any feedback would be greatly appreciated.

  • Hi  

    As per my understanding, you are trying to configure MS always-on VPN. Could you please share more details on your setup?

    Is the MS VPN behind the XG firewall, and do you want to forward ports through the XG firewall so that users can connect to the VPN from the WAN side?

    More information would help us to assist you better.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Hello  

    Thank you for your response.

    I am trying to forward the ports to the service. It is behind one of the XGs. Here is a view of the firewall rule for it. Not much to it.

    I am able to connect internally, and the external port scan appears correct. However, I am given a message about the firewall/NAT settings.

    I am sorry if I've missed something. If there is specific information please ask and I would be happy to add the correct information.

    Thank you again.

  • Hi  

    The configuration of the rule seems to be correct as per the requirement.

    Could you please disable MASQ in the VPN to LAN firewall rule and check?

    Please also try a packet capture to analyze the traffic: https://community.sophos.com/kb/en-us/123189

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi  

    OK. So I checked the setting and it didn't seem to make any noticeable difference. However, doing the packet trace surprised me a little. The status seems to be bouncing between incoming and consuming, but the strange thing is the rule ID. It should be 6; however, it is showing as 0. Perhaps there is something I don't understand here, but my understanding is that it should reflect the firewall rule.

    Source and destination are correct in the header.

    Thanks again for all your help. This has stumped me...

  • Hi  

    For testing purposes, could you please create another rule to allow all ports and verify whether it's working or not? Rule ID 0 means traffic coming from the WAN side is not able to find a specific firewall rule to move the traffic further. Please also move firewall rule 6 to the top.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
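A port scan, as in the original post, only shows that UDP 500 and 4500 answer something; it does not show that a real IKEv2 responder is reachable through the DNAT. The probe below is an added example, not code from the thread or from Sophos or Microsoft. It sends a minimal IKE_SA_INIT request to UDP 500 and, with the RFC 3948 non-ESP marker, to UDP 4500, then classifies whatever comes back. Any well-formed IKE_SA_INIT response carrying our initiator SPI proves the firewall rule and NAT are passing IKE, even if the reply is a NO_PROPOSAL_CHOSEN notify because the responder dislikes the single hard-coded proposal; silence within the timeout points at the firewall/NAT (the rule ID 0 case discussed above). The proposal (AES-256-CBC, HMAC-SHA-256, DH group 14) and the random key-exchange data are assumptions chosen for the probe; no key agreement is completed.

```python
"""Reachability probe for an IKEv2 (Always On VPN / RRAS) responder behind a NAT.

Added example, not part of the thread. Builds an IKE_SA_INIT request, sends it to
UDP 500 (plain) and UDP 4500 (with the 4-byte non-ESP marker) and classifies the
reply. Run as:  python ikev2_probe.py <public-ip-of-xg>
"""
import os
import socket
import struct

# IKEv2 header (RFC 7296 s3.1): SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKE_SA_INIT = 34
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 33, 34, 40, 41
NO_PROPOSAL_CHOSEN = 14
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: distinguishes IKE from UDP-encapsulated ESP on 4500


def _payload(next_payload, body):
    # Generic payload header: next payload, critical/reserved, length including this header.
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def _transform(ttype, tid, keylen=None, last=False):
    # Transform substructure; 0x800E is the TV-format "Key Length" attribute (type 14).
    attr = struct.pack("!HH", 0x800E, keylen) if keylen else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr


def build_ike_sa_init(spi_i):
    """Build an IKE_SA_INIT request with one proposal: AES-256-CBC / PRF-SHA256 / HMAC-SHA256-128 / MODP-2048."""
    transforms = (_transform(1, 12, keylen=256)    # ENCR_AES_CBC, 256-bit key
                  + _transform(2, 5)               # PRF_HMAC_SHA2_256
                  + _transform(3, 12)              # AUTH_HMAC_SHA2_256_128
                  + _transform(4, 14, last=True))  # DH group 14 (2048-bit MODP)
    # Proposal: last(0), reserved, length, proposal #1, protocol IKE(1), SPI size 0, 4 transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    sa = _payload(PAYLOAD_KE, proposal)
    # KE payload: DH group 14, reserved, 256 bytes of key-exchange data. Random bytes suffice for a
    # reachability probe (assumption: we never finish the exchange, so no real DH is performed).
    ke = _payload(PAYLOAD_NONCE, struct.pack("!HH", 14, 0) + os.urandom(256))
    nonce = _payload(0, os.urandom(32))
    body = sa + ke + nonce
    hdr = IKE_HEADER.pack(spi_i, bytes(8), PAYLOAD_SA, 0x20, IKE_SA_INIT,
                          FLAG_INITIATOR, 0, IKE_HEADER.size + len(body))
    return hdr + body


def parse_ike_header(data):
    """Decode the fixed 28-byte IKEv2 header into a dict."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("short IKE header")
    spi_i, spi_r, np, ver, exch, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": np, "version": ver,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


def classify_reply(request_spi_i, reply):
    """Turn a datagram received after our probe into a one-line verdict."""
    h = parse_ike_header(reply)
    if (h["spi_i"] != request_spi_i or h["exchange"] != IKE_SA_INIT
            or not h["flags"] & FLAG_RESPONSE or h["msg_id"] != 0):
        return "unexpected datagram (not an IKE_SA_INIT response to our SPI)"
    if h["next_payload"] == PAYLOAD_NOTIFY:
        # Notify payload: generic header(4) + protocol id(1) + SPI size(1) + notify type(2)
        if len(reply) < IKE_HEADER.size + 8:
            return "ikev2 responder reachable (truncated notify)"
        ntype = struct.unpack_from("!H", reply, IKE_HEADER.size + 6)[0]
        if ntype == NO_PROPOSAL_CHOSEN:
            return "ikev2 responder reachable (rejected our proposal: NO_PROPOSAL_CHOSEN)"
        return "ikev2 responder reachable (notify type %d)" % ntype
    return "ikev2 responder reachable (accepted our proposal)"


def probe(host, port, timeout=3.0):
    """Send one IKE_SA_INIT to host:port and report whether an IKEv2 responder answered."""
    spi_i = os.urandom(8)
    wire = (NON_ESP_MARKER if port == 4500 else b"") + build_ike_sa_init(spi_i)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: UDP %d dropped by a firewall/NAT, or nothing listening behind it" % port
    if port == 4500:
        if not data.startswith(NON_ESP_MARKER):
            return "reply on 4500 lacks the non-ESP marker (not IKE NAT-T)"
        data = data[4:]
    return classify_reply(spi_i, data)


if __name__ == "__main__":
    import sys
    for p in (500, 4500):
        print(p, probe(sys.argv[1], p))
```

Run it from a host on the WAN side against the XG's public address. If both ports report a reachable responder but the Windows client still fails with a firewall/NAT message, IKE itself is getting through and the problem lies in the rest of the path; one well-known Windows requirement worth checking in that situation is that a client or server sitting behind a NAT needs the PolicyAgent registry value AssumeUDPEncapsulationContextOnSendRule set (2 when both ends may be behind NAT), which is a general Windows IPsec NAT-T caveat and not something the thread itself established.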
