Sophos Connect with XG v18

I'm having trouble setting up Sophos Connect on a fresh install of XG v18. I had it working with v17.5. I get the error: IKE UDP port seems blocked, no response from the gateway.

The instructions I've followed are here:

https://community.sophos.com/kb/en-us/133109

Assigned IP range is outside LAN IP range.

From SCVPN.log

2020-03-12 01:01:32PM [14616] dbg SophosVPN VPN state changed to connecting
2020-03-12 01:01:32PM [14616] dbg Starting tunnel (connecting)
2020-03-12 01:01:32PM [14616] dbg Connection to strongSwan has been established
2020-03-12 01:01:34PM [14616] dbg Sending notification: The IKE UDP port seems to be blocked
2020-03-12 01:01:35PM [14616] dbg Initiating connection SophosVPN
2020-03-12 01:01:35PM [12160] dbg IKE being initiated to IP address xxxx
2020-03-12 01:01:57PM [14616] err Tunnel initiate to xxxx failed: 1036 - No response from gateway: xxxx
2020-03-12 01:01:57PM [14616] dbg Unloading configuration for connection SophosVPN
2020-03-12 01:01:58PM [14616] dbg Connection to strongSwan has been closed
2020-03-12 01:01:58PM [14616] dbg SophosVPN VPN state changed to reconnecting
2020-03-12 01:01:58PM [14616] dbg Sending notification: No response from gateway: xxxx

Gateway IP matches the WAN IP.

What have I screwed up?



  • Could you log into the shell (Advanced shell - 5 - 3) and run 'tcpdump -ni any port 500'?

    Reconnect and verify that packets are arriving.

    If not, something between SC and XG is blocking.

  • I can see packets arriving:

    15:02:26.251895 Port1_ppp, IN: IP 92.40.168.73.53177 > xxx.xxx.xxx.xxx.500: isakmp: phase 1 I ident
    15:02:26.254225 Port1_ppp, OUT: IP xxx.xxx.xxx.xxx.500 > 92.40.168.73.53177: isakmp: phase 1 R ident

    Anything else I should check?
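The tcpdump check discussed above, as an added example that is not part of the original thread or of any Sophos tooling: a Python sketch that reads saved `tcpdump -ni any port 500` output in the layout shown in the thread and reports, per remote peer, whether an IKE request came in and whether the gateway sent a reply. It goes slightly beyond the thread by also flagging requests that got no reply; the function names, verdict labels and sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Line layout as shown in the thread's `tcpdump -ni any port 500` output:
# "<time> <iface>, IN|OUT: IP <src>.<sport> > <dst>.<dport>: isakmp: <details>"
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+\S+,\s+(?P<dir>IN|OUT):\s+IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+isakmp:"
)
NEW_RECORD = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s")

# Constructed sample (documentation addresses); the first two records are
# wrapped mid-word the way an 80-column terminal paste wraps them.
SAMPLE = """\
10:00:01.100000 Port1_ppp, IN: IP 198.51.100.7.53177 > 203.0.113.1.500: isakm
p: phase 1 I ident
10:00:01.102000 Port1_ppp, OUT: IP 203.0.113.1.500 > 198.51.100.7.53177: isak
mp: phase 1 R ident
10:00:05.000000 Port1_ppp, IN: IP 198.51.100.99.500 > 203.0.113.1.500: isakmp: phase 1 I ident
"""

def unwrap(text):
    """Rejoin records that the terminal split across two lines."""
    records = []
    for raw in text.splitlines():
        if NEW_RECORD.match(raw.lstrip()):
            records.append(raw.lstrip())
        elif raw.strip() and records:
            records[-1] += raw.strip()
    return records

def diagnose(text):
    """Map each remote peer to 'answered', 'unanswered' or 'outbound-only'."""
    seen = defaultdict(lambda: {"IN": 0, "OUT": 0})
    for rec in unwrap(text):
        m = LINE.match(rec)
        if m:
            # The remote peer is the source of IN packets, the destination of OUT.
            side = ("src", "sport") if m["dir"] == "IN" else ("dst", "dport")
            seen[f"{m[side[0]]}:{m[side[1]]}"][m["dir"]] += 1
    if not seen:
        return {"*": "none-seen"}  # nothing reached UDP 500 on the gateway
    return {
        peer: "answered" if c["IN"] and c["OUT"]
        else "unanswered" if c["IN"] else "outbound-only"
        for peer, c in seen.items()
    }

if __name__ == "__main__":
    for peer, state in diagnose(SAMPLE).items():
        print(f"{peer:24} {state}")
```

Run against the two packets posted in the thread, the peer is classed as `answered`: the gateway received the phase 1 request and sent a phase 1 reply.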