Sophos XG v18MR3 SophosConnect v2. Problems with IPv6 and DNS

Hello all,

thank you for reading and hopefully someone has an answer or a workaround. We have a problem with DNS resolution on Sophos Connect VPN clients.

If someone is connected with our VPN profile and has IPv6 enabled on the network interface, sometimes the computer tries to resolve the DNS requests (e.g. network drives, terminal server) via IPv6, and so the router in the user's home office does the resolution. So there is no DNS at all, because the Connect client only establishes a v4 tunnel to the firewall and to the DNS server given in the Sophos Connect configuration.

We have used SonicWall VPN beforehand and never had a problem with such errors.

Thank you for every reply and piece of information I get!

Friendly regards,

D.Goese

[edited by: emmosophos at 5:14 PM (GMT -7) on 23 Sep 2022]
  • Have a look at Network on the left nav bar in XG, then the DNS tab, and see what your DNS options are set to in regards to IPv4 & IPv6. I set mine to prefer IPv4. Maybe the same will help you in this situation too?

    Also, don't forget XG has separate rules for IPv4 and IPv6, so if you require routing IPv6 past XG to your LAN then an IPv6 rule would be required on top of the IPv4 rules?? But that's only for IPv6 traffic; DNS is answered according to those DNS options I mentioned above??

    JK

    [edited by: john_kenny at 11:33 AM (GMT -8) on 10 Dec 2020]
  • Hello John,

    thank you for your answer. I did change the DNS query configuration setting after your reply.

    Is it so that even IPv6 packets get routed via the IPsec (Sophos Connect) tunnel? Or do they get sent to the home office's router?

    Because that is what it seems: I can ping IPv4 addresses in our network, and as soon as I try to ping server hostnames the ping stops.

    We do not use IPv6 in our company network, so rules for IPv6 do not exist.

    Greetings,

    D. Goese

  • Pinging from VPN clients will depend on whether you're using a Split Tunnel VPN config or tunnelling all traffic via VPN?? I use the former and I have my internal domain name set in my Connect config. That way, to ping hosts on the LAN side of XG you would require the full FQDN, as the suffix for the domain name would route the traffic in the direction of the LAN side of the XG instance??

    Also, what IPs do you have set on the VPN Connect tab?

    Those need to be pointing at your XG instance IP on the VPN subnet if you're using XG as your forwarder, or at your internal DNS forwarder IPs if you're using domain DNS servers as forwarder?

    Another setting you will need for XG to answer DNS / pings is this on Administration - Device access: -

    Have you tried that full FQDN pinging?

    Also go over this help page without missing anything as it definitely works: -

    docs.sophos.com/.../VPNSophosConnectClient.html

    JK

  • We have a tunnel-all profile and have set the IP addresses of our internal DNS servers in the Sophos Connect tab. These DNS servers point to an external DNS server for everything not related to our domain.

    According to the Sophos documents everything seems to be fine with our configuration.

    I can ping DNS names even without using the full domain name; that's why we use our internal DNS server as DNS for Sophos Connect.

    I can also open nslookup and type in the IP address, which gets resolved to a DNS name, but if I type in the DNS name it does not get resolved.

    The error stops as soon as I disable IPv6 on the network interface of WiFi/LAN.

  • Ok, so you're using the tunnel default config. Is your firewall rule for VPN to LAN zones set up with a valid / linked NAT rule for non-MASQ source valid??

    Remember what I said regarding firewall rules on XG: IPv4 and IPv6 have their own separate rules needed, depending on what you're using. The same applies for NAT rules too, so maybe your IPv6 rules are not set up right; maybe clone your IPv4 rules in the IPv6 rules list??

    Sorry, I've never touched anything relating to IPv6, so this might be something other than your VPN setup then??

    Also, what do you mean by "type it in the DNS that doesn't resolve"??

    JK
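
An added client-side diagnostic for the symptom D. Goese describes above (names resolve only once IPv6 is disabled on the Wi-Fi/LAN adapter); this is not code from the thread or from Sophos. It lists adapters that still bind IPv6 or carry IPv6 DNS servers, the path that can answer a query before the IPv4-only tunnel resolver, and compares resolving an internal hostname via the tunnel DNS server with the system default. `$TunnelDns` and `$InternalHost` are constructed placeholders.

```powershell
# Added diagnostic, not code from the thread or from Sophos. Run in an elevated
# PowerShell on the VPN client while the Sophos Connect tunnel is up.
# $TunnelDns and $InternalHost are constructed placeholders; substitute your own.
param(
    [string]$TunnelDns    = '10.0.0.10',               # internal DNS IP from the Sophos Connect tab (placeholder)
    [string]$InternalHost = 'fileserver.corp.example'  # constructed internal hostname
)

# 1. Adapters that are up and still have the IPv6 stack (ms_tcpip6) bound.
$v6Bound = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    Get-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 | Where-Object { $_.Enabled }
}
Write-Host 'Adapters with IPv6 bound:'
$v6Bound | Select-Object Name, ComponentID | Format-Table -AutoSize

# 2. Adapters carrying IPv6 DNS servers (learned via DHCPv6/RA from the home router).
#    Any of these can answer a query before the IPv4-only tunnel resolver does.
$v6Dns = Get-DnsClientServerAddress -AddressFamily IPv6 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
Write-Host 'Adapters with IPv6 DNS servers (can bypass the VPN resolver):'
$v6Dns | Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 3. Resolve the internal name directly at the tunnel DNS server, then via the normal
#    client path. Success on the first and failure on the second means the query is
#    leaving through a local (IPv6) resolver instead of the tunnel.
function Test-Resolution {
    param([string]$Name, [string]$Server)
    $params = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $params['Server'] = $Server }
    try {
        $a = Resolve-DnsName @params | Where-Object { $_.Type -eq 'A' }
        return ($a.IPAddress -join ', ')
    } catch {
        return "FAILED: $($_.Exception.Message)"
    }
}
Write-Host ("{0} via tunnel DNS {1}: {2}" -f $InternalHost, $TunnelDns, (Test-Resolution $InternalHost $TunnelDns))
Write-Host ("{0} via system default: {1}" -f $InternalHost, (Test-Resolution $InternalHost))

# Equivalent of the workaround reported in the thread (disable IPv6 on the local adapter):
#   Disable-NetAdapterBinding -Name '<adapter name>' -ComponentID ms_tcpip6
```

Seeing the internal name resolve against `$TunnelDns` but fail via the default path, while step 2 lists an IPv6 resolver on the Wi-Fi/LAN adapter, reproduces the thread's failure mode without guessing.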