How to allow clients to authenticate on STAS over a IpSec VPN

Hi techblue

Thank you for reaching out to the community, On STAS you can verify under "Sophos Appliance" Field edit and check whether "Enable Subnet based filter" is applied or not as per the below snapshot reference 

Thanks and Regards

Hi Bharat J

I did like the snapshot I've just sent, but nothing has changed. The HO Firewall keeps picking the user IP 192.168.1.1 :/

What else should I review? 

This is really driving me crazy.

Thank you.

Hi techblue 

Please share the current firmware version running on Sophos XG 

Thanks and Regards

It's everything running well. I have my local users using STAS for many years. The STAS on AD Server gets the IP 192.168.1.1 and not the workstation IP from Branch Office. We have tried even connecting through CAA on BO, but stil HO gets IP 192.168.1.1. Sophos Firewall from BO won't appear in STAS as well.

SFOS 17.5.17 MR-17-Build837

Would suggest get this thoroughly investigated with Sophos support !! techblue

techblue between SFOS 17.5.17 MR-17-Build837 is declared EoL 30-NOV-2021* 

Hi Vivek Jagad

I'm aware of that since last year. I want to set this because the BO has only 4 computers and Sophos XGS 87 is expensive compared to Sophos XG 85. I don't want to make a high investiment in a hardware to use only for 4 computers in the branch office. Do you get it?

As I have a licensed Sophos XG 115 with verson (SFOS 19.0.0 GA-Build317) on Head Office I would like to change this scenario like I said before.

I want the Branch Office users getting internet access over IPSec VPN Tunnel from Head Office. This is happing now, however only through captive portal. If possible I'd like to make it work through CAA at least. That'll work very well for me.

Thanks & Regards

Hello techblue,

I understand. But after August 17, 2022 (this is the end of support date) you'll no longer be able to get the support assistance. 
So, just wanted to ensure you have the right information. 

And regarding the CAA, what is the error you are receiving?

I see. Thank you for the information.

In regards to CAA, I don't receiving any error. The CAA connects correctly in BO and the user appears in "Current Activties". However it doesn't get internet conection from HO. It is like the HO's firewall won't "see" this connection coming from BO. Understand me?

Does it work or should I missing some configuration?

What do I need to do so Branch Office's Firewall will send CAA user information to HO? I need to match user in the firewall rule because I have more than one web policy for the users.

Thanks & Regards.

Hey techblue, So you mean user authenticates fine it just does not get internet access right ? So the IPsec is full tunnel or limited to the LAN subnets ? And do you have a rule in place in HO VPN to WAN ?

'll share with you the settings.

This is my BO:

192.168.1.11 is my Active Directory

192.168.5.1 is my Branch Office firewall's gateway

192.168.5.20 is the workstation 

192.168.1.1= Head Office Firewall's IP

Now the Head Office settings:

STAS on Active Directory. Version 2.5.1.0

So, I've sent all the settings so you could check.

Thank you.

'll share with you the settings.

This is my BO:

192.168.1.11 is my Active Directory

192.168.5.1 is my Branch Office firewall's gateway

192.168.5.20 is the workstation 

192.168.1.1= Head Office Firewall's IP

Now the Head Office settings:

STAS on Active Directory. Version 2.5.1.0

So, I've sent all the settings so you could check.

Thank you.

hey techblue, So you do have a full IPsec tunnel as the local network mentioned is any but I do not see any FW rule "VPN to WAN" Can you create one rule and for VPN to WAN and check if the user gets internet ?

I have a VPN to WAN rule, as I showed you before:

Does it need to be also in Branch Office? 

The user gets internet access if I don't check "match known users" in the rule. If I leave FULL ACCESS with no authentication and no web policy it works fine. However, I need to redirect each user for the correct rule, so I need them to be authenticated somehow.

Thank you

On the BO it would be LAN TO VPN !! 
=================================
Then after try to ping to global DNS 8.8.8.8 and try capturing the via GUI packet capture !! 
Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_US
Can you share the output from both the HO and Bo so that we can learn about the FW/NAT rule it hits on both the sides !! 

Hi techblue,

As per snapshot under Sophos Appliance, you are not getting BO Sophos IP on STAS suite on general tab suspecting issue with firmware you are running as it is end of life 

You can use Sophos RED to connect to your Branch office below is the link to get details of the device : 

https://www.sophos.com/en-us/products/next-gen-firewall/tech-specs#SDRED 

Thanks and Regards

I think you didn't check the snapshots I've sent you. There is a LAN to VPN rule on Branch Office.

Package capture on BO. The workstation is pinging 8.8.8.8

On HO:

Packet capture from the host 192.168.5.20

Thank you

Apologies techblue,

Can you show us the violation status on HO screenshot 
What's causing the violation, there must be a reason if you scroll it to right...

Hi techblue 

You can apply match user on LAN-VPN rule and check 

Thanks and Regards

Where I can find it?

Thank you

Thank you Bharat J for all support.

Regards,