

Remote access VPN IPsec - Gateway/Address in SCX/Provisioning file

Currently when you export the SCX file (or use a provisioning/pro file to automatically update the VPN configuration in the Sophos Connect client) the file's "gateway" parameter has the WAN IP of the Sophos XG firewall. Our firewall is currently behind another router, though, so the IP address being picked up is actually an internal IP address not accessible to the public. As a result, we have to update the SCX file manually to a DNS hostname that will resolve to our router's IP address. This is fine in a manual case, however we'd like to make use of provisioning files so that updates can be pulled down automatically. Is there a way to change a configuration in the XG firewall such that a certain hostname is picked up for the "gateway" property of the SCX file? In some other threads I saw that the Dynamic DNS setting could override this, but we don't use a Dynamic DNS service (the IP address of our router is static and mapped with static DNS through our domain name provider) so that is not an option.
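As an added example, not from this thread or from Sophos, the script below performs the manual step described above: it checks whether an exported SCX file's "gateway" value is a non-routable address (RFC 1918, CGNAT, loopback, link-local) and, if so, rewrites it to a public hostname. It assumes the SCX file is a JSON object with a top-level "gateway" key (an assumption, not verified against Sophos documentation) and uses a hypothetical hostname vpn.example.com.

```python
import ipaddress
import json

# Constructed sample of an exported SCX file. This script assumes the file is
# a JSON object with a top-level "gateway" key (assumption, not verified
# against Sophos documentation); real exports carry many more keys.
SAMPLE_SCX = '{"display_name": "HQ IPsec", "gateway": "192.168.1.10"}'

# Hypothetical public name that resolves to the upstream router's static IP.
PUBLIC_HOSTNAME = "vpn.example.com"


def gateway_is_publicly_routable(value: str) -> bool:
    """True if the gateway is a hostname or a globally routable IP address.

    Returns False for RFC 1918, CGNAT (100.64/10), loopback, link-local and
    other non-global addresses: the symptom of a firewall sitting behind
    another router is that the exported gateway is its private WAN IP.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP literal, so treat it as a hostname; the client resolves it.
        return True
    return addr.is_global


def rewrite_gateway(scx_text: str, public_hostname: str) -> tuple[str, bool]:
    """Return (new_scx_text, changed). Only rewrites a non-routable gateway."""
    config = json.loads(scx_text)
    gateway = config.get("gateway")
    if gateway is None:
        raise ValueError("SCX file has no 'gateway' key")
    if gateway_is_publicly_routable(gateway):
        return scx_text, False
    config["gateway"] = public_hostname
    return json.dumps(config, indent=2), True


if __name__ == "__main__":
    new_text, changed = rewrite_gateway(SAMPLE_SCX, PUBLIC_HOSTNAME)
    print("rewritten" if changed else "unchanged")
    print(new_text)
```

Run it against the exported file before distributing it; an unchanged result means the gateway was already a hostname or public address.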

  • Hi, thank you for reaching out to the Sophos community team. Based on the shared details, it seems you are looking for an option for Remote access IPsec VPN quite similar to the one available for Remote access SSL VPN with the setting called "Override hostname".

    Unfortunately, on the GUI as of now there are no such settings or options to define the hostname and push it in an automated way into the config file of Remote access IPsec VPN. Yes, manual options are there, and you are already aware of how to use them by editing the SCX or provisioning file.

    You can submit your Feature Request using the in-product feedback in the Sophos Firewall located in the Top Menu Bar.



    You can also log a support case to raise a feature request, which you can track later with your account manager/local sales representative or TAM.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Thanks Vishal. It's a shame that this feature isn't available; it seems like something that would be an easy change.

    Two follow up questions:

    1. As far as the provisioning file goes (since you mentioned it), is there anything I can do in the provisioning file to override this? I'm assuming not since it sounds like it effectively just downloads the SCX file from the firewall?

    2. Is there any config I could edit at the console level to change the SCX file present on the firewall? I understand that any changes to the IPSEC VPN configuration would likely overwrite any manual changes made, however we don't change this often and I'd be OK with accepting that as a step needed if we made any future changes.

  • Hi, 1) The provisioning file is not downloadable from XG. One needs to manually create it based on the defined template, giving the file a .pro extension (template details are available in the help section below).

    Based on the .pro file settings, the client only connects to the VPN portal and automatically imports the remote access SSL VPN (.ovpn) file corresponding to the user and the remote access IPsec (.scx) file into the Sophos Connect client.

    So, the "gateway" setting defined under "Provisioning file settings" is only meant to be used to connect to the VPN portal of XG to fetch the settings of the respective VPN config file.

    Once settings are fetched for remote access SSL VPN or remote access IPsec via the VPN portal, the Sophos Connect client is going to use the defined Gateway or IP settings for the respective connection as per the UI settings (i.e. for remote access IPsec, the interface defined on the XG UI under IPsec; for remote access SSL VPN, all WAN interfaces if there is no Override hostname manually defined under SSL VPN global settings).

    Template info - https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConProvisioningFile/index.html#templates

    2) .scx file contains both general and advanced settings. Advanced settings are already manageable from the GUI itself.

    However, the benefit of the provisioning file is that it automatically imports any configuration changes you make later (i.e. the user needs to reimport the updated SCX file to get the latest changes, which will not be the case with the provisioning file).

    Benefits are mentioned in the same help link shared above.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi Vishal. Makes sense, that's what I thought it'd do. Currently we use an SCX file and distribute it manually whenever there is an update, this is why we were hoping to switch to a provisioning file instead. However, without a way to modify the gateway value it will be a showstopper for us as the IPSEC VPN config will simply not connect without the appropriate change. I'll raise a feedback request for this.

    Is the generated SCX file stored on the firewall somewhere that the CLI console has access to? I understand that this wouldn't be officially supported, but I'm curious if the generated SCX could be modified through the CLI console manually so that when the provisioning file pulls it down it contains a modified gateway. Beyond this kind of trick, I'll have to wait for Sophos to take up this request.

  • Hello, Jeff.
    I sympathize with you, but if you allow, I'll leave my two cents as a suggestion for your case.
    To reduce this need for file configuration, you can change technology. Use SSL VPN.

    In the SSL VPN settings you have the "hostname override". With this option you replace any addressing in the file.
    The disadvantage is that you can only enter one IP address or DNS name.
    If there is no more than one link, you can use it this way.

    If there are two links, it is better to use the provisioning file.

    If I'm not mistaken, when you use the provisioning file for SSL VPN, it overrides the SSL VPN configuration file values with the value set in the provisioning gateway key.

  • Hi Hugo. I appreciate your input. This was another thought that I had. Initially we had introduced the IPSEC VPN because some users were experiencing slowness and disconnect issues with the SSL VPN (might be because it was configured as tcp instead of udp) and the IPSEC VPN seemed to perform better for them. As a result now we have some users on SSL and some on IPSEC.

    We are in the process of also implementing MFA on the VPN, which has raised the need for us to change the rekey time for the IPSEC VPN as it is only around 4 hours by default. Since this will require a redeployment anyway, maybe I will use that as an opportunity to remove IPSEC and change SSL VPN to UDP via a provisioning file. Always a risky gambit if things don't go well as it could inconvenience users, but it's a risk I may have to take.