Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

IPSec VPN access

I'm using the Home Firewall 20.0. I configured IPSec VPN using the Sophos instructional video. I used the default profile.

I'm on the road, and trying to connect to devices on my home LAN, via the VPN. Let's call the LAN subnet X.X.X.0/24. The Sophos firewall is on this subnet with IP address X.X.X.1. 

The VPN connects with no problem. While on the road, I can connect to the Sophos via the VPN, and I can ping X.X.X.1, the Sophos address on the home local LAN. But I cannot ping any other devices on that subnet. I have a firewall rule allowing all traffic from the VPN zone and the VPN IP range (the addresses leased out to the VPN clients) to access that subnet.

Why does the VPN allow remote clients to access the Sophos firewall, but not other devices on the X.X.X.0 subnet? Is there some extra step required to allow the VPN clients to pass through the firewall and connect to devices in the LAN zone?

Follow up: There seems to be a bug with the "Permitted Network Resources" field.

1. When I select a network item (X.X.X.0/24) I get the results mentioned above in this post.
2. When I select an individual IP address (X.X.X.99), it works, and I can access that single host.
3. When I try to select an IP range, it doesn't let me!

This is very bad. If I want to have access to my entire subnet, which has 200 hosts, I have to add each individual host, one at a time!



Edited TAGs
[edited by: Erick Jan at 12:42 AM (GMT -7) on 24 Apr 2024]
Parents
  •  , ip range and ip list - though it is configurable from IPSec RA page, we don't allow it to be part of Permitted network resources of IPsec RA; only ip or subnet configured will be listed; I guess you are using split tunnel ? What is the type of device that you are using as ipsec client? is it mobile phone?

    Can you paste the output of 'ipsec statusall' cli output? you should have an SA listed as below for your permitted subnet (x.x.x.0/24) to virtual ip assigned to your mobile. If you don't have an SA like this, there is no path to carry traffic from the mobile to LAN subnet.

    XGS2300_RL01_SFOS 21.0.0 EAP0-Build2794 HA-Primary# ipsec statusall | grep IPSEC
    IPSECRA-1: 66.198.16.135...%any IKEv1, dpddelay=60s
    IPSECRA-1: local: [66.198.16.135] uses pre-shared key authentication
    IPSECRA-1: remote: uses pre-shared key authentication
    IPSECRA-1: remote: uses XAuth authentication: access_server
    IPSECRA-1: child: 172.16.2.0/24 === 0.0.0.0/0 TUNNEL, dpdaction=none
    IPSECRA-1[2881]: ESTABLISHED 18 seconds ago, 66.198.16.135[66.198.16.135]...115.99.117.66[192.168.1.4]
    IPSECRA-1[2881]: Remote XAuth identity: user1
    IPSECRA-1[2881]: IKEv1 SPIs: 97ff496db8c6f8f6_i e8f43156371478f5_r*, pre-shared key reauthentication in 4 hours
    IPSECRA-1[2881]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    IPSECRA-1{5371}: INSTALLED, TUNNEL, reqid 10, ESP in UDP SPIs: c224c7ab_i c0db9892_o
    IPSECRA-1{5371}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 49 minutes
    IPSECRA-1{5371}: x.x.x.0/24 === 25.1.1.1/32

    If the SA is listed for x.x.x.0/24, if the traffic fails, send traffic (can initiate ping from ipsec RA device to one of the available ip of x.x.x0/24), capture traffic on ipsec0 interface? on advanced shell cli  use this commant - tcpdump -ni ipsec0; if the traffic is seen on ipsec0 interface, see if this is routed to LAN port of SFOS.

Reply
  •  , ip range and ip list - though it is configurable from IPSec RA page, we don't allow it to be part of Permitted network resources of IPsec RA; only ip or subnet configured will be listed; I guess you are using split tunnel ? What is the type of device that you are using as ipsec client? is it mobile phone?

    Can you paste the output of 'ipsec statusall' cli output? you should have an SA listed as below for your permitted subnet (x.x.x.0/24) to virtual ip assigned to your mobile. If you don't have an SA like this, there is no path to carry traffic from the mobile to LAN subnet.

    XGS2300_RL01_SFOS 21.0.0 EAP0-Build2794 HA-Primary# ipsec statusall | grep IPSEC
    IPSECRA-1: 66.198.16.135...%any IKEv1, dpddelay=60s
    IPSECRA-1: local: [66.198.16.135] uses pre-shared key authentication
    IPSECRA-1: remote: uses pre-shared key authentication
    IPSECRA-1: remote: uses XAuth authentication: access_server
    IPSECRA-1: child: 172.16.2.0/24 === 0.0.0.0/0 TUNNEL, dpdaction=none
    IPSECRA-1[2881]: ESTABLISHED 18 seconds ago, 66.198.16.135[66.198.16.135]...115.99.117.66[192.168.1.4]
    IPSECRA-1[2881]: Remote XAuth identity: user1
    IPSECRA-1[2881]: IKEv1 SPIs: 97ff496db8c6f8f6_i e8f43156371478f5_r*, pre-shared key reauthentication in 4 hours
    IPSECRA-1[2881]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    IPSECRA-1{5371}: INSTALLED, TUNNEL, reqid 10, ESP in UDP SPIs: c224c7ab_i c0db9892_o
    IPSECRA-1{5371}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 49 minutes
    IPSECRA-1{5371}: x.x.x.0/24 === 25.1.1.1/32

    If the SA is listed for x.x.x.0/24, if the traffic fails, send traffic (can initiate ping from ipsec RA device to one of the available ip of x.x.x0/24), capture traffic on ipsec0 interface? on advanced shell cli  use this commant - tcpdump -ni ipsec0; if the traffic is seen on ipsec0 interface, see if this is routed to LAN port of SFOS.

Children
  • I was able to solve it by changing the Network item to a bigger scope. I was trying to access devices on X.X.X.0/24 subnet, and using that subnet didn't work. But then I changed the permitted network to X.0.0.0/8, and that works. This also saves me time, because I have a few other subnets starting with X, for example X.Y.Z.0/24, and I was planning to also add them. It is easier to just have the one /8 entry.

  • Hello EastCoastUser,

    of course you can use a network item with the same network and same scope of one the other interfaces at your firewall as "permitted network resources". I always do configure this like that.

    The must be something else in your configuration causing this behaviour.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.