Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR1: Feedback and experiences

Release Post: Sophos Firewall OS v20 MR1 is Now Available

The old V20.0 GA Post: Sophos Firewall: v20.0 GA: Feedback and experiences

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.

Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Prio Change
[edited by: LuCar Toni at 4:40 PM (GMT -7) on 23 Sep 2024]
  • Hello everyone,

    We are accessing a customer appliance via an IPsec S2S VPN with NAT.
    Access is made to an IP that is NATed inside the tunnel on the customer side and translated in the IPsec config on the customer side.
    Nothing special; it has always worked in V20. In addition, there is a local ACL with DST:ANY, which allows access from our SRC subnet, which is also in the tunnel.

    Now to the problem - since the V20-MR1 update I can no longer access the web admin via VPN. SSH still works.

    Does anyone have any ideas?

    Kind regards!

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Hi @keobra, please provide a clear topology of your setup. Is it policy-based IPsec or RBVPN?

  • Hi,

    we are using policy based VPN to that customer.


    In the customer's firewall we have, let's say, 10.1.0.1/24 as the real interface address of the firewall. The IPsec tunnel config on the customer's firewall is using 192.168.0.0/24 as the remote network and 172.16.0.0/24 as the local network (with the built-in NAT function that maps the network to 10.1.0.0/24).

    On 20GA we were able to access 10.1.0.1 via SSH and WEBADMIN from the 192.168.0.0 network, since 20MR1 only SSH is working.
    Everything we tried (advanced-firewall rules for sys-traffic, activating WEBADMIN generally from the VPN zone) had no effect.

    Packet capture is showing the incoming connection and the outbound answer but the browser says "connection refused".
    In Local ACL the network 192.168.0.0/24 is allowed from VPN zone to ANY for WEBADMIN, SSH, PING,...

    Edit: system ipsec_route add net 192.168.0.0/24 brings an error as soon as I press TAB.

    console> system ipsec_route add net 192.168.0.0/24
    % Error: Unknown Parameter '192.168.0.0/24'
    

    Edit2: ok whoever thought 192.168.0.0/255.255.255.0 is good notation should be ashamed... but that also doesn't solve it.
    Routing precedence is sdwan, static, vpn if that makes a difference.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner
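A small triage helper, added here and not part of the thread, that reads tcpdump-style capture lines and tells apart the three outcomes worth separating at this point: SYN-ACK (service reachable), RST (host reached but the port refuses, matching the "connection refused" above) and no reply at all (return-path or routing problem). The capture lines are constructed, and port 4444 as the WebAdmin port is an assumption, not something stated in the thread.

```python
import re

# Constructed sample of a tcpdump-style capture, modelled on the symptom in the
# thread: SSH from 192.168.0.50 to 10.1.0.1 completes, the WebAdmin port is refused,
# and a third flow gets no answer at all. Port 4444 as WebAdmin is an assumption.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 192.168.0.50.51000 > 10.1.0.1.22: Flags [S], seq 1
10:00:01.001 IP 10.1.0.1.22 > 192.168.0.50.51000: Flags [S.], seq 9, ack 2
10:00:02.000 IP 192.168.0.50.51001 > 10.1.0.1.4444: Flags [S], seq 1
10:00:02.001 IP 10.1.0.1.4444 > 192.168.0.50.51001: Flags [R.], seq 0, ack 2
10:00:03.000 IP 192.168.0.50.51002 > 10.1.0.1.443: Flags [S], seq 1
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def classify_flows(capture: str) -> dict:
    """Return {(client, cport, server, sport): verdict} for every TCP SYN seen.

    'established' - server answered the SYN with SYN-ACK
    'refused'     - server answered with RST: host reached, nothing accepting on that port
    'no-reply'    - SYN seen but no answer captured: return path / routing / silent drop
    """
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["flags"]
        if "S" in flags and "." not in flags and "R" not in flags:
            # Pure SYN: a new client-initiated flow, pessimistically 'no-reply' until answered.
            flows.setdefault((m["src"], int(m["sport"]), m["dst"], int(m["dport"])), "no-reply")
        else:
            # Reverse direction: map the server's answer back to the client-initiated key.
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            if key in flows:
                if "R" in flags:
                    flows[key] = "refused"
                elif "S" in flags and "." in flags:
                    flows[key] = "established"
    return flows


def summarize_by_port(capture: str) -> dict:
    """Collapse per-flow verdicts to {server_port: verdict} for a quick read."""
    return {key[3]: verdict for key, verdict in classify_flows(capture).items()}
```

A 'refused' verdict on the WebAdmin port while SSH is 'established' points at the service or its access list on the receiving firewall rather than at the tunnel route, whereas 'no-reply' is the pattern an ipsec_route / return-path problem produces.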

  • Hi, thanks for the details; let me put up a drawing so that what you are stating and what we understand are the same.

    ---172.16.0.0/24 ----SFOS1<ip1> --------------policy based ipsec tunnel-------<ip2>SFOS2------192.168.0.0/24----client

    Are you accessing SFOS1 on <ip1> from the client's browser and expect to see the UI of SFOS1 over the IPsec tunnel? I am assuming 'customer firewall' refers to SFOS1 and your firewall is SFOS2?

    Regarding your NAT description, it is still not clear. When you say "with the built-in NAT function that maps the network to 10.1.0.0/24", can you please elaborate? Are you doing NAT in the UI of the IPsec tunnel config, in the cish CLI, or in "Rules and Policies --> NAT rule"? Is NAT being done on both SFOS1 and SFOS2? We need these details so that we can attempt the exact setup/config internally.

    Is <ip1> configured on SFOS1 from 10.1.0.0/24, which is used to host the tunnel?

    Let us know if you are fine to have a call over zoom to go over your configs/setup. You can DM me, we can reach out to you for further triage.