
What is the correct policy for Mac OS X VPN?

I'm trying to prepare my SF box for remote access. I successfully configured it for SSL VPN (OpenVPN) and, surprisingly, Cisco IPSec (on an iOS 9 device). But I want my Mac to connect without OpenVPN, using either the L2TP or IPSec options.

Unfortunately I can't figure out what policy should be chosen for the Apple OS X 10.11 VPN client (it is racoon based). I'm getting: "EST-P1: System did not accept any proposal received." in both the "IPSec" and "L2TP" SF VPN modes.

Has anyone succeeded in connecting OS X to SF XG?

  • Sorry, I meant to say 'neither UTM 9.x nor XG' supports IKEv2, if my memory retention is still holding. :)
  • I went in to grab the config files and realized that UTM9 and XG are using a different l2tp daemon. UTM9 appears to be using openl2tp and XG appears to use a fork of xelerance (xlt2p). So I'm not sure that the config files will help you because they are for a different l2tp server.

    I'm thinking it may be more worthwhile to find how to configure xelerance (www.xelerance.com/.../) for OS X connections.
  • I had a little time this morning so I swapped out my UTM9 with the XG running on a demo license. I was able to successfully connect from OSX using the built-in VPN client (under OSX 10.11.2 beta 15C48a El Capitan).

    Here's a summary of what I did ... I hope I get everything:
    XG Configuration:
    > System > VPN > Cisco VPN Client
    General Settings
    - Enable
    - <set port to your external interface>
    - Auth Type - preshared Key (I used that for simplicity ... I'll try it with certificates if I have need in the future)
    - Local ID - <blank>
    - Remote ID - <blank>
    - Allowed User <add your user account created at > System > Authentication > Users (I expected an option to add a group such as "open group" here but I didn't get that option ... maybe this is on the list for Sophos to add in a future version (hint hint))
    Client Information
    - Name: <enter the host name of your Mac> (I'm guessing it will want a host name without special characters ... if your mac is named "Slawek's Macbook Pro" or something like that consider changing your host name to a single word)
    - Assign IP from: <enter a new subnet that doesn't exist on your XG> (I used 10.40.40.100 - 10.40.40.150)
    - Allow Leasing: <do not select> (unless you are also using a separate radius server)
    - DNS Server: <enter the IP address of the inside/LAN interface of your XG> (or it will probably work with another internal DNS server, but if you use a separate DNS server you'll need to make sure you have a firewall policy that allows traffic)
    Advanced Settings:
    - Set a time here for auto-disconnect. I left it blank for testing, but something like 120 should be a reasonable setting for most people

    Policies:
    > enter an appropriate policy to allow access to your LAN
    > If you want to also allow internet access over the VPN tunnel, then you'll need to enable rewriting.

    Rule Name: VPNAccess
    Identity: On
    User or Groups: Open Group (or any other group the user you created is a member of) ... (make sure the user is in this group on the users page)
    Source:
    - Zone: VPN
    - Networks: Any (or restrict it if you'll have more than 1 VPN)
    - Services: Any (or restrict it to reduce VPN access to your network)
    - Schedule: All the time (or less)
    Destination
    - Zone: Any (this allows access to the local network and to the internet via the VPN)
    - Networks: Any (allows all local networks and internet access via the VPN)
    Action:
    - Accept
    Routing
    - Rewrite source address: on
    - Use Outbound address: MASQ
    - no gateways or DSCP marking unless you have redundant gateways
    Malware Scanning
    - I left these off for testing, but you should probably enable them to ensure your VPN web browsing is scanned
    Policies
    - I left these off for testing, but you should probably enter the same settings as your other policy (this probably depends on the order of your policies ... I'm not 100% sure how XG will handle the policy ordering. Enable them to be safe for use at home. For a heavily used system this might cause VPN downloads to be scanned twice ... but I haven't read to be sure how XG will handle it)
    - Log: On
    - Security Heartbeat (I left this off ... not sure exactly what this does yet)


    You may also need to enable VPN Access on the "System > Administration > Device Access" page. Probably the setting you'll need is on the WAN row: enable SSLVPN. But I haven't tested to be sure if it's needed or not. I enabled it for the test. I also enabled the user portal from the WAN because I really like the HTML5 RDP client in the Sophos firewall.

    Also on this page you may want to enable admin services access from the VPN zone.

    OSX Client configuration:

    You were right on with your post above:

    Settings > Network > + (click the plus icon to add a VPN connection)

    Server address: <enter your XG IP address>

    Account name: <enter the name of the account you created in the XG Users page>

    Password: <enter the password of the account from the XG users page>

    Authentication Settings:

    - Shared Secret: <enter the preshared key you created on the XG > System > VPN > Cisco VPN Client > General Settings page>

    - Group name: <blank>


    Hope this helps you with XG. After looking at it this morning I think I may leave XG in place ... really liking it so far. I just need to check to see if I can transfer my home UTM9 license onto the XG.

  • Thanks for the detailed explanation, but I have already written that I managed to get Cisco IPSec and OpenVPN (SSL VPN) working.

    I haven't tested Cisco IPSec on OS X until today - it works exactly the same way as on an iOS device.

    The method that does not work for me is L2TP over IPSec.

    BTW: If you need home XG license - go to "Free Tools" on Sophos site - and get SFOS from there.

    Regards,
    Slawek

  • Slawek - I think I found something that will help: kb.cyberoam.com/default.asp. There is a VPN configuration guide for OS X: http://kb.cyberoam.com/default.asp?SID=&Lang=1&id=2914 and a .pdf available for download with instructions. The guide is for a different GUI, but the steps are very similar to XG.

    I was at a location where I couldn't use the Cisco VPN config I listed below, so I tried out an L2TP configuration. I was continually getting an error that no active connection is defined ... it was as if I hadn't defined a connection in XG.

    The instructions on the cyberoam site show that I have to go to System > VPN > L2TP and click the red dot under "active" ... it was not obvious to me in the GUI, but I clicked it and the dot turned green. I assume that means that there is now an active connection defined.

    I tried the connection and it now works with L2TP from OS X 10.11.2 with the built-in VPN client.

    *suggestion for Sophos* -> modify the GUI under System > VPN > L2TP to make it more obvious that the red dot is something that needs to be clicked to enable the connection. As it is now, it appears to be a status light rather than an enable button to me.

  • Hello, I am actually writing this connected via L2TP on my Macbook back to our XG at the office. I think one thing that might be confusing (it confused me at first) is not to set it up in the "IPSEC" section. Setup was pretty easy once you figure out where you're looking.

    It's kind of a 2-step process (might be a nice feature in the future just to combine these screens for L2TP).

    Go to Setting/VPN/L2TP Settings
    - Enable L2TP
    - Assign From IP - Choose a random block of IPs not in any of your regular networks
    - Choose your DNS Servers
    - Before hitting Apply at the bottom - Click on the button next to it "Add Members" and choose the users you want to be able to use L2TP
    - Apply


    Then go to Setting/VPN/L2TP Connections
    - Add
    - Put in any name, e.g. "VPN_Client"
    - Policy = DefaultL2TP
    - Action = Respond Only
    - Authentication Type - (I used Pre-Shared Key for simplicity)
    - Local WAN Port - I only have one so it was auto selected to my WAN Interface
    - Remote Host = *
    - NAT Traversal = Enabled
    - Remote LAN Network = I chose Any, but you can lock that down more by choosing individual networks if you like
    - Remote ID = Leave as default - Select Remote ID
    - Local Port = 1701
    - Remote Port = *
    - Save
    - After saving, click the little red dot under Active and it should go green (this is kind of a confusing feature)

    From there, just make sure you add a Firewall rule to allow Outbound traffic from the VPN Zone.

    Let me know if you need help setting up the Mac client side. If you're good there, just make sure to go into Advanced of your VPN settings (assuming you're using the native OSX built-in client) and click the box to "Send all traffic over VPN Connection" (I think this is a Mac issue not being able to split tunnel?)

    Thanks
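The macOS side of the two procedures described in this thread (the Cisco VPN Client post earlier and the L2TP post just above), written as a configuration profile so the client settings can be reviewed and deployed without clicking through System Preferences. This is an added example, not a file from the thread or from Sophos; the key names are those of Apple's VPN configuration profile payload, while the server name vpn.example.net, the account name xg-user, the UUIDs and the base64 shared secret are placeholders to replace.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.xg.vpn</string>
  <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
  <key>PayloadContent</key>
  <array>
    <!-- 1: L2TP over IPsec with pre-shared key (XG System > VPN > L2TP) -->
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.xg.vpn.l2tp</string>
      <key>PayloadUUID</key><string>22222222-2222-4222-8222-222222222222</string>
      <key>UserDefinedName</key><string>XG L2TP</string>
      <key>VPNType</key><string>L2TP</string>
      <!-- same effect as ticking "Send all traffic over VPN connection" -->
      <key>OverridePrimary</key><true/>
      <key>PPP</key><dict>
        <key>CommRemoteAddress</key><string>vpn.example.net</string>
        <key>AuthName</key><string>xg-user</string>
        <!-- AuthPassword omitted on purpose: macOS prompts for it at connect time -->
      </dict>
      <key>IPSec</key><dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <!-- base64 of the placeholder "REPLACE-ME"; anyone holding this file can read the PSK -->
        <key>SharedSecret</key><data>UkVQTEFDRS1NRQ==</data>
      </dict>
    </dict>
    <!-- 2: Cisco IPsec, i.e. IKEv1 with XAuth (XG System > VPN > Cisco VPN Client) -->
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.xg.vpn.ipsec</string>
      <key>PayloadUUID</key><string>33333333-3333-4333-8333-333333333333</string>
      <key>UserDefinedName</key><string>XG Cisco IPsec</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key><dict>
        <key>RemoteAddress</key><string>vpn.example.net</string>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><data>UkVQTEFDRS1NRQ==</data>
        <key>XAuthEnabled</key><integer>1</integer>
        <key>XAuthName</key><string>xg-user</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Save it with a .mobileconfig extension and open it to install; the Cisco payload carries no LocalIdentifier because the Group name is left blank, as in the post. Because the pre-shared key sits in the file in recoverable form, hand the profile out the way you would the key itself, not by e-mail or a shared folder.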
  • It finally worked. But I still don't know why it was not working the first time since, as I looked at the KB, they haven't provided anything I had already tried. In the meantime OS X 10.11.2 arrived... maybe they patched something... who knows? Now I have yet to try to configure a raw IPSec connection :)

    Regards,
    Slawek