Bug Report - SSL VPN global setting "IPv4 lease range" start IP is now the network IP

I updated all settings via export/import and now I saw that the "Assign IPv4 addresses" value is the "IPv4 lease range" start IP. So now I had 192.168.111.10/24 as network, which is wrong and hard to find, because the configuration was running before ;-)

I don't know if it is relevant in an upgrade path other than export/import of the complete configuration.

Even though I found the error, I can no longer connect to the Sophos from the iPhone with OpenVPN, and the GUI log files show nothing.

  • I also had Remote Access SSL VPN set up using OpenVPN since v17. It worked on v18 as well, but after upgrading to v19 EAP, I can still connect using OpenVPN but I can't access anything on my network. I haven't changed any settings with SSL VPN, but I double-checked everything just to make sure it's still the same and everything looks correct. In the logs, I can see I'm connecting/authenticating successfully when I connect using OpenVPN, but that's it.

    Update: Figured out what my issue was. In v17 (or maybe v18), the IP range that was assigned to remote clients used to be 10.81.234.5 to 10.81.234.55, so I had an IP range set up for that which was used in my firewall rule. I noticed that when I was connected with OpenVPN, I was being assigned an IP address outside that range. I updated the firewall to just use an IP host for the entire subnet 10.81.234.0/24, and now everything works fine.

    Not sure when that changed with Sophos XG. I must have just missed it in the change logs.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • I can't remember if both IPSEC and SSL Remote VPN allowed for an IP range to be specified in v18/18.5. In v19, for IPSEC you can still set a range, but for SSL you can only set the first IP address. This address becomes the server's, and SSL VPN clients get addresses starting at one more than that.

  • There is an issue in the creation of IP Range objects in EAP1, which will get fixed with EAP2.

  • It looks like you can set the IP addresses SSL VPN will use in CIDR notation (e.g. 10.81.234.5/24). I only have one instance of Sophos XG running for my home network, so I can't compare it to v18, but I'm fairly certain it used to specify a range from 10.81.234.5 to 10.81.234.55 as the default.

    So for anyone coming from pre-v19 with SSL VPN set using the default range it used to specify, you may have to update the IP host used in your firewall rule for SSL VPN.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Is there a bug list where we can see already known bugs?

    I think it is not the same problem. The problem is the reuse of a value that was a range start IP, now as the network IP.

  • You can only specify one value, not three, so you can't have one IP for the interface/network/firewall and then a separate range for the clients. As far as I can tell, you specify the start and that will also be the interface/network/firewall IP, and clients will start at the next IP.

    So if you specify 192.168.100.1, the interface will have that address and the clients will start at 192.168.100.2. At least that's how it's working for me, and it seems reasonable, though different. It would be nice to be able to specify all three, so you could, say, have the interface be 192.168.100.250 and the clients be 192.168.100.5-192.168.5.55, but...

  • To compare v18 and v19:

    Sophos v18

    In v18 it is clear that you enter the start IP of the range.

    Sophos v19

    In v19 it is not really clear whether to enter the IP of the network/subnet (like in every other form) or the start IP.
    Here are the config parameters from the exports...

    v18

    <SSLTunnelAccessSettings transactionid="">
      <Protocol>UDP</Protocol>
      <SSLServerCertificate>xxxx SSL VPN Cert</SSLServerCertificate>
      <OverrideHostName>vpn.xxxxxx.de</OverrideHostName>
      <Port>1194</Port>
      <IPLeaseRange>
        <StartIP>10.73.10.1</StartIP>
        <EndIP>10.73.10.254</EndIP>
      </IPLeaseRange>
      <SubnetMask>255.255.255.0</SubnetMask>
    </SSLTunnelAccessSettings>

    v19

    <SSLTunnelAccessSettings transactionid="">
      <Protocol>UDP</Protocol>
      <SSLServerCertificate>Firewall Certificate</SSLServerCertificate>
      <OverrideHostName>vpn.xxxxxxx.eu</OverrideHostName>
      <Port>1194</Port>
      <IPLeaseRange>
        <StartIP>192.168.117.0</StartIP>
      </IPLeaseRange>
      <SubnetMask>255.255.255.0</SubnetMask>
    </SSLTunnelAccessSettings>

    Since the value name is the same, I now think I have to enter the first IP of the network.

    But the tunnel doesn't come up, and without shell access I can't see anything. The log on the GUI is empty.
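    The two exports above, and the earlier description of how v19 interprets the single value (the start IP becomes the server's address and clients are assigned from the next address), can be checked mechanically before a config is imported. The following is an added example, not part of this thread or of Sophos' tooling: it parses the `SSLTunnelAccessSettings` block, derives the server address and client pool under the rule described in the thread, flags a start IP that is actually the network address (as in the 192.168.117.0 export), and reports how many client addresses a firewall IP-host range would fail to cover (the situation described with the old 10.81.234.5 to 10.81.234.55 object). The sample exports are constructed from the posted snippets with the certificate and hostname fields dropped; the "start IP is the server" rule is taken from the thread, not from vendor documentation.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample exports, modelled on the two snippets posted in the thread.
V18_EXPORT = """<SSLTunnelAccessSettings transactionid="">
  <Protocol>UDP</Protocol>
  <Port>1194</Port>
  <IPLeaseRange>
    <StartIP>10.73.10.1</StartIP>
    <EndIP>10.73.10.254</EndIP>
  </IPLeaseRange>
  <SubnetMask>255.255.255.0</SubnetMask>
</SSLTunnelAccessSettings>"""

V19_EXPORT = """<SSLTunnelAccessSettings transactionid="">
  <Protocol>UDP</Protocol>
  <Port>1194</Port>
  <IPLeaseRange>
    <StartIP>192.168.117.0</StartIP>
  </IPLeaseRange>
  <SubnetMask>255.255.255.0</SubnetMask>
</SSLTunnelAccessSettings>"""


def parse_lease_settings(xml_text):
    """Return (start_ip, end_ip_or_None, subnet_mask) from an SSLTunnelAccessSettings export."""
    root = ET.fromstring(xml_text)
    start = root.findtext("IPLeaseRange/StartIP")
    end = root.findtext("IPLeaseRange/EndIP")  # absent in the v19 export
    mask = root.findtext("SubnetMask")
    return start, end, mask


def derive_pool(start_ip, subnet_mask, end_ip=None):
    """Apply the rule described in the thread (assumption, not vendor-documented):
    the start IP is the server's tunnel address and clients begin at start+1.
    Without an EndIP the pool is assumed to run to the last usable host."""
    net = ipaddress.ip_network(f"{start_ip}/{subnet_mask}", strict=False)
    server = ipaddress.ip_address(start_ip)
    findings = []
    if server == net.network_address:
        findings.append("start IP is the network address; the server would own an unusable address")
    if server == net.broadcast_address:
        findings.append("start IP is the broadcast address")
    first_client = server + 1
    last_client = ipaddress.ip_address(end_ip) if end_ip else net.broadcast_address - 1
    if first_client > last_client:
        findings.append("no client addresses remain after the server address")
    return {
        "network": str(net),
        "server": str(server),
        "first_client": str(first_client),
        "last_client": str(last_client),
        "findings": findings,
    }


def uncovered_client_count(first_client, last_client, rule_start, rule_end):
    """Number of pool addresses [first_client, last_client] that fall outside a
    firewall IP-host range [rule_start, rule_end]. Zero means the rule covers the pool."""
    lo, hi = int(ipaddress.ip_address(first_client)), int(ipaddress.ip_address(last_client))
    r_lo, r_hi = int(ipaddress.ip_address(rule_start)), int(ipaddress.ip_address(rule_end))
    overlap = max(0, min(hi, r_hi) - max(lo, r_lo) + 1)
    return (hi - lo + 1) - overlap


if __name__ == "__main__":
    for label, export in (("v18", V18_EXPORT), ("v19", V19_EXPORT)):
        start, end, mask = parse_lease_settings(export)
        pool = derive_pool(start, mask, end)
        print(label, pool)
    # Old default object 10.81.234.5-.55 against a pool that now starts at .2
    print("uncovered:", uncovered_client_count("10.81.234.2", "10.81.234.254",
                                               "10.81.234.5", "10.81.234.55"))
```

    Running it against the v19 export reports the network-address finding for 192.168.117.0, which is the cheapest thing to check when the tunnel does not come up and the GUI log is empty; the coverage count shows why a firewall IP-host range created for the pre-v19 default pool silently drops traffic from clients assigned outside it.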

  • Assuming we have to look into this next year, as most people are on vacation right now.

  • Yes, makes perfect sense. That's what's currently happening with me, and the tunnel is up: I specify the first IP address, 192.168.60.1 -- which will be the server's -- and my laptop is getting the next IP 192.168.60.2. Tunnel comes up, and has been working reliably for weeks.

    Looking at my firewall rule for VPN, I did what the tutorial shows and used the VPN zone as source, and I also have a group "Remote SSL VPN" for Network, which feels redundant, but it is what it is. That IP range is 192.168.60.1 - 192.168.60.25, so the "start at .1" thing has been around since v18, when I originally configured SSL VPN.

    I am still using the old exported VPN configuration on my laptop, since nothing should have changed otherwise. I switched to GCM on the XGS, which is new in v19, but the laptop picks that up without needing any configuration changes. (Which makes sense, since I'm using OpenVPN on my (Mac) laptop, and I believe Sophos is using OpenVPN in the appliance, so I'd expect negotiations to work well.)

    So I'm not sure that this is a "bug". If it is a bug, I'm wondering if it's an issue with the exported VPN configuration not including the end of the IP range.