This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Use Duo with L2TP/iPsec or SSL with a timeout value

Hello,

We have been using L2TP/IpSec VPN for years and it has always worked great. Now we need to implement Duo MFA with our VPN. First of all i was unable to get it to work with the L2TP VPN and saw a post somewhere in this forum that said it can't be done. So i created a SSL VPN and configured my Duo Authentication Proxy and it works well. However there doesn't appear to be a way to set a timeout with the SSL VPN. (I set the timeout for my L2TP VPN on my Radius server which works well). So i opened a ticket with Sophos and finally got a reply from them that said: "I am sorry to say that "SSL VPN remote access timeout values cannot be modified at this time". You can submit the idea as a Feature Request "

So If i use Duo i can't set a timeout. I have played with the arcane OpenVPN settings on a UTM VM in my lab but can't get it to work properly. If i set the keylife then the VPN client is relentless in trying to keep the connection up and so continues to push Duo notifications until i respond.

I have been reduced to contemplating setting up RAS VPN services on a Core Windows 2016 server. I don't want to do that, and I know i will have to work through issues with Nat'ng through to the VPN, vs setting up a bridge interface. Can anyone help me with this? Does anyone have a vpn with Duo configured that has a timeout? I have stumped and frustrated.

Thank you in advance for any workable suggestions.

WRS

This thread was automatically locked due to age.

0 BAlfson over 4 years ago
I haven't played with Duo, but others here have used it successfully:

Sophos UTM: Two-factor authentication with Duo Security

Two-Factor Authentication Design Considerations

Cheers - Bob
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 WRS over 4 years ago in reply to BAlfson

Thank you Bob for your suggestions. I'm afraid my post was way too wordy and misleading. I'm not having a problem with Duo. It works great. So let's forget about Duo for a minute. My real problem is finding a way to have my SSL clients disconnect after a certain amount of time. Here's an example of what my testing. I had several users connected to the SSL VPN and after business hours i actually disabled my SSL VPN Profile. This caused the connections to drop as expected. However after I re-enabled the profile all of the clients reconnected. is that by design? It seems that there is nothing i can do to set a connection disconnect or idle timeout. Even forcing them to disconnect still means they keep trying until they finally reconnect. Is there anyway to actually set the timeout to be 10 hours, and the idle timeout to be 60 minutes?

Thanks,

WRS
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 4 years ago in reply to WRS

I only know the trick for disconnecting one user at a time. If you saw user jjjsmith on at 10.242.2.6 and hnimntoo at 10.242.2.16:

chroot /var/sec/chroot-openvpn
/usr/bin/ras_update.plx ssl disconnect username jjjsmith 10.242.2.6
/usr/bin/ras_update.plx ssl disconnect username hnimntoo 10.242.2.16
exit

I'm sure there's a way to set timeouts at the command line, but it hasn't been discussed here. If you have your reseller open a ticket with Sophos Support about this, please come back and share what you learn.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel