Configure Sophos UTM SG-210 with rules to allow traffic L2TP/ipsec up to Microsoft VPN server:RRAS installed

Hello Jean,

Thank you for contacting the Sophos Community!

I think the UTM might be intercepting the L2TP/IPSec connection.

What happens if you disable the L2TP over IPsec in the UTM and try to connect to the server?

Regards,

Hello Emanuel,

Thanks for your answer.

I thought like your suggestion.

I have tried to disable it but it doesn't work neither.

Regards,

Jean-François

Hello Jean,

Thank you for the follow up!

Do you see anything in the packetfilter.log? 

If you a tcpdump on port 1701, when you try to connect, do you see the UTM sending the 1701 down to your L2TP server?

# tcpdump -eni any port 1701

Regards,

Salut Jean-François and welcome to the UTM Community!

I'm a visual-tactile learner, so I would need to see a diagram with IPs noted to be able to have a better guess at your issue.  My first thought relates to IPsec which doesn't like being behind a NAT.  You would look at the IPsec logs in the UTM and Azure to find evidence of that.

Cheers - Bob

Dear Emmanuel,

Sorry for the delay of my answer.

Here are what I see when launching the connection:

and..

0 packet captured with these DNAT rules:

Regards,

Jean-François

Salut Bob,

I let you check also my answer to Emmanuel about that.

Regards,

Jean-François

Et bien, Jean-François, it's what I suspected.  IPsec doesn't like NAT.  In order to help you solve this problem, please show a diagram (a photo of hand-drawn works).  Include IPs.  Also, show a picture of the Edit of the DNAT rule.

It's entirely possible that there's no solution with L2TP/IPsec on the WinServer.  Have you considered making the UTM the L2TP/IPsec remote access server?

Cheers - Bob

Hello Bob,

Here are various items requested:

These steps followed to implement this solution:

https://www.wintips.org/how-to-setup-vpn-server-2016-with-a-custom-ipsec-for-l2tp-ikev2/#step-6

About your last question I have mentioned in my initial request:

"And we have implemented a Microsoft VPN server with Remote Routing Access Role in order to use Microsoft  Azure MFA NPS extension fro RADIUS.

--> FYI Radius Test from the FW doesn't work anymore once NPS Extension for MFA installed on the Radius server"

So we have  the UTM running fine with the L2TP/IPsec remote access server built-in but incompatibility issue when Azure MFA NPS installed and Microsoft recommend their own solution to implement this feature:

 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

Regards.

Jean-François

Do I understand correctly that it's an instance in Azure that's trying to connect with L2TP/IPsec to your Winserver?

What do you see in the Winserver IPsec log when the connection attempt fails?  Do you see any related drops in either the Intrusion Prevention (anti UDP Flooding could be an issue) or Firewall logs in the UTM?

Cheers - Bob

PS See #5 in Rulz (last updated 2019-04-17).

There isn't any instance from Azure trying to connect to this VPN: just a Windows client configured as described in the link above

Windows VPN Server logs: only port 500 and 4500 not 1701 L2TP as it it already blocked in the FW

no drops reported either in Intrusion Prevention or Firewall logs

Jean-François