Configure Sophos UTM SG-210 with rules to allow traffic L2TP/ipsec up to Microsoft VPN server:RRAS installed

Salut Jean-François and welcome to the UTM Community!

I'm a visual-tactile learner, so I would need to see a diagram with IPs noted to be able to have a better guess at your issue.  My first thought relates to IPsec which doesn't like being behind a NAT.  You would look at the IPsec logs in the UTM and Azure to find evidence of that.

Cheers - Bob

Salut Bob,

I let you check also my answer to Emmanuel about that.

Regards,

Jean-François

Et bien, Jean-François, it's what I suspected.  IPsec doesn't like NAT.  In order to help you solve this problem, please show a diagram (a photo of hand-drawn works).  Include IPs.  Also, show a picture of the Edit of the DNAT rule.

It's entirely possible that there's no solution with L2TP/IPsec on the WinServer.  Have you considered making the UTM the L2TP/IPsec remote access server?

Cheers - Bob

Et bien, Jean-François, it's what I suspected.  IPsec doesn't like NAT.  In order to help you solve this problem, please show a diagram (a photo of hand-drawn works).  Include IPs.  Also, show a picture of the Edit of the DNAT rule.

It's entirely possible that there's no solution with L2TP/IPsec on the WinServer.  Have you considered making the UTM the L2TP/IPsec remote access server?

Cheers - Bob

Hello Bob,

Here are various items requested:

These steps followed to implement this solution:

https://www.wintips.org/how-to-setup-vpn-server-2016-with-a-custom-ipsec-for-l2tp-ikev2/#step-6

About your last question I have mentioned in my initial request:

"And we have implemented a Microsoft VPN server with Remote Routing Access Role in order to use Microsoft  Azure MFA NPS extension fro RADIUS.

--> FYI Radius Test from the FW doesn't work anymore once NPS Extension for MFA installed on the Radius server"

So we have  the UTM running fine with the L2TP/IPsec remote access server built-in but incompatibility issue when Azure MFA NPS installed and Microsoft recommend their own solution to implement this feature:

 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

Regards.

Jean-François

Do I understand correctly that it's an instance in Azure that's trying to connect with L2TP/IPsec to your Winserver?

What do you see in the Winserver IPsec log when the connection attempt fails?  Do you see any related drops in either the Intrusion Prevention (anti UDP Flooding could be an issue) or Firewall logs in the UTM?

Cheers - Bob

PS See #5 in Rulz (last updated 2019-04-17).

There isn't any instance from Azure trying to connect to this VPN: just a Windows client configured as described in the link above

Windows VPN Server logs: only port 500 and 4500 not 1701 L2TP as it it already blocked in the FW

no drops reported either in Intrusion Prevention or Firewall logs

Jean-François

Confused again, J-F.  "not 1701 L2TP as it it already blocked in the FW" - which FW where?

Cheers - Bob

Salut Jean-Francois,

don't you need to open IPsec-ESP as well?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd458955(v=ws.10)?redirectedfrom=MSDN

Philipp, Mensch, you hit the nail on the head!

Jean-François, I recommended #5 in the Rulz link above.  Rather than multiple DNATs in addition to the L2TP DNAT, try with just one that uses the "IPsec" Services Group object:

DNAT : Internet IPv4 -> IPsec -> External (WAN) [WAN-43] (Address) : to SRV-VPN-DMZ

Any better luck with that?

Cheers - Bob

FW Sophos

I thought you said there were no blocks in the logs.

Unfortunately I have  set  up a different rule with IPsec-ESP in third postion after  IKE and Nat-T--->Same issue

And if I try with a group object --> not possible

Jean-François

Bonjour Jean-Francois,

why do you want to change to destination service? You can leave this blank.

I think, then this will start to work.