This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN Access from external network not working on UTM 9 VM

Hi all,

I'm new to Sophos UTM 9 in still in the learning curve. I have replaced my Forefront TMG VM with an UTM 9 VM on HyperV.
I have configured the UTM 9 to publish my Exchange 2016 environment and that all works like a charm. OWA is redirected,
mail flow send and receive is handled perfectly.

However I have one more issue to battle, VPN access from the 'outside' world. Let me explain how my network is setup so
you hopefully are able to pinpoint the issue.
The UTM 9 is not exposed directly to the Internet. The external UTM 9 network connects to my internal network in the 192.168.240.x
/24 range. The external UTM 9 network use the Cable Modem as the default gateway to connect to the Internet. The UTM 9 internal
network has the 192.168.4.x/24 subnet.
I have configured an L2TPover IPSec VPN. I can connect and use the VPN as expected from my internal network (192.168.240.x)
and reach all the servers in the UTM internal network (192.168.4.x).
However if I try to create a connection / session from the outside Internet world the connection is dropped with the following error
in the logfile:

====== snip =====
#95: cannot respond to IPsec SA request because no connection is known for 84.29.221.xxx/32===192.168.240.xx:4500[192.168.240.xx]:17/1701...84.29.175.161:4500[192.168.178.45]:17/%any==={192.168.178.45/32}
====== snip =====

Where 84.29.221.xxx is my external Internet IP Address on the Cable Modem.
192.168.240.xx is the external IP Address of the external UTM 9 network.
I have no clue what the 192.168.178.45 IP Address is or where it originates.

Any thoughts? Help would be greatly appreciated as this is the final issue to resolve and actually is a showstopper now :-(

Thanks in advance!



This thread was automatically locked due to age.
Parents
  • Hoi Edward and welcome to the UTM Community!

    IPsec through NAT presents a problem that few remote access clients can overcome.  The easiest would be to switch to the SSL VPN if you can't put the cable modem into bridge mode to get the public IP on the UTM's External interface.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hoi Edward and welcome to the UTM Community!

    IPsec through NAT presents a problem that few remote access clients can overcome.  The easiest would be to switch to the SSL VPN if you can't put the cable modem into bridge mode to get the public IP on the UTM's External interface.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children