
SSL VPN: Need to set client IP address

Hi all,

Using UTM 9 (v9.705-3) here. I recently finished setting up SSL VPN for Mac users (newer versions of macOS and iOS had issues connecting to L2TP/IPSec), and am experiencing a little issue.

When a user connects, they are not able to establish a remote desktop connection. Our workstations use the 255.255.240.0 subnet. 

When using the L2TP/IPSec connection method, I am able to specify an IP address ("RAS Address") for each user that needed it. Is there a way to do this for SSL VPN?

  • FormerMember

    Hi,

    Thanks for reaching out to the Community! 

    Are you looking for an option to set static IP addresses for the SSL VPN users? If yes, you could configure it under Definition & Users > Users & Groups > User and find the option called "Use static remote access IP". 

    Use static remote access IP (optional): Select if you want to assign a static IP address for users gaining remote access instead of assigning a dynamic IP address from an IP address pool. For IPsec users behind a NAT router, it’s mandatory to use a static remote access IP address.

    Reference screenshot: 

    Thanks,

  • We have multiple methods of connecting through VPN: L2TP/IPSec and SSL. We had added SSL for macOS/iOS users. I already tried setting an RAS address/what you suggested, but that does not work.

  • Hi Ted and welcome to the UTM Community!

    No, not possible for the SSL VPN.

    I suspect that your internal devices have active firewalls that block IPs outside your local subnet - disabling the firewall on a test machine would confirm that.

    If you don't want to disable firewalls on internal devices, you could simply SNAT RDP traffic from "Internal (Address)."

    If you search here, you will find the modification needed to let L2TP/IPsec work with the newer versions of Apple OS.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
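    The firewall-scope check suggested in the reply above, written out as an added PowerShell example (not from the thread, Sophos, or the poster): on a workstation that VPN clients cannot reach, it lists the enabled inbound Remote Desktop rules and flags any whose remote-address scope is "LocalSubnet", which would exclude addresses from the SSL VPN pool. The VPN pool address and the hostname are constructed placeholders.

    ```powershell
    # Run as Administrator on the internal Windows host (NetSecurity module, Windows 8/2012 or later).
    # Constructed sample values; replace with a real SSL VPN client address and hostname.
    $VpnPool = '10.242.2.0/24'

    function Get-RdpRuleScope {
        # Return one object per enabled inbound "Remote Desktop" rule with its remote-address scope.
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
            Where-Object { $_.Enabled -eq 'True' } |
            ForEach-Object {
                $addr  = $_ | Get-NetFirewallAddressFilter
                $port  = $_ | Get-NetFirewallPortFilter
                $scope = ($addr.RemoteAddress -join ', ')
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Profile       = $_.Profile
                    Action        = $_.Action
                    LocalPort     = ($port.LocalPort -join ', ')
                    RemoteAddress = $scope
                    # A scope limited to the local subnet drops traffic from the VPN pool.
                    ExcludesVpn   = ($scope -eq 'LocalSubnet')
                }
            }
    }

    Get-RdpRuleScope | Format-Table -AutoSize

    # Remedy without turning the firewall off: widen the scope to include the VPN pool
    # (uncomment after confirming the finding above).
    # Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
    #     -RemoteAddress 'LocalSubnet', $VpnPool

    # From a connected VPN client, confirm whether TCP/3389 now answers:
    # Test-NetConnection -ComputerName WORKSTATION-PLACEHOLDER -Port 3389 -InformationLevel Detailed
    ```

    If every rule already shows "Any" for RemoteAddress, the firewall scope is not the cause and the SNAT approach from the reply is the next thing to try.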
  • Hi, Bob! I was hoping you'd reply. 

    It was suggested here to change IPsec authentication algorithm to SHA-256, but then non-Apple devices (there are many) wouldn't be able to connect.

    I finally got around to setting up SSL VPN, and I was able to remote into my work desktop, but then wasn't able to remote into a certain server.

    So frustrating.

  • Thanks, Ted.  There's another thread that gives the new L2TP/IPsec Policy that also works with existing Windows devices.  I just removed the Answer flag on my last post in that thread.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Could you please link me to the thread that gives the new L2TP/IPSec policy? I'd be very grateful.

  • I don't know where it is.  All I found was a KnowledgeBase article: https://support.sophos.com/support/s/article/KB-000036559?language=en_US and that implies that the Windows L2TP/IPsec clients need to be tickled to use SHA256.  Probably possible with Win10, but maybe not Win7.  Did you try Win10 L2TP/IPsec with the SHA256 Policy?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA