This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN: Need to set client IP address

Hi all,

Using UTM 9 (v9.705-3) here. I recently finished setting up SSL VPN for Mac users (newer versions of macOS and iOS had issues connecting to L2TP/IPSec), and am experiencing a little issue.

When a user connects, they are not able to establish a remote desktop connection. Our workstations use the 255.255.240.0 subnet.

When using the L2TP/IPSec connection method, I am able to specify an IP address ("RAS Address") for each user that needed it. Is there a way to do this for SSL VPN?

This thread was automatically locked due to age.

Top Replies

BAlfson over 2 years ago +1

Hi Ted and welcome to the UTM Community! No, not possible for the SSL VPN. I suspect that your internal devices have active firewalls that block IPs outside your local subnet - disabling the firewall…

Parents

0 BAlfson over 2 years ago

Hi Ted and welcome to the UTM Community!

No, not possible for the SSL VPN.

I suspect that your internal devices have active firewalls that block IPs outside your local subnet - disabling the firewall on a test machine would confirm that.

If you don't want to disable firewalls on internal devices, you could simply SNAT RDP traffic from "Internal (Address)."

If you search here, you will find the modification needed to let L2TP/IPsec work with the newer versions of Apple OS.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 BAlfson over 2 years ago

Hi Ted and welcome to the UTM Community!

No, not possible for the SSL VPN.

I suspect that your internal devices have active firewalls that block IPs outside your local subnet - disabling the firewall on a test machine would confirm that.

If you don't want to disable firewalls on internal devices, you could simply SNAT RDP traffic from "Internal (Address)."

If you search here, you will find the modification needed to let L2TP/IPsec work with the newer versions of Apple OS.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up +1 Vote Down

Cancel

Children

0 tedflo1 over 2 years ago in reply to BAlfson

Hi, Bob! I was hoping you'd reply.

It was suggested here to change IPsec authentication algorithm to SHA-256, but then non-Apple devices (there are many) wouldn't be able to connect.

I finally got around to setting up SSL VPN, and I was able to remote into my work desktop, but then wasn't able to remote into a certain server.

So frustrating.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 2 years ago in reply to tedflo1

Thanks, Ted. There's another thread that gives the new L2TP/IPsec Policy that also works with existing Windows devices. I just removed the Answer flag on my last post in that thread.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 tedflo1 over 2 years ago in reply to BAlfson

Could you please link me to the thread that gives the new L2TP/IPSec policy? I'd be very grateful.
Cancel
Vote Up -1 Vote Down

Cancel
0 BAlfson over 2 years ago in reply to tedflo1

I don't know where it is. All I found was a KnowledgeBase article: https://support.sophos.com/support/s/article/KB-000036559?language=en_US and that implies that the Windows L2TP/IPsec clients need to be tickled to use SHA256. Probably possible with Win10, but maybe not Win7. Did you try Win10 L2TP/IPsec with the SHA256 Policy?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel