UTM9 VPN-Client L2TP-IPSEC

Hi all,

I have a VPN server running

https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

All works fine connecting with another VPN client (e.g. Mac).

I want my UTM9 to act as such a VPN client. So I configured Site-to-Site VPN L2TP-over-IPsec.

On UTM9 logs all looks fine (or not?)

2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sending XAUTH ack
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sent XAUTH ack, established
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #2: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #3: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}
2021:10:27-14:21:59 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="172.17.0.0/16"
2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #2: sent QI2, IPsec SA established {ESP=>0xa6b4f7b7 <0xc4a0baad NATOA=0.0.0.0 DPD}
2021:10:27-14:22:00 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="192.168.42.0/24"
2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: sent QI2, IPsec SA established {ESP=>0xbb43146a <0xe43d4f5c NATOA=0.0.0.0 DPD}
2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: retransmitting in response to duplicate packet; already STATE_QUICK_I2

Sophos config screen also shows the connection established.
On the host side there are no log entries showing a connection trying to establish / established / failed. Nothing.
In contrast, when connecting a Mac IPsec client we see the logs progressing.
Any idea why the Sophos cannot establish a full tunnel? Is Site-to-Site VPN the right place to configure this? I have not seen any attempt to run Sophos UTM9 as an IPsec client.
Thanks,
Wolfram
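The pluto lines above are the only evidence the poster has, so it helps to read them systematically rather than by eye. The following parser is an added example (not code from the thread, from Sophos, or from the linked Docker image) that groups UTM pluto log lines per connection and reports phase 1 state, the IPsec SAs with their ESP SPIs, the tunnel selectors carried by the id="2203" event, and retransmits. It assumes the log format quoted in the post; the sample input is constructed from that format, and the assumption that UTM prefixes the WebAdmin connection name with "S_" in per-SA lines is marked in the code.

```python
import re
from collections import defaultdict

# Constructed sample input, shaped like the Sophos UTM pluto lines quoted in the
# thread (timestamps, SPIs and addresses are illustrative values).
SAMPLE_LOG = """\
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sending XAUTH ack
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sent XAUTH ack, established
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #2: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}
2021:10:27-14:21:59 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="172.17.0.0/16"
2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #2: sent QI2, IPsec SA established {ESP=>0xa6b4f7b7 <0xc4a0baad NATOA=0.0.0.0 DPD}
2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: retransmitting in response to duplicate packet; already STATE_QUICK_I2
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: (?P<body>.*)$')
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
ESP_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')


def parse_line(line):
    """Return a dict describing one pluto line, or None if it is not a pluto line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts, body = m.group('ts'), m.group('body')
    st = STATE_RE.match(body)
    if st:
        # Per-SA state line: connection name, SA number and free-text message.
        rec = {'ts': ts, 'kind': 'state', 'conn': st.group('conn'),
               'sa': int(st.group('sa')), 'msg': st.group('msg')}
        esp = ESP_RE.search(rec['msg'])
        if esp:
            rec['spi_out'], rec['spi_in'] = esp.groups()
        return rec
    if body.startswith('id="'):
        # Structured key="value" event line (e.g. id="2203" Site-to-site VPN up).
        rec = dict(KV_RE.findall(body))
        rec.update(ts=ts, kind='event')
        return rec
    return {'ts': ts, 'kind': 'other', 'msg': body}


def conn_name(state_conn):
    # Assumption: UTM prefixes the WebAdmin connection name with "S_" in the
    # per-SA lines ("S_HE RS1") while the id=2203 event carries it bare ("HE RS1").
    return state_conn[2:] if state_conn.startswith('S_') else state_conn


def summarize(log_text):
    """Group pluto lines per connection: phase 1 state, child SAs, selectors, retransmits."""
    out = defaultdict(lambda: {'phase1_established': False, 'child_sas': [],
                               'nets': [], 'retransmits': 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['kind'] == 'other':
            continue
        if rec['kind'] == 'event':
            if rec.get('event') == 'Site-to-site VPN up':
                out[rec['connection']]['nets'].append((rec['local_net'], rec['remote_net']))
            continue
        c = out[conn_name(rec['conn'])]
        msg = rec['msg']
        if 'IPsec SA established' in msg:
            c['child_sas'].append({'sa': rec['sa'], 'spi_out': rec.get('spi_out'),
                                   'spi_in': rec.get('spi_in')})
        elif msg.endswith('established'):
            c['phase1_established'] = True   # e.g. "sent XAUTH ack, established"
        if msg.startswith('retransmitting'):
            c['retransmits'] += 1
    return dict(out)


def findings(summary):
    """Turn a per-connection summary into plain troubleshooting findings."""
    notes = []
    for name, c in summary.items():
        if not c['phase1_established']:
            notes.append(f'{name}: phase 1 (ISAKMP/XAUTH) never established')
        if not c['child_sas']:
            notes.append(f'{name}: no IPsec SA established')
        else:
            # An established SA shows the IKE exchange with the peer completed;
            # it does not show that the peer routes traffic for these selectors.
            notes.append(f"{name}: {len(c['child_sas'])} IPsec SA(s) established for "
                         f"selectors {c['nets']}; verify traffic actually flows")
        if c['retransmits']:
            notes.append(f"{name}: {c['retransmits']} retransmit(s); check for duplicate "
                         f"or lost IKE packets (UDP 500/4500)")
    return notes


if __name__ == '__main__':
    for note in findings(summarize(SAMPLE_LOG)):
        print(note)
```

Run it against a copy of the UTM IPsec log to get one line per connection; an "SA established" entry with nothing on the far side, as in this thread, is exactly the case where the "verify traffic actually flows" finding matters.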


  • Hello Wolfram,

    You might want to change the title of your post as it's not possible for the UTM to be a client connecting to an L2TP/IPsec server.

    Please insert pictures of the Edits of your IPsec Connection and Remote Gateway.

    I saw IKEv2 mentioned on the page you link to above - UTM only does IKEv1, not IKEv2.

    Cheers - Bob
    PS Since you've posted in English, I'll move this thread to the VPN forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Is it for sure that UTM cannot act as an IPsec client? I need to tunnel some requests through a VPN tunnel, with the remote server already set up. IKEv1 should not cause a problem as the server (see link above) supports it.

    Why is the screen misleading that VPN is set up correctly?

    Hmmm, I hoped for an easy solution.

    Thanks,

    Wolfram

  • Wolfram, it is possible to configure UTM as an IPsec "client" in Site-to-Site if the other side is "Respond only" and the local UTM is "Initiate connection."  It's not possible to configure L2TP/IPsec as anything other than a server for remote access users.  L2TP/IPsec and IPsec are not the same.

    Please insert pictures of the Edits of your IPsec Connection, Remote Gateway and IPsec Policy.  Also, the corresponding information for the other side.  Confirm that the other side is using IKEv1, not IKEv2.

    Cheers - Bob

  • Hi Bob,
    Attached you see the screenshots. Nothing spectacular here (yes, I am aware the connection is turned off in the screenshot).

    I did not change the policies. I could not figure out the parameters the server is using. As said: connecting with my Mac to the VPN (HE RS1) works perfectly.

    As UTM shows "SA established" I currently do not see any firewall issues.

    And yes, IKEv1 is supported (and I tested again with my Mac):

    The default IPsec configuration supports:
    IPsec/L2TP with PSK
    IKEv1 with PSK and XAuth ("Cisco IPsec")
    IKEv2

    Thanks, Wolfram

  • To my knowledge, an IPsec site-to-site cannot be configured in WebAdmin to be an L2TP/IPsec client, so I'm confused that you're using the "L2TP-over-IPsec" policy.  How is the other side configured?

    Cheers - Bob

  • Hi Bob,

    This is a standard L2TP/IPsec server as provided by the referenced Docker image. No further adjustments made. As I couldn't get forward with the solution implemented within Sophos, I decided to implement the client in my network. So UTM is not involved anymore. And it perfectly runs my road warrior now.
    Anyway, thanks for your help! Appreciated.

    Wolfram