
UTM9 VPN-Client L2TP-IPSEC

Hi all,

I have a VPN server running:

https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

All works fine when connecting with another VPN client (e.g. Mac).

I want my UTM9 to act as such a VPN client. So I configured Site2Site VPN L2TP-over-IPsec.

In the UTM9 logs all looks fine (or not?):

2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sending XAUTH ack
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sent XAUTH ack, established
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #2: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}
2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #3: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}
2021:10:27-14:21:59 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="172.17.0.0/16"
2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #2: sent QI2, IPsec SA established {ESP=>0xa6b4f7b7 <0xc4a0baad NATOA=0.0.0.0 DPD}
2021:10:27-14:22:00 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="192.168.42.0/24"
2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: sent QI2, IPsec SA established {ESP=>0xbb43146a <0xe43d4f5c NATOA=0.0.0.0 DPD}
2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: retransmitting in response to duplicate packet; already STATE_QUICK_I2
The Sophos config screen also shows the connection as established.
On the host side there are no log entries showing that a connection is being established / established / failed. Nothing.
In contrast, when connecting a Mac IPsec client we see the logs progressing.
Any idea why the Sophos cannot establish a full tunnel? Is Site2Site VPN the right place to configure it? I have not seen any attempt to run Sophos UTM9 as an IPsec client.
Thanks,
Wolfram
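
As an added example (not part of the original post or of the UTM or hwdsl2 projects), the parser below reads the pluto lines pasted above and reports what they actually prove: an IKEv1 phase 1 SA authenticated with XAuth+PSK, two Quick Mode (phase 2) IPsec SAs with their ESP SPIs, the two "Site-to-site VPN up" events and their subnets, and the duplicate-packet retransmit on state #3. Nothing in these lines is an L2TP or PPP event, so a green status on the UTM screen only says that IPsec SAs exist. The regexes, the `TunnelState` structure and the mapping of the event's `connection="HE RS1"` to pluto's `"S_HE RS1"` (the `S_` prefix seen in the sample) are assumptions of this example, not documented UTM behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Log lines copied from the post above (UTM 9 pluto output for connection "HE RS1").
SAMPLE_LOG = [
    '2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sending XAUTH ack',
    '2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sent XAUTH ack, established',
    '2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #2: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}',
    '2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #3: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}',
    '2021:10:27-14:21:59 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="172.17.0.0/16"',
    '2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #2: sent QI2, IPsec SA established {ESP=>0xa6b4f7b7 <0xc4a0baad NATOA=0.0.0.0 DPD}',
    '2021:10:27-14:22:00 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="192.168.42.0/24"',
    '2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: sent QI2, IPsec SA established {ESP=>0xbb43146a <0xe43d4f5c NATOA=0.0.0.0 DPD}',
    '2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: retransmitting in response to duplicate packet; already STATE_QUICK_I2',
]

# Assumed line shapes, derived from the sample above (not an official UTM log spec).
PLUTO_RE = re.compile(r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: (?P<rest>.*)$')
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')   # per-state messages
KV_RE = re.compile(r'(\w+)="([^"]*)"')                                     # key="value" event lines
SPI_RE = re.compile(r'ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<inb>[0-9a-f]+)')    # outbound/inbound ESP SPIs


@dataclass
class TunnelState:
    conn: str
    isakmp_established: bool = False                 # IKEv1 phase 1 (state #1 here)
    auth: Optional[str] = None                       # e.g. "XAUTH+PSK" taken from Quick Mode flags
    ipsec_sas: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # state no -> (out SPI, in SPI)
    tunnels: List[Tuple[str, str]] = field(default_factory=list)         # (local_net, remote_net)
    warnings: List[str] = field(default_factory=list)


def parse_pluto_log(lines) -> Dict[str, TunnelState]:
    """Build a per-connection view of what the pluto log actually establishes."""
    states: Dict[str, TunnelState] = {}
    for raw in lines:
        m = PLUTO_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group('rest')
        sm = STATE_RE.match(rest)
        if sm:
            st = states.setdefault(sm.group('conn'), TunnelState(sm.group('conn')))
            num, msg = int(sm.group('num')), sm.group('msg')
            if 'sent XAUTH ack, established' in msg or 'ISAKMP SA established' in msg:
                st.isakmp_established = True
            if 'XAUTHPSK' in msg:
                st.auth = 'XAUTH+PSK'
            spi = SPI_RE.search(msg)
            if 'IPsec SA established' in msg and spi:
                st.ipsec_sas[num] = (spi.group('out'), spi.group('inb'))
            if 'retransmitting' in msg or 'duplicate packet' in msg:
                st.warnings.append(f'#{num}: {msg}')
            continue
        kv = dict(KV_RE.findall(rest))
        if kv.get('id') == '2203' and kv.get('event') == 'Site-to-site VPN up':
            # Assumption: pluto names the site-to-site conn "S_" + the event's connection name.
            st = states.setdefault('S_' + kv['connection'], TunnelState('S_' + kv['connection']))
            st.tunnels.append((kv['local_net'], kv['remote_net']))
    return states


def summarize(st: TunnelState) -> str:
    """Human-readable verdict: phase 1, phase 2 SAs, selectors, warnings, and what is absent."""
    out = [f'{st.conn}: IKEv1 phase 1 ' + ('established' if st.isakmp_established else 'NOT established')
           + (f' ({st.auth})' if st.auth else '')]
    for num, (out_spi, in_spi) in sorted(st.ipsec_sas.items()):
        out.append(f'  IPsec SA #{num}: out SPI 0x{out_spi}, in SPI 0x{in_spi}')
    for local, remote in st.tunnels:
        out.append(f'  tunnel {local} <-> {remote}')
    for w in st.warnings:
        out.append(f'  warning: {w}')
    out.append('  L2TP/PPP: no log lines at all; "VPN up" here covers the IPsec SAs only')
    return '\n'.join(out)


if __name__ == '__main__':
    for st in parse_pluto_log(SAMPLE_LOG).values():
        print(summarize(st))
```

Run against the sample it prints one connection with phase 1 up, SAs #2 and #3 with their SPIs, the two subnet pairs, the STATE_QUICK_I2 retransmit warning, and the note that no L2TP activity is present. Feeding it the UTM's full IPsec log (it ignores lines it does not recognise) gives the same check for a real tunnel.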


  • Hello Wolfram,

    You might want to change the title of your post as it's not possible for the UTM to be a client connecting to an L2TP/IPsec server.

    Please insert pictures of the Edits of your IPsec Connection and Remote Gateway.

    I saw IKEv2 mentioned on the page you link to above - UTM only does IKEv1, not IKEv2.

    Cheers - Bob
    PS Since you've posted in English, I'll move this thread to the VPN forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Is it for sure that UTM cannot act as an IPsec client? I need to tunnel some requests through a VPN tunnel, with the remote server already set up. IKEv1 should not cause a problem as the server (see link above) supports it.

    Why is the screen misleading that VPN is set up correctly?

    Hmmm, I hoped for an easy solution.

    Thanks,

    Wolfram

  • Wolfram, it is possible to configure UTM as an IPsec "client" in Site-to-Site if the other side is "Respond only" and the local UTM is "Initiate connection." It's not possible to configure L2TP/IPsec as anything other than a server for remote access users. L2TP/IPsec and IPsec are not the same.

    Please insert pictures of the Edits of your IPsec Connection, Remote Gateway and IPsec Policy. Also, the corresponding information for the other side. Confirm that the other side is using IKEv1, not IKEv2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA