This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 VPN-Client L2TP-IPSEC

Wolfram Plettscher over 2 years ago

Hi all,

I have a VPN Server running

https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

All works fine connecting with another VPN-Client (e.g. MAC).

I want my UTM9 to act as such VPN Client. So I configured Site2Site VPN L2TP-over-ipsec.

On UTM9 logs all looks fine (or not?)

2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sending XAUTH ack

2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #1: sent XAUTH ack, established

2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #2: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}

2021:10:27-14:21:59 sophos pluto[12796]: "S_HE RS1" #3: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}

2021:10:27-14:21:59 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="172.17.0.0/16"

2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #2: sent QI2, IPsec SA established {ESP=>0xa6b4f7b7 <0xc4a0baad NATOA=0.0.0.0 DPD}

2021:10:27-14:22:00 sophos pluto[12796]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="HE RS1" address="192.168.1.2" local_net="172.26.0.0/16" remote_net="192.168.42.0/24"

2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: sent QI2, IPsec SA established {ESP=>0xbb43146a <0xe43d4f5c NATOA=0.0.0.0 DPD}

2021:10:27-14:22:00 sophos pluto[12796]: "S_HE RS1" #3: retransmitting in response to duplicate packet; already STATE_QUICK_I2

Sophos config screen also shows connection established.

On the host site there is no log entries showing a connection is trying to establish / established / failed. Nothing.
In contrast by connecting a MAC IPsec Client we see the logs progressing.

Any idea why the Sophos cannot establish a full tunnel? Is Site2Site VPN the right place to configure? I have not seen any attempt to run Sophos UTM9 as IPSec client.

Thanks,

Wolfram

This thread was automatically locked due to age.

Top Replies

Wolfram Plettscher over 2 years ago in reply to Wolfram Plettscher +1

Hi Bob, this is a standard L2TP/IPsec server as provided by the referenced docker image. No further adjustments made. As I couldn't get forward with the solution implemented within sophos, I decided…

Parents

0 BAlfson over 2 years ago

Hallo Wolfram,

You might want to change the title of your post as it's not possible for the UTM to be a client connecting to an L2TP/IPsec server.

Please insert pictures of the Edits of your IPsec Connection and Remote Gateway.

I saw IKEv2 mentioned on the page you link to above - UTM only does IKEv1, not IKEv2.

Cheers - Bob
PS Since you've posted in English, I'll move this thread to the VPN forum.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Wolfram Plettscher over 2 years ago in reply to BAlfson

Hi Bob,

is it for sure, that UTM cannot act as a IPSEC client? I need to tunnel some requests through a VPN tunnel, with the remote server already setup. IKEv1 should not cause a problem as the server (see link above) supports such.

Why is the screen misleading that VPN is set up correctly?

Hmmm, I hoped for an easy solution.

Thanks,

Wolfram
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 2 years ago in reply to Wolfram Plettscher

Wolfram, it is possible to configure UTM as an IPsec "client" in Site-to-Site if the other side is "Respond only" and the local UTM is "Initiate connection." It's not possible to configure L2TP/IPsec as anything other than a server for remote access users. L2TP/IPsec and IPsec are not the same.

Please insert pictures of the Edits of your IPsec Connection, Remote Gateway and IPsec Policy. Also, the corresponding information for the other side. Confirm that the other side is using IKEv1, not IKEv2.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 2 years ago in reply to Wolfram Plettscher

Wolfram, it is possible to configure UTM as an IPsec "client" in Site-to-Site if the other side is "Respond only" and the local UTM is "Initiate connection." It's not possible to configure L2TP/IPsec as anything other than a server for remote access users. L2TP/IPsec and IPsec are not the same.

Please insert pictures of the Edits of your IPsec Connection, Remote Gateway and IPsec Policy. Also, the corresponding information for the other side. Confirm that the other side is using IKEv1, not IKEv2.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data