
L2TP/IPsec fails when WAN port configured with private IP

We have an SG230 in a remote facility to which we must make VPN connections, preferably over L2TP/IPsec. The problem is that they haven't provided us with a public IP per se; instead, they have given us a private IP which is 1:1 NATed in their firewall, and we are able to access ours over the Internet with the "provided" public IP.

As of now it is impossible to establish the said VPN connection. I have tried setting the VPN ID to the true public IP, and NAT-Traversal is enabled, but with no luck.

Is the UTM incapable of setting a L2TP/IPsec VPN connection when the WAN port is configured with a private IP instead of a public one?

PS: The SSL VPN works, but we need the L2TP/IPsec for our system to work correctly.

  • Hi Jon,

    Are you trying to establish a VPN connection over a private IP address? A public IP address needs to be configured in the end system's L2TP settings; you cannot add a private IP.

    Refer: www.sophos.com/.../116034.aspx

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi sachingurung,

    The end system's L2TP settings are correctly configured with the public IP, with which we are able to connect to our firewall through Internet (e.g. UTM webserver).

    The problem is that the company above our firewall re-routes that public IP in their network (1:1 NAT), so what reaches our firewall's WAN port is a private IP.

  • Hi Jon,

    Take a tcpdump on port 1701 and verify whether any packets are captured on the XG interface.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks for the suggestion sachingurung.

    No packets were captured on port 1701, but I think this makes sense as it is not connected directly to the Internet. Instead, packets are captured on ports 500 and 4500:
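
The capture result above (nothing on UDP/1701, traffic on UDP/500 and UDP/4500) is exactly what a NAT-traversed L2TP/IPsec attempt looks like from the WAN side. As an added example, not code from this thread or from Sophos, the Python below classifies such datagrams: IKE on 500, IKE-over-NAT-T and UDP-encapsulated ESP on 4500 (the L2TP/1701 traffic is inside the ESP), and it reports whether the peer advertised NAT-T. Packets are constructed inline; payload type numbers, the non-ESP marker and the NAT-T vendor ID follow RFC 2408, RFC 3947 and RFC 3948.

```python
import struct

# ISAKMP constants: payload types per RFC 2408, NAT-T vendor ID per RFC 3947
EXCHANGE = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
VENDOR_ID, NAT_D = 13, 20
NAT_T_VID = bytes.fromhex("4a131c81070358455c5728f20e95452f")

def parse_ike(msg):
    """Return (exchange name, payload types, NAT-T advertised) for one ISAKMP message."""
    if len(msg) < 28:
        raise ValueError("truncated ISAKMP header")
    nxt, exch = msg[16], msg[18]        # next-payload and exchange-type header fields
    types, nat_t, off = [], False, 28
    while nxt and off + 4 <= len(msg):
        np_, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        types.append(nxt)
        body = msg[off + 4:off + plen]
        nat_t |= nxt == NAT_D or (nxt == VENDOR_ID and body == NAT_T_VID)
        nxt, off = np_, off + max(plen, 4)   # max(): a bogus length cannot stall the loop
    return EXCHANGE.get(exch, f"exchange {exch}"), types, nat_t

def classify(dst_port, payload):
    """Describe one UDP datagram the way a WAN-side capture would present it."""
    if dst_port == 500:
        exch, _, nat_t = parse_ike(payload)
        return f"IKE ({exch}, NAT-T advertised={nat_t})"
    if dst_port == 4500:
        if payload == b"\xff":          # RFC 3948 s.2.3 NAT-keepalive
            return "NAT-T keepalive"
        if payload[:4] == bytes(4):     # RFC 3948 s.2.2 non-ESP marker: IKE, not ESP
            exch, _, nat_t = parse_ike(payload[4:])
            return f"IKE over NAT-T ({exch}, NAT-T advertised={nat_t})"
        spi = int.from_bytes(payload[:4], "big")
        return f"UDP-encapsulated ESP, SPI 0x{spi:08x} (L2TP/1701 rides inside)"
    if dst_port == 1701:
        return "L2TP in the clear: only seen after IPsec is up, never on the WAN side"
    return f"unrelated UDP/{dst_port}"

def build_ike(exch, payloads):
    """Constructed sample ISAKMP message: header plus chained generic payloads."""
    body = b""
    for i, (_, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), payloads[0][0], 0x10, exch, 0, 0, 28 + len(body))
    return hdr + body

if __name__ == "__main__":
    print(classify(500, build_ike(2, [(1, bytes(12)), (VENDOR_ID, NAT_T_VID)])))
    print(classify(4500, (0xC0FFEE01).to_bytes(4, "big") + bytes(4) + b"\xaa" * 16))
```

If the UDP/500 exchange shows NAT-T advertised on both sides and the conversation still never moves to ESP on 4500, the failure lies in the IKE identity or authentication step rather than in NAT reachability.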

  • It's not clear to me where the L2TP/IPsec client is, but anytime you try to NAT IPsec, you are presented with the obstacle that IPsec "signs" the packets it sends with the IP of the WAN interface.  It's possible for some IPsec clients and for IPsec site-to-sites to overcome NAT, but I don't know of an IPsec client that can.

    However, Sophos added a new capability in the last year that I have not personally tested with L2TP/IPsec.  On the 'Advanced' tab of 'IPsec' (in 'Remote Access' or 'Site-to-Site'), designate the public IP as your 'VPN ID'.  If that resolves your issue, please report it back here.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your comments BAlfson.

    The client is just the built-in L2TP/IPsec VPN client of Windows 10 running on a laptop, behind a router in a remote location. I know for a fact that the problem is not the client, as I can connect to my office from anywhere using the same protocol; in fact, the VPN server of the office is in the same situation as the firewall here: it is behind a router and with its interface configured with a private IP... The server is just a Synology NAS, so it amazes me that a professional firewall can't perform this task.

    As I posted on my original question I have already tried setting the VPN ID with the public IP but with no luck. I'm running out of ideas... any help is appreciated.
