This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP/IPsec fails when WAN port configured with private IP

We have an SG230 in a remote facility which we must make VPN connections to, preferably over L2TP/IPsec. The problem is that they haven't provided us with a public IP per se, instead they have given us a private IP which is 1:1 NATed in their firewall and we are able to access ours over the Internet with the "provided" public IP.

As of now it is impossible to establish the said VPN connection. I have tried setting the VPN ID with the true public IP and NAT-Traversal is enabled but with no luck.

Is the UTM incapable of setting a L2TP/IPsec VPN connection when the WAN port is configured with a private IP instead of a public one?

PD: The SSL VPN works, but we need the L2TP/IPsec for our system to work correctly.

This thread was automatically locked due to age.

Parents

0 sachingurung over 7 years ago

Hi Jon,

Are you trying to establish VPN connection over a private IP address! Public IP address needs to be configured in the end system L2TP settings, you cannot add a private IP.

Refer: www.sophos.com/.../116034.aspx

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 JonFranco over 7 years ago in reply to sachingurung

Hi sachingurung,

The end system's L2TP settings are correctly configured with the public IP, with which we are able to connect to our firewall through Internet (e.g. UTM webserver).

The problem is that the company above our firewall re-routes that public IP in their network (1:1 NAT) so to our firewall what reaches the WAN port is a private IP.
Cancel
Vote Up 0 Vote Down

Cancel
0 sachingurung over 7 years ago in reply to JonFranco

Hi Jon,

Take tcpdump on port 1701 and verify if any packet is captured on XG interface.

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 JonFranco over 7 years ago in reply to sachingurung

Thanks for the suggestion sachingurung.

No packets were captured on port 1701, but I think this makes sense as it is not connected directly to the Internet (e.g.). Instead, packets are captured in ports 500 and 4500:
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago in reply to JonFranco

It's not clear to me where the L2TP/IPsec client is, but anytime you try to NAT IPsec, you are presented with the obstacle that IPsec "signs" the packets it sends with the IP of the WAN interface. It's possible for some IPsec clients and for IPsec site-to-sites to overcome NAT, but I don't know of an IPsec client that can.

However, Sophos added a new capability in the last year that I have not personally tested with L2TP/IPsec. On the 'Advanced' tab of 'IPsec' (in 'Remote Access' or 'Site-to-Site'), designate the public IP as your 'VPN ID'. If that resolves your issue, please report it back here.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 JonFranco over 7 years ago in reply to BAlfson

Thanks for your comments BAlfson.

The client is just the built-in L2TP/IPsec VPN client of Windows 10 running on a laptop, behind a router on a remote location. I know for a fact that the problem is not the client as I can connect to my office from anywhere using the same protocol, in fact the VPN server of the office is in the same situation as the firewall here: it is behind a router and with its interface configured with a private IP... The server is just a Synology NAS, so it amazes me that a professional firewall can't perform this task.

As I posted on my original question I have already tried setting the VPN ID with the public IP but with no luck. I'm running out of ideas... any help is appreciated.
Cancel
Vote Up 0 Vote Down

Cancel
0 sachingurung over 7 years ago in reply to JonFranco

Hi,

Turn on debug logs, go to Remote Access> L2TP> Debug > L2TP debugging. Post ipsec.log after enabling debug.

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 JonFranco over 7 years ago in reply to sachingurung

This is the resulting ipsec.log
Cancel
Vote Up 0 Vote Down

Cancel
0 sachingurung over 7 years ago in reply to JonFranco

Hi Jon,

I think you are using certificate authentication for L2TP, try using preshared key. Is the UTM in bridge mode with your enterprise console?

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 JonFranco over 7 years ago in reply to sachingurung

Yes you're right, my fault. I was trying with the certificate before.

Here is the ipsec.log with the preshared key: ipsec.log
Cancel
Vote Up 0 Vote Down

Cancel
0 sachingurung over 7 years ago in reply to JonFranco

Hi Jon,

I went through the logs and did a bit of R&D with my development team. The feature is not supported and is reported in NUTML-11517. To establish a L2TP tunnel the connection must be directly terminated on the UTM.

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 sachingurung over 7 years ago in reply to JonFranco

Hi Jon,

I went through the logs and did a bit of R&D with my development team. The feature is not supported and is reported in NUTML-11517. To establish a L2TP tunnel the connection must be directly terminated on the UTM.

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 JonFranco over 7 years ago in reply to sachingurung

Well, I hope they implement the feature eventually, we will have to look for other solutions in the meantime.

Thank you very much for all the support!
Cancel
Vote Up 0 Vote Down

Cancel
0 LeeSentell over 7 years ago in reply to sachingurung

Hello, has there been any development on UTM for this issue? We are using Cablevision's (AKA Altice) Lightpath service which demands this exact setup. The service is configured with a public-facing IP that terminates at Cablevision's network core, and there is a private-facing IP which is set in the UTM.

We also have a traditional static IP cable connection (Cablevision Optimum Business), which is another interface in the UTM.

Users can VPN over L2TP to the traditional connection, but not the Lightpath connection. A real bummer, since the Lightpath is 300/300 and the regular connection is 100/30...

Any word? TIA.
Cancel
Vote Up 0 Vote Down

Cancel
0 sachingurung over 7 years ago in reply to LeeSentell

Hi Lee,

This is a behavior in the Sophos UTM and this cannot be taken into development. You can raise it as a feature request here.

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel