RESET Forums (homeservershow.com)
Sophos UTM 9.4 VPN Configuration

mattb75

Hi all,

I'm looking for some help configuring an L2TP VPN server on my UTM box, as for the life of me I can't get it to authenticate and it's driving me mad!!

I've been using the PPTP VPN option within Sophos on my iPhone and Windows 7 & 10 laptops when away from home, but now iOS 10 has been released and removed support for PPTP I need to bite the bullet and move to a more secure protocol.

I'd already created a user account and password for each device which needed a VPN account for PPTP and, reading the official Sophos L2TP over IPSec guide, this should be fine for L2TP as well.

Within the Remote Access > L2TP over IPSec menu I've now created a shared secret authentication and added the user accounts to the approved users list.

When I try and connect the logs show the connection initiates but then fails due to an authentication failure. I've triple checked the pass codes and they are all entered correctly.

I've even tried creating a new VM of Sophos and doing the configuration from scratch but it still fails to connect.

The UTM is sitting on the DMZ of a residential router which has its firewall disabled and all traffic directed to the DMZ - it is a double NAT however, although I don't think this is the cause (PPTP worked without issue and so does HTML5 VPN, however that option isn't practical for all use cases so I need the L2TP to work).

The router doesn't have VPN capabilities.

Has anyone managed to get this type of VPN working on Sophos and if so, could you share your learnings to help out?

Cheers

Matt

Sent from my iPhone using Tapatalk

Jason

Sophos UTM supports OpenVPN. You can install it on iOS device then login to UTM and download the client config.

Besides I believe OpenVPN is more secure than PPTP or L2TP, correct?

snapper

Has anyone managed to get this type of VPN working on Sophos and if so, could you share your learnings to help out?

Yep, been using L2TP over IPSec to my iPhone/iPad and Macbook for a few years. Works great.

Have you checked that the VPN Pool Network has access to the internal LAN in the Firewall section?

mattb75

Thanks Snapper - checked my Firewall configuration and whilst I'd granted access to the user network I'd not granted access to the VPN pool for L2TP.

However, even after adding that it's not working.

I've turned on debugging and noticed something strange. Even though the user account for the VPN connection is called 'VPN-iPhone6S', when the log picks up the connection attempt it's recording it first as 'L_VPN-Work' and then as 'D_matt', neither of which are configured within the VPN settings of my iPhone connection.

I've attached a snip of some of the logs highlighting this.

Any thoughts?

2016:09:21-18:05:35 vm-utm-1 pluto[30472]: "L_for VPN-Work"[9] 188.29.165.128:3268 #10: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | info: e4 dc 30 22 62 35 41 02 d5 d2 08 35 c5 5b c5 db
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: "L_for VPN-Work"[9] 188.29.165.128:3268 #10: Peer ID is ID_IPV4_ADDR: '10.52.115.245'
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | peer CA: %none
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | L_for VPN-Work: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | D_for matt to Internal (Network)-1: no match (id: no, auth: no, trust: no, request: ok, prio: 2048)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | D_for matt to Internal (Network)-0: no match (id: no, auth: no, trust: no, request: ok, prio: 2048)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | L_for VPN-Work: full match (id: ok, auth: ok, trust: ok, request: ok, prio: 1216)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | L_for VPN-Work: full match (id: ok, auth: ok, trust: ok, request: ok, prio: 1216)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | offered CA: %none
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | switched from "L_for VPN-Work" to "L_for VPN-Work"
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | instantiated "L_for VPN-Work" for 188.29.165.128
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: "L_for VPN-Work"[10] 188.29.165.128:3268 #10: deleting connection "L_for VPN-Work"[9] instance with peer 188.29.165.128 {isakmp=#0/ipsec=#0}
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | certs and keys locked by 'delete_connection'
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | certs and keys unlocked by 'delete_connection'

Hi Jason

Not sure UTM supports client to server OpenVPN - when I download the OpenVPN app it asks for a .ovpn file which I don't believe UTM can generate? Happy to test if you have some instructions/guide?

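The pluto lines quoted in the post above are the IKE daemon's connection-selection pass: each "| ... no match" / "full match" line is a connection definition the UTM itself holds, being tested against the incoming peer, and the only identity the phone actually sent is the one on the "Peer ID is ..." line. The script below is an added example (not code from the thread, from Sophos or from pluto) that parses those lines, which are embedded as a constructed sample, and summarises what they say per ISAKMP state. Two assumptions are labelled in the code: that "L_for ..." / "D_for ..." are server-side definition names rather than client-sent identities (this is inferred from the log format), and that the "authentication failure" mentioned in the thread, occurring after phase 1 has already selected a connection, is worth checking at the L2TP/PPP user-login layer next.

```python
"""Summarise Sophos UTM 9 pluto (IKEv1) debug lines per connection attempt."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the pluto lines quoted in the thread.
SAMPLE_LOG = """\
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: "L_for VPN-Work"[9] 188.29.165.128:3268 #10: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: "L_for VPN-Work"[9] 188.29.165.128:3268 #10: Peer ID is ID_IPV4_ADDR: '10.52.115.245'
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | peer CA: %none
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | L_for VPN-Work: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | D_for matt to Internal (Network)-1: no match (id: no, auth: no, trust: no, request: ok, prio: 2048)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | D_for matt to Internal (Network)-0: no match (id: no, auth: no, trust: no, request: ok, prio: 2048)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | L_for VPN-Work: full match (id: ok, auth: ok, trust: ok, request: ok, prio: 1216)
2016:09:21-18:05:35 vm-utm-1 pluto[30472]: | instantiated "L_for VPN-Work" for 188.29.165.128
"""

PREFIX = r"^\S+ \S+ pluto\[\d+\]: "
# Lines tied to an ISAKMP state: "<conn>"[n] <peer-ip>:<port> #<state>: <message>
STATE_RE = re.compile(PREFIX + r'"(?P<conn>[^"]+)"\[\d+\] (?P<ip>[\d.]+):(?P<port>\d+) #(?P<state>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>\w+): '(?P<value>[^']+)'")
# "| " debug lines from pluto's connection-selection pass. Assumption: the names here
# ("L_for ...", "D_for ...") are the UTM's own connection definitions, not client identities.
MATCH_RE = re.compile(PREFIX + r"\| (?P<conn>.+?): (?P<result>no match|full match) \((?P<checks>[^)]*)\)$")
INST_RE = re.compile(PREFIX + r'\| instantiated "(?P<conn>[^"]+)" for (?P<ip>[\d.]+)$')


@dataclass
class Attempt:
    state: str
    peer_addr: str = ""
    peer_port: int = 0
    peer_id: str = ""
    candidates: list = field(default_factory=list)  # (conn name, result, {check: "ok"/"no"})
    selected: str = ""


def parse_pluto(text):
    """Group pluto lines by ISAKMP state number. '| ' debug lines carry no state
    number, so they are attributed to the most recently seen state."""
    attempts = {}
    current = None
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            current = attempts.setdefault(m["state"], Attempt(state=m["state"]))
            current.peer_addr, current.peer_port = m["ip"], int(m["port"])
            pm = PEER_ID_RE.search(m["msg"])
            if pm:
                current.peer_id = pm["value"]
            continue
        if current is None:
            continue
        m = MATCH_RE.match(line)
        if m:
            checks = dict(item.split(": ", 1) for item in m["checks"].split(", "))
            current.candidates.append((m["conn"], m["result"], checks))
            continue
        m = INST_RE.match(line)
        if m:
            current.selected = m["conn"]
    return attempts


def diagnose(a):
    """Turn one attempt into human-readable findings for the troubleshooter."""
    findings = []
    try:
        peer_is_private = ipaddress.ip_address(a.peer_id).is_private
    except ValueError:  # no Peer ID line seen for this state
        peer_is_private = False
    if peer_is_private and a.peer_id != a.peer_addr:
        findings.append(f"peer ID {a.peer_id} is a private address but packets arrive from "
                        f"{a.peer_addr}: the client is behind NAT")
    if a.peer_port not in (500, 4500):
        findings.append(f"IKE source port {a.peer_port} is not 500/4500: a NAT device rewrote it")
    for conn, result, checks in a.candidates:
        if result == "no match":
            failed = [k for k, v in checks.items() if v == "no"]
            findings.append(f"candidate '{conn}' rejected (failed: {', '.join(failed)})")
    if a.selected:
        # Assumption: once phase 1 has selected a connection after reading the peer's ID,
        # a later "authentication failure" is worth checking at the L2TP/PPP login next.
        findings.append(f"phase 1 selected '{a.selected}' after reading the peer ID; "
                        "check the L2TP/PPP user credentials next")
    return findings


def summarize(text):
    return {
        state: {
            "peer": f"{a.peer_addr}:{a.peer_port}",
            "peer_id": a.peer_id,
            "rejected": [c for c, r, _ in a.candidates if r == "no match"],
            "selected": a.selected,
            "findings": diagnose(a),
        }
        for state, a in parse_pluto(text).items()
    }


if __name__ == "__main__":
    for state, info in summarize(SAMPLE_LOG).items():
        print(f"ISAKMP #{state} from {info['peer']} (peer ID {info['peer_id']}) -> "
              f"{info['selected'] or 'no connection selected'}")
        for finding in info["findings"]:
            print("  -", finding)
```

Run against a full debug log (`python3 pluto_summary.py < ipsec.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), it shows which UTM definition each attempt ended up on and which checks (`id`, `auth`, `trust`) knocked out the others, which is the information the "L_VPN-Work" / "D_matt" names in the post were actually carrying.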
Jason

Yes, it works. I use it. Install the OpenVPN iOS client on your device. Then point your iOS web browser to the Sophos UTM user portal page and login with the user credentials of the user you wish to authorize for VPN. Upon login you'll have options to download the OpenVPN config and it will insert it into your iOS OpenVPN client. I use it frequently.

mattb75

Yes, it works. I use it. Install the OpenVPN iOS client on your device. Then point your iOS web browser to the Sophos UTM user portal page and login with the user credentials of the user you wish to authorize for VPN. Upon login you'll have options to download the OpenVPN config and it will insert it into your iOS OpenVPN client. I use it frequently.

Thanks Jason, I hadn't enabled the SSL VPN option which is why I wasn't seeing the .ovpn download file option previously!

I'm still not able to connect however, it looks like a certification problem despite me downloading the relevant certs.

Need to do some more troubleshooting I think!

snapper

Wonder if this is an iOS 10 thing?

I followed the Sophos document and it just worked (and still works) with all my iOS 9 devices.

Do you have an iOS 9 device you can try?

Jason

I set up Sophos UTM 9.4 OpenVPN with a brand new iPhone 7 with iOS 10 without any issue.

mattb75

Still can't get it to work - tried from a Windows 10 PC as well by installing the SSL VPN client software.

The issue is "certificate verify failed" and "unable to get issuer certificate".

I have in the past messed around with a Root Certificate Authority for my domain and added that into the Sophos UTM as well; even when I create a new certificate within UTM and allocate that to the SSL VPN server it still looks like it's trying to find the older certificate for verification (I've cleared and downloaded the conf file several times to check it's not caching the old one).

Suspect I need to blow away UTM and re-install from scratch but don't really want to lose all my logs and device/user configs but hey ho....!

snapper

On the Definitions & Users section, Users & Groups menu, when you select the user that you are trying L2TP/IPSec with, do you have that user's X509 certificate selected, rather than the UTM cert?

Edited by snapper
