Cannot access HTTP via SSL VPN but can via IPSec

I have two sites, one an SG215 and one an SG230, both running firmware 9.603-1. If I connect via an IPSec VPN, everything works fine but the link is really slow. If I connect via an SSL VPN everything works fine except I cannot access HTTP sites on the remote site. Speed is a lot better, but for some reason access to HTTP is timing out. I've tried a bunch of tweaks and nothing seems to work. Very weird, hoping someone has some ideas.



  • Hi  

    Do you see any block page or error while accessing the HTTP Pages from the remote site? Also, make sure you've added correct Local and Remote Networks in the configuration. The other thing, when you access HTTP pages of the remote site from your site, make sure traffic does not pass through the Web Filtering. You may add the remote network in the Transparent Skip List and then create a Firewall rule to allow the traffic.

    Regards

    Jaydeep

  • I get the basic Sophos landing page that the remote site timed out, no block pages though. I know the remote and local networks are assigned properly as I can access all other resources, like RDP, files, printers, etc. between both sites.

    I'll look into the Web Filtering, that may be it. I'll add the remote network in each other's Skip List and see if that helps.

    What firewall rule though would I make? I've created a VPN connection on each side with the option to auto create the firewall rules, which I assume allows all traffic from the remote network? What additional firewall rules might I need?

    Thanks for the ideas!

    Shawn

  • Hi Shawn and welcome to the UTM Community!

    The automatic rules should be fine.

    In fact, properly configured, IPsec should be faster than the SSL VPN.  If you want help with that, please open a thread in the VPN forum.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • True,

     

    If I remember correctly, just to make an estimate, you can double the amount of recommended SSL VPNs to get the roundabout amount of IPsec VPNs you could do, right?

    Given that IPsec needs to be faster than SSL otherwise the conclusion above would work.

    Regards

    Jason

    Sophos Certified Architect - UTM

  • Thanks Bob,

    I will hopefully be able to test the SSL tonight and report back. The reason we moved to SSL was because of issues with IPSec which defied logic. :) I'll post though in the VPN Forum about the IPSec issue and see if anyone has any ideas on what I was seeing.

     

    Shawn

  • Updates.

    Checked the SG215, it already had the remote networks in the Transparent Mode skiplists.

    Was not on the SG230. Added them to the SG230. Reconnected the SSL VPN. Now, nothing routes between the VPN. No traffic in either direction.

    Ok, the only thing changed was the skip lists on the 230. Removed them. Reconnected the SSL VPN. Traffic running as normal. I tested the HTTPS access and it is working fine now. I can't figure out why or how. I added the remote networks to the 230, nothing worked, removed them, everything working again and the HTTPS access is working fine. I've disconnected and reconnected the SSL VPN to make sure and everything is now working fine...

    That makes no sense to me...