VPN over VPN, possibly with SNAT

Hello,

I want to do an IPSEC/IKE Client-Connection to a remote network, but over an existing Site-2-Site tunnel. And I only want to route this Client via Work-Network, not everything at home. For the remote network, it should appear as if the packets are coming from the work-network, although the client is in the home network.

It's like this:

Client@Home / Home-Network (192.168.1.0, Sophos 192.168.1.254) -> S2S -> Work-Network (10.10.10.0, Sophos 10.10.10.254) -> Remote-Network (public IP 193.10.1.1, non-manageable nor managed by me)

Client@Home is doing IPSEC/IKE VPN to the public IP of the Remote-Network.

So, what I'm doing:

I have a standard static route in place, saying: For connections to 193.10.1.1, use Gateway at work (10.10.10.254).

Now I'm thinking, what do I have to put into S2S networks, both local and remote. If anything at this point. All I want is to establish a VPN-connection, not access any networks inside the tunnel - except the ones that are already set up, like the Home-Network and Work-Network, which are already in there obviously.

I also created the back-route for the Client, I set up a static route for Home-Networks to be the 192.168.1.254, though I don't think that's needed. At this point I am trying to connect the VPN from the Client with the Remote-Network over the Sophos at work. No-go.

I tried packet capture via CLI, monitoring the internal interface of the home Sophos, I see the packets, going from the client to the remote-network public IP, and then just the 2nd packet is already: publicIP sophos@home > client@homeIP: ICMP host "remote-publicIP" unreachable.

If I remove the routing via sophos@work, then VPN connects.

Please, am I missing something obvious?

Thank you.



  • Hello,

    Both Hub and Spoke Site-to-Site VPNs and How to allow remote access users to reach another site via a Site-to-Site Tunnel apply the same ideas.  Does that give you the result you were looking for?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You said:

    • Client@Home is doing IPSEC/IKE VPN to the public IP of the Remote-Network.

    I don't see how this will work.   If it can make a tunnel-within-tunnel route at all, you are likely to have problems with MTU, latency, and debugging.

    I think what you want:

    • Client@Home is connected to Work-Network using a Client@Home VPN address.
    • Work-to-Remote tunnel allows certain work addresses to connect to certain remote addresses.
    • SNAT is used to map the Client@Home VPN Address to a (reserved) Work Address so that the Work-To-Remote tunnel will accept the packet.
    • If Client@Home is using Remote Access VPN, the SNAT rule can reference the user or group object instead of a fixed IP object, depending on your needs.

    No need for Client@Home to create a second VPN tunnel.

     

     

  • Bob,

    Hub and Spoke Site-to-Site VPNs 

    I saw that one, it didn't quite help me, as I don't have site 2 site between each site, rather only over first two, home and work, and I am connecting the thin-client from home via IPSEC/IKE to the remote gateway (public IP). My s2s seems fine, as I can well control what I access from home to work and vice versa.

    Would I need to allow the access to internet in the remote networks in the S2S setup?

    How to allow remote access users to reach another site via a Site-to-Site Tunnel 

    This looks very much the same to me as the above example. Entering each other's networks in the S2S settings, this time though using the RemoteSSL Pool.

  • I think what you want:

    • Client@Home is connected to Work-Network using a Client@Home VPN address.
    • Work-to-Remote tunnel allows certain work addresses to connect to certain remote addresses.
    • SNAT is used to map the Client@Home VPN Address to a (reserved) Work Address so that the Work-To-Remote tunnel will accept the packet.
    • If Client@Home is using Remote Access VPN, the SNAT rule can reference the user or group object instead of a fixed IP object, depending on your needs.

    No need for Client@Home to create a second VPN tunnel.

    The scope of what I can configure on the Client@Home is very limited.

    Client@Home obtains its local IP from the DHCP, and it's possible to set it static. But, I can't configure where VPN connects to.

    Client@Home isn't connected to the Work-Network, it's connected to the Home@Network, as it's at home...

    I also cannot force the Client@Home to not use the IPSEC remote connection, as it is basically programmed, and limited to me clicking the Icon on the desktop which calls up the VPN connection, and then automatically starts a browser which opens the remote terminal server. I can't work around that.

    If the client is at work, it also has to build the same VPN tunnel, it won't work without the tunnel. It also builds a tunnel straight via internet.

     

    And why I want to re-route it is simply because I want to have it appear to the remote server as if the connection is coming from work, if at all possible.

  • A diagram would help - I just can't "see" what you're wanting to accomplish.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry for delay, real world work.

    I hope this helps.

    As you can notice:

    - all TCs currently connect directly to the Datacenter, building an IPSEC/IKE tunnel by themselves

    - when TCs at work connect to the Datacenter, they have an external IP 88.88.88.88

    - when my TC at home connects to the Datacenter, it's "showing" it 77.77.77.77

    What I want: TC at home should be visible to the Datacenter as if it were coming from 88.88.88.88 (WAN IP at work)

     

    Is it achievable to make my TC at home connect its IPSEC/IKE VPN through the Site2Site tunnel between Sophos at home and Sophos at work? (in essence, that is a tunnel in a tunnel)

  • I think there are two ways to accomplish this.  I think both are fairly simple...

    1. Add 99.99.99.99 to 'Local Networks' at work and to 'Remote Networks' at home.  If you're not using 'Automatic firewall rules', you will need to add it to your manual rules.
    2. In your home, make a Static Gateway Route: 99.99.99.99 via 88.88.88.88.  At work, make a firewall rule: '77.77.77.77 -> Any -> 99.99.99.99 : Allow'.

    NOTE (next day): In both cases, you will need an SNAT or a masq rule at work that changes the packet source from 77.77.77.77 to 88.88.88.88.

    Let us know if you try one or both and which you decided to go with.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't believe it, but I think it works. Finally - it was merely a small thing, actually what I wrote above. I didn't consider that the TC at home must first connect the VPN, and it's doing that to an external IP (over the S2S tunnel). So I had to allow that through the tunnel too. I was only allowing private networks, but didn't think about the public one.

    Anyway, the following setup:

    Sophos Home:

    Two Policy Routes:

    - to 99.99.99.99 via 10.10.10.254

    - to networks in the Datacenter via 10.10.10.254

    S2S IPsec Remote Gateways:

    - 99.99.99.99 and Datacenter networks

    Sophos at Work:

    SNAT for TC at home, Any/Any, translation to "Internal (Address)" (=10.10.10.254)

    S2S IPsec Local Networks: same as above.

     

    Only thing, I would like to make sure that it's working.

    How can I actually do that, without any information from Datacenter? (I don't even believe they can go as far as invest that on request)
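The configuration in the post above has an offline half that can be checked without any help from the Datacenter: whether the IPsec traffic selectors on both UTMs cover the TC's packet to the public gateway, and what source address the work UTM emits after SNAT. The following Python model is an added example written for this thread, not Sophos code and not something any poster ran. It uses the thread's addresses (home 192.168.1.0/24, work 10.10.10.0/24, gateway 99.99.99.99) and an assumed TC address 192.168.1.50; selector and SNAT matching are simplified assumptions (first matching rule wins, UDP ports 500/4500 for IKE are not modelled), not UTM internals. The "before" configuration reproduces the symptom from the original post: no selector covers the public IP, so the home UTM has no path and answers with host unreachable.

```python
"""Simulate the home -> work -> datacenter path from the thread (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class S2SPolicy:
    """One IPsec site-to-site connection as seen from one UTM."""
    local_networks: tuple
    remote_networks: tuple


@dataclass
class SnatRule:
    match_src: str      # source network the rule applies to
    match_dst: str      # destination network; 0.0.0.0/0 stands for "Any"
    translate_to: str   # replacement source address


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def forward_home_to_remote(pkt, home_s2s, work_s2s, snat_rules=()):
    """Return (verdict, packet as it leaves the work UTM, or None if dropped)."""
    # 1. Home UTM: the policy route points at 10.10.10.254, but the packet only
    #    enters the tunnel if a local->remote selector covers it. Without one
    #    there is no usable path, which is the ICMP "host unreachable" the
    #    original post captured on the home LAN.
    if not (_in_any(pkt.src, home_s2s.local_networks)
            and _in_any(pkt.dst, home_s2s.remote_networks)):
        return ("dropped at home: no S2S selector covers %s -> %s" % (pkt.src, pkt.dst), None)
    # 2. Work UTM: the mirror-image selector must accept the decapsulated packet.
    if not (_in_any(pkt.src, work_s2s.remote_networks)
            and _in_any(pkt.dst, work_s2s.local_networks)):
        return ("dropped at work: local/remote networks do not mirror the home side", None)
    # 3. SNAT at work: first matching rule rewrites the source (assumed semantics).
    for rule in snat_rules:
        if _in_any(pkt.src, [rule.match_src]) and _in_any(pkt.dst, [rule.match_dst]):
            return ("forwarded with SNAT", Packet(rule.translate_to, pkt.dst))
    return ("forwarded without SNAT: source is still a home address", pkt)


HOME_NET, WORK_NET, DC_GW = "192.168.1.0/24", "10.10.10.0/24", "99.99.99.99/32"
TC_AT_HOME = "192.168.1.50"  # constructed TC address, not from the thread


def before_fix():
    """S2S networks as in the original post: private networks only."""
    return (S2SPolicy((HOME_NET,), (WORK_NET,)),
            S2SPolicy((WORK_NET,), (HOME_NET,)))


def after_fix():
    """Public gateway added to home 'Remote Networks' and work 'Local Networks'."""
    return (S2SPolicy((HOME_NET,), (WORK_NET, DC_GW)),
            S2SPolicy((WORK_NET, DC_GW), (HOME_NET,)))


# SNAT for the TC at home, Any destination, translated to Internal (Address).
SNAT_TC_HOME = SnatRule(TC_AT_HOME + "/32", "0.0.0.0/0", "10.10.10.254")


def run_demo():
    """Verdicts for the three configurations discussed in the thread."""
    pkt = Packet(TC_AT_HOME, "99.99.99.99")
    return {
        "before": forward_home_to_remote(pkt, *before_fix()),
        "selectors_only": forward_home_to_remote(pkt, *after_fix()),
        "selectors_and_snat": forward_home_to_remote(pkt, *after_fix(), snat_rules=(SNAT_TC_HOME,)),
    }


if __name__ == "__main__":
    for name, (verdict, out) in run_demo().items():
        print("%-20s %s %s" % (name, verdict, out))
```

The model only confirms that the selectors and the SNAT rule are consistent with each other. For the live check, the same CLI packet capture the original post used, taken on the work UTM's external interface and filtered on 99.99.99.99, shows the IKE exchange leaving with the work side's address rather than a 192.168.1.x source.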

  • Thanks. I think we posted at the same time, rofl ;-)

    The solution I wrote too is basically your 1st solution, I had to add the public IP, which I didn't at first consider.

    However, re-reading your suggestions, I think these two complement each other, because without adding the appropriate networks in both Local Networks and Remote Networks, nothing was working.

    Also, it doesn't seem to work without SNAT at all.

  • Ah, yes - I'll need to add that to my post above - thanks!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA