VPN over VPN, possibly with SNAT

Hello,

I want to do an IPSEC/IKE Client-Connection to a remote network, but over an existing Site-2-Site tunnel. And I only want to route this Client via Work-Network, not everything at home. For the remote network, it should appear as if the packets are coming from the work-network, although the client is in the home network.

It's like this:

Client@Home / Home-Network (192.168.1.0, Sophos 192.168.1.254) -> S2S -> Work-Network (10.10.10.0, Sophos 10.10.10.254) -> Remote-Network (public IP 193.10.1.1, non-manageable nor managed by me)

Client@Home is doing IPSEC/IKE VPN to the public IP of the Remote-Network.

So, what I'm doing:

I have a standard static route in place, saying: For connections to 193.10.1.1, use Gateway at work (10.10.10.254).

Now I'm thinking, what do I have to put into S2S networks, both local and remote. If anything at this point. All I want to is to establish a VPN-connection, not access any networks inside the tunnel - except the ones that are already set up, like the Home-Network and Work-Network, which are already in there obviously.

I also created the back-route for the Client, I set up a static route for Home-Networks to be the 192.168.1.254, though I don't think that's needed. At this point I am trying to connect the VPN from the Client with the Remote-Network over the Sophos at work. No-go.

I tried packet capture via CLI, monitoring the internal interface of the home Sophos, I see the packets, going from the client to the remote-network public IP, and then just the 2nd packet is already: publicIP sophos@home > client@homeIP: ICMP host "remote-publicIP" unreachable.

If I remove the routing via sophos@work, then VPN connects.

Please, am I missing something obvious?

Thank you.

  • Hallo,

    Both Hub and Spoke Site-to-Site VPNs and How to allow remote access users to reach another site via a Site-to-Site Tunnel apply the same ideas.  Does that give you the result you were looking for?

    Cheers - Bob

  • You said:

    • Client@Home is doing IPSEC/IKE VPN to the public IP of the Remote-Network.

    I don't see how this will work.   If it can make a tunnel-within-tunnel route at all, you are likely to have problems with MTU, latency, and debugging.

    I think what you want:

    • Client@Home is connected to Work-Network using a Client@Home VPN address.
    • Work-to-Remote tunnel allows certain work addresses to connect to certain remote addresses.
    • SNAT is used to map the Client@Home VPN Address to a (reserved) Work Address so that the Work-To-Remote tunnel will accept the packet.
    • If Client@Home is using Remote Access VPN, the SNAT rule can reference the user or group object instead of a fixed IP object, depending on your needs.

    No need for Client@Home to create a second VPN tunnel.

     

     

  • In reply to BAlfson:

    Bob,

    Hub and Spoke Site-to-Site VPNs 

    I saw that one, it didn't quite help me, as I don't have site 2 site between each site, rather only over first two, home and work, and I am connecting the thin-client from home via IPSEC/IKE to the remote gateway (public IP). My s2s seems fine, as I can well control what I access from home to work and vice versa.

    Would I need to allow the access to internet in the remote networks in the S2S setup?

    How to allow remote access users to reach another site via a Site-to-Site Tunnel 

    This looks very much same to me to the above example. Entering each others networks in the S2S settings, this time though using the RemoteSSL Pool.

  • In reply to DouglasFoster:

    I think what you want:

    • Client@Home is connected to Work-Network using a Client@Home VPN address.
    • Work-to-Remote tunnel allows certain work addresses to connect to certain remote addresses.
    • SNAT is used to map the Client@Home VPN Address to a (reserved) Work Address so that the Work-To-Remote tunnel will accept the packet.
    • If Client@Home is using Remote Access VPN, the SNAT rule can reference the user or group object instead of a fixed IP object, depending on your needs.

    No need for Client@Home to create a second VPN tunnel.

    The scope of what I can configure on the Client@Home is very limited.

    Client@Home obtains it's local IP from the DHCP, and it's possible to set it static. But, I can't configure where VPN connects to.

    Client@Home isn't connected to the Work-Network, it's connected to the Home@Network, as it's at home...

    I also cannot force the Client@Home to not use the IPSEC remote connection, as it is basically programmed, and limited to me clicking the Icon on the desktop which calls up the VPN connection, and then automatically starts a browser which opens the remote terminal server. I can't work around that.

    If the client is at work, it also has to build the same VPN tunnel, it won't work without the tunnel. It also builds a tunnel straight via internet.

     

    And why I want to re-route it is simply because I want to have it appear to the remote server as if the connection is coming from work, if at all possible.

  • In reply to Kosta88:

    A diagram would help - I just can't "see" what you're wanting to accomplish.

    Cheers - Bob