Sophos Connect VPN - Accessing Site to Site resources as a remote user

Hope someone can advise on this.

I have an XG FW and have set up the Sophos Connect client VPN, which seems to work perfectly to allow remote users access to the network. However, I have resources on another site that can be accessed from my main site but not by remote users using Sophos Connect. How can I allow remote SC users to access these as if they are on the network?

Main site 10.0.0.0/22; branch IPsec site-to-site 10.1.0.0/22; cloud-hosted subnet connected via IPsec, where we have an application hosted, 172.20.0.0/24. Users on the main site and branch site can both access network shares on one another and also the cloud-hosted site. My users access the main site (10.0.0.0/22) via SC but are ONLY able to access resources on the 10.0.0.0/22 subnet. I have tinkered with rules to no avail (and noticed that in SSL VPN there's a "remote networks" option, which I think I need to locate an equivalent of for SC?).

Any advice here would be massively appreciated.

  • Hi  

    As per my understanding, your requirement is to access the remote location resources through Sophos connect client user and the Remote site is connected with the Main site via Site to Site VPN.

    Sophos Connect Client >> Main Site >> IPsec Tunnel >> Remote Site resources.

    You may try the configuration steps below; they may help.

    1. Please add the IP address of the Sophos Connect client to the Local Subnet of the Main site IPsec VPN configuration and to the Remote Subnet of the Remote Site IPsec VPN configuration.

    2. Create a VPN-to-VPN zone firewall rule and verify whether you are able to access the remote resources.

  • In reply to Keyur:

    Hi,

    Thank you for your response. I don't see any "Main site" within Sophos Connect, or any IPsec policies called "Main Site".

    Can you advise where I should be looking? (Running XG 17.5)

    Many thanks

    Ben

  • In reply to Benjamin Cox:

    Hi  

    There is no such thing called "Main Site".

    Just read "Main site" as your primary location or Head Office, where the Sophos Connect client users connect to the Sophos XG firewall.

  • In reply to Keyur:

    Sorry, I'm not really sure what you mean. Where do I refer to it?

    The initial instructions made me think I need to look in the menu structure for Sophos Connect. Where in Sophos Connect do I refer to a site? The options for Sophos Connect are very limited, and I've looked in IPsec policies and had a play with FW rules to no avail.

    Do you happen to have any screenshots at all?

    Many thanks for your help so far :)

  • In reply to Benjamin Cox:

    Hi  

    As per my understanding, the scenario is as below.

    You have three sites.

    Main site 10.0.0.0/22

    Branch site 10.1.0.0/22

    Cloud site 172.20.0.0/24

    Sophos Connect Client users connect to "Main site 10.0.0.0/22" firewall.

    Now you want that your Sophos Connect Client users should be able to access Branch Site 10.1.0.0/22 as well.

    Please correct me if anything is missing.

  • In reply to Keyur:

    Yes, that's exactly how it's set up.

    When connected, the connected users (via Sophos Connect) are able to access resources on the 10.0.0.0/22 network, but we'd also like them to have access to the other networks too. I've set up an L2TP VPN profile, and users that can connect to that are able to access all resources, but I prefer the concept of the SC client as it's easier to manage users.

    Many thanks

  • In reply to Benjamin Cox:

    Hi  

    Thank you for confirming the details.

    Now, please follow the steps given below to access the Branch site 10.1.0.0/22.

    1. A VPN-to-VPN firewall rule should be configured on the Main site (10.0.0.0/22) Sophos XG firewall.

    2. The IP lease range of the Sophos Connect client configuration (XG firewall) should be added to the "Local Subnet" of the IPsec configuration on the Main site XG firewall and to the "Remote Subnet" of the IPsec tunnel configuration on the Branch site XG firewall.

    3. Re-establish the tunnel and verify whether the Sophos Connect user is able to access the Branch site network.
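The two conditions in the steps above (the client lease range present in the Phase 2 selectors on both tunnel ends, and a VPN-to-VPN accept rule on the hub) are easy to get half right, and a half-right selector set fails silently: the hub has no SA matching traffic from the pool, so packets are dropped before any firewall rule is evaluated. The script below is an added example, not code from Sophos or from anyone in this thread; it models the three subnets from the question, an assumed Sophos Connect lease range of 10.81.234.0/24, and a constructed rule table, and reports what is missing before and after the change. The same check applies to the cloud tunnel (172.20.0.0/24): run it with that tunnel's selectors as the spoke.

```python
"""Check whether a Sophos Connect pool can reach a site-to-site subnet.

Constructed example: the lease pool, selector lists and rule table are
assumptions, not an export from any XG. "hub" is the Main site firewall the
Sophos Connect clients terminate on; "spoke" is the Branch site tunnel end.
"""
from ipaddress import IPv4Network, ip_network

MAIN = ip_network("10.0.0.0/22")
BRANCH = ip_network("10.1.0.0/22")
CLOUD = ip_network("172.20.0.0/24")
SC_POOL = ip_network("10.81.234.0/24")  # assumed Sophos Connect lease range


def _inside(net: IPv4Network, selectors) -> bool:
    """True if `net` lies entirely within one of the selector networks."""
    return any(net.subnet_of(sel) for sel in selectors)


def tunnel_issues(pool, target, hub_local, hub_remote, spoke_local, spoke_remote):
    """Phase 2 selector problems that stop `pool` reaching `target`.

    The hub must offer the client pool as a local network and the spoke must
    accept it as a remote network; otherwise no SA matches pool traffic.
    """
    issues = []
    if not _inside(pool, hub_local):
        issues.append(f"hub: {pool} not in local subnets")
    if not _inside(target, hub_remote):
        issues.append(f"hub: {target} not in remote subnets")
    if not _inside(pool, spoke_remote):
        issues.append(f"spoke: {pool} not in remote subnets")
    if not _inside(target, spoke_local):
        issues.append(f"spoke: {target} not in local subnets")
    # Both peers must present the same pairs or Phase 2 will not negotiate.
    if set(hub_local) != set(spoke_remote) or set(hub_remote) != set(spoke_local):
        issues.append("selector sets on the two peers are not mirror images")
    return issues


def first_match(rules, src_zone, dst_zone, src, dst):
    """First matching rule wins, as in the XG rule table; default is drop."""
    for rule in rules:
        if (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
                and _inside(src, rule["src"]) and _inside(dst, rule["dst"])):
            return rule["action"]
    return "drop"


def reachability_issues(pool, target, hub_local, hub_remote,
                        spoke_local, spoke_remote, hub_rules):
    """Selector check plus the VPN-to-VPN rule check on the hub.

    Sophos Connect clients and the site-to-site tunnel both sit in the VPN
    zone, so the hub needs an accept rule from VPN to VPN for this traffic.
    """
    issues = tunnel_issues(pool, target, hub_local, hub_remote,
                           spoke_local, spoke_remote)
    if first_match(hub_rules, "VPN", "VPN", pool, target) != "accept":
        issues.append(f"hub: no VPN-to-VPN accept rule for {pool} -> {target}")
    return issues


def before():
    """Tunnel as first built: only the two LANs as selectors, VPN->LAN rule only."""
    rules = [{"src_zone": "VPN", "dst_zone": "LAN",
              "src": [SC_POOL], "dst": [MAIN], "action": "accept"}]
    return reachability_issues(SC_POOL, BRANCH,
                               hub_local=[MAIN], hub_remote=[BRANCH],
                               spoke_local=[BRANCH], spoke_remote=[MAIN],
                               hub_rules=rules)


def after():
    """Pool added to hub local / spoke remote selectors, plus a VPN->VPN rule."""
    rules = [{"src_zone": "VPN", "dst_zone": "LAN",
              "src": [SC_POOL], "dst": [MAIN], "action": "accept"},
             {"src_zone": "VPN", "dst_zone": "VPN",
              "src": [SC_POOL], "dst": [BRANCH, CLOUD], "action": "accept"}]
    return reachability_issues(SC_POOL, BRANCH,
                               hub_local=[MAIN, SC_POOL], hub_remote=[BRANCH],
                               spoke_local=[BRANCH], spoke_remote=[MAIN, SC_POOL],
                               hub_rules=rules)


if __name__ == "__main__":
    for name, fn in (("before", before), ("after", after)):
        print(name, fn() or "OK")
```

`before()` reports three problems (pool missing on the hub's local side, missing on the spoke's remote side, and no VPN-to-VPN rule); `after()` reports none. Note that the mirror-image check is per tunnel: adding the pool only on the hub leaves the two peers disagreeing on selectors, which is why step 3 in the post, re-establishing the tunnel after both ends are changed, matters.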

  • In reply to Keyur:

    Hello Benjamin,

    Did you get it working with the last suggestion? Please let us know.

    Regards,
    Ramesh