Unable to connect vpn from lan zone

Hi Joey Hoi 

Is there any specific requirement to establish the VPN connection from LAN zone, VPN is meant for remote connectivity.

LAN to VPN firewall rule will come into the picture when there are a VPN connection and traffic is initiated from LAN to sent via VPN tunnel, not used to connect VPN.

Hi Keyur,

Thanks for the reply. Yes there is specific requirement to establish vpn from lan zone, we put in place some restrictions in the lan zone, only certain users with vpn accounts will be able to login and access according to the rules in place for the vpn users.

I think you may suggest creating hosts for these users and implement further firewall rules, this is a way but it is not as good as having the user login via vpn because the host device may change.

We used to have a utm firewall that does not need any special configurations in place for users to login vpn from lan zone.

Can you let me know if this is a non-capability of the XG firewall? (Establish vpn from lan zone)

I will find a work around if it is, instead of spending more time trying to look for configurations to make it work.

Thanks.

Hi Joey Hoi 

Sorry for more questions but it would help me to assist you better, if the users are already in the LAN zone of the firewall, they can easily access the LAN resources as per the configuration, VPN is used when the users want to access resources from a remote location. If you want to restrict LAN resource access for VPN, you can configure SSL VPN and define separate policies as per the user requirement.

Hi Keyur,

Certain lan resources are restricted. We would like only privileged users with vpn accounts to access these restricted lan resources. We have dhcp in the lan zone so we would like to track the access by means of vpn connections.

We currently do not have ssl vpn setup due to users already setup l2tp connections inherited from the old utm firewall.

Our use of vpn is slightly different to yours. In our case, vpn is used when the users want to access (selected) resources from a remote location (and local area connection).

Perhaps you can answer directly to this question? The XG firewall cannot support l2tp and Sophos vpn connection established from the lan zone? Once you have given me a clear answer on this, we can discuss together what are the alternatives which are suitable for our use.

Thanks.

Hi Keyur,

Certain lan resources are restricted. We would like only privileged users with vpn accounts to access these restricted lan resources. We have dhcp in the lan zone so we would like to track the access by means of vpn connections.

We currently do not have ssl vpn setup due to users already setup l2tp connections inherited from the old utm firewall.

Our use of vpn is slightly different to yours. In our case, vpn is used when the users want to access (selected) resources from a remote location (and local area connection).

Perhaps you can answer directly to this question? The XG firewall cannot support l2tp and Sophos vpn connection established from the lan zone? Once you have given me a clear answer on this, we can discuss together what are the alternatives which are suitable for our use.

Thanks.

Hi Joey Hoi 

If the user tries to access any LAN resources then the traffic for that request will go via internal LAN switch and the firewall will not be able to control internal traffic as it is a gateway device.

Hi Keyur,

Thanks for the reply, it is good to know SSL VPN is able to connect from the lan zone, would you also check this for L2TP and Sophos Connect Client?

By the way, I have read another thread with a similar issue as described. Maybe you can verify this?

https://community.sophos.com/products/xg-firewall/f/vpn/119193/sophos-connect-on-wifi#pi2151filter=all&pi2151scroll=false

Once it is confirmed that L2TP and Sophos connect client cannot establish connection from lan zone, I will look for alternatives to meet our objectives.

Thanks.

It depends and should actually work with Sophos Connect. 

The Client will attempt to connect to your WANIP/FQDN. This should be likely be possible even in LAN. 

If you have a FQDN, you need to verify, this FQDN in Sophos Connect is connecting to the WAN IP of XG. IPsec is listing on the WAN IP of XG. 

I think you are trying to reinvent Network Access Control (NAC) here.

Hi Toni,

Thanks for the suggestion, I will give it a try for the Sophos connect.

For l2tp, I tried it before and it was not working as expected.

Thanks.