All traffic of some branch office IPs through SSL VPN tunnel

Hi,

I have 2 Sophos XG with an SSL site-to-site VPN.
I'm trying to pass all traffic from a small number of IPs (from 172.16.30.50 to 172.16.30.100) on the branch office Sophos XG through the VPN tunnel, so that they present themselves as the Home Office Sophos XG.

I followed the hints in this KB guide, with no luck:

https://community.sophos.com/kb/en-us/123261

Can you help me with this?

Thanks in advance...



This thread was automatically locked due to age.
  • Hi  

    The link you are referring to is for IPsec VPN, but you have configured an SSL VPN tunnel. It would be great if you could provide more details on your network setup.

    If you want to configure IPsec VPN, please refer to the article https://community.sophos.com/kb/en-us/123140 and then apply the settings from the article you referred to, https://community.sophos.com/kb/en-us/123261

  • Hi.


    It's a very simple configuration:

     

    Home Office LAN:
    192.168.58.0/23

    Default rule for NAT + VPNSSL Rule


    Branch Office LAN:
    172.16.30.0/24

    Default rule for NAT + VPNSSL Rule

    Do you think it's possible to use the SSL VPN tunnel, or do I need to switch to IPsec?

    Thanks

  • EDIT: I deleted the SSL VPN and set up an IPsec VPN as you mentioned in your response.
    Then I followed the second article to pass all traffic through the VPN.

    A strange thing happened: every website I try from the Branch Office Sophos XG responds with the captive portal and refuses to connect...

  • Hi  

    Please remove the "Match known user" option from the VPN to WAN firewall rule and check.

  • Hi,

    Just did.

    It seems traffic doesn't pass through at all.

    These are the rules on the branch office, from top to bottom:

    - Deny Rule [from LAN/rangeIP-> WAN/Any - Any Service]
    - Default Rule [from LAN/Any-> Wan/Any - Any Service]
    - Outbound IPSec [from LAN/LanNetwork-> VPN/RemoteNetwork - Any Service]
    - InBound IPSec [from VPN/RemoteNetwork-> LAN/LanNetwork -Any Service]

    These are the rules in the Home Office, from top to bottom:

    - Default Rule [from VPN LAN/Anyhost-> Wan/Anyhost - Any Service]
    - InBound IPSec [from VPN/RemoteNetwork-> LAN/LanNetwork - Any Service]
    - OutBound IPSec [from LAN/LanNetwork-> VPN/RemoteNetwork - Any Service]
    - IPsec Remote NAT [from VPN, LAN, Anyhost -> VPN, LAN, Anyhost  - Any Service] With Rewrite source address MASQ
    - VPN for remote users [from VPN, Remote SSL VPN -> LAN, Any Host - Any Service] With Rewrite source address MASQ and Match known users


    The tunnel is up and running.

     

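Added example, not part of any post in this thread and not Sophos code: a first-match walk over the two rule tables as posted, to show which rule a packet from the 172.16.30.50-100 range actually hits on each firewall. It assumes three things that the thread does not spell out: the destination zone comes from the route lookup (a destination routed into the IPsec tunnel lands in the VPN zone, anything else in WAN); the object names rangeIP, LanNetwork and RemoteNetwork resolve to the addresses quoted in the question; and an unauthenticated source hitting a rule with "Match known users" is redirected to the captive portal, which is the symptom reported above.

```python
"""
First-match simulation of the branch and home office rule tables posted in
this thread (constructed example, not Sophos code; assumptions in lead-in).
"""
import ipaddress
from dataclasses import dataclass

# Object definitions taken from the thread. rangeIP is assumed to be the
# 172.16.30.50-100 block named in the question.
OBJECTS = {
    "Any": "any",
    "rangeIP": "172.16.30.50-172.16.30.100",
    "BranchLan": "172.16.30.0/24",
    "HomeLan": "192.168.58.0/23",
    "Internet": "0.0.0.0/0",
}


def matches(ip: str, obj: str) -> bool:
    """True if ip is inside the named object ('any', a CIDR, or an a-b range)."""
    spec = OBJECTS.get(obj, obj)
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec)


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: tuple
    src: str
    dst_zones: tuple
    dst: str
    action: str = "accept"
    match_known_users: bool = False


def dst_zone(dst_ip: str, tunnel_nets: tuple) -> str:
    """Assumption: the route lookup decides the zone; tunnel routes win over WAN."""
    return "VPN" if any(matches(dst_ip, n) for n in tunnel_nets) else "WAN"


def evaluate(rules, src_zone, src_ip, dst_ip, tunnel_nets, known_users=frozenset()):
    """Return (rule_name, outcome) for the first rule that matches, top to bottom."""
    dz = dst_zone(dst_ip, tunnel_nets)
    for r in rules:
        if src_zone not in r.src_zones or dz not in r.dst_zones:
            continue
        if not (matches(src_ip, r.src) and matches(dst_ip, r.dst)):
            continue
        if r.match_known_users and src_ip not in known_users:
            # Assumed behaviour for an unauthenticated source on such a rule.
            return r.name, "captive-portal"
        return r.name, r.action
    return None, "drop"  # implicit drop at the end of the table


def branch_rules(remote_net: str):
    """Branch office table as posted, top to bottom; RemoteNetwork is a parameter."""
    return [
        Rule("Deny Rule", ("LAN",), "rangeIP", ("WAN",), "Any", action="drop"),
        Rule("Default Rule", ("LAN",), "Any", ("WAN",), "Any"),
        Rule("Outbound IPsec", ("LAN",), "BranchLan", ("VPN",), remote_net),
        Rule("InBound IPsec", ("VPN",), remote_net, ("LAN",), "BranchLan"),
    ]


def home_rules(match_known_users: bool):
    """Home office rules relevant to tunnel traffic, with the disputed option toggled."""
    return [
        Rule("Default Rule", ("VPN", "LAN"), "Any", ("WAN",), "Any",
             match_known_users=match_known_users),
        Rule("InBound IPsec", ("VPN",), "BranchLan", ("LAN",), "HomeLan"),
        Rule("OutBound IPsec", ("LAN",), "HomeLan", ("VPN",), "BranchLan"),
    ]


def branch_to_internet(remote_net: str):
    """A range host talking to a public address, evaluated on the branch XG."""
    return evaluate(branch_rules(remote_net), "LAN", "172.16.30.60", "8.8.8.8",
                    tunnel_nets=(remote_net,))


def home_from_tunnel(match_known_users: bool):
    """The same packet after it leaves the tunnel on the home XG (source zone VPN)."""
    return evaluate(home_rules(match_known_users), "VPN", "172.16.30.60", "8.8.8.8",
                    tunnel_nets=())


if __name__ == "__main__":
    # RemoteNetwork = home LAN only: 8.8.8.8 stays in WAN and the Deny Rule wins.
    print(branch_to_internet("HomeLan"))
    # RemoteNetwork covers 0.0.0.0/0: the destination is in VPN, the tunnel rule wins.
    print(branch_to_internet("Internet"))
    # On the home side the option on the VPN-to-WAN rule decides the outcome.
    print(home_from_tunnel(True))
    print(home_from_tunnel(False))
```

The two branch runs show why the posted table can silently drop the range: with the Deny Rule at the top and a RemoteNetwork that only covers the home LAN, internet-bound packets from the range are classified as WAN and hit the deny before any tunnel rule is considered; only when the tunnel claims all destinations does the Outbound IPsec rule get a chance. The two home runs reproduce the captive portal symptom and its fix from the reply above.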