
Switching from SSL VPN to IPSec VPN - Lost ability to TightVNC into remote users

We use TightVNC to remote into some users' machines. It's preconfigured through GPO with certain passwords and only allows access from our internal subnets.

We have started moving users from the SSL VPN to the newer Sophos Connect with an IPSec VPN. We have a firewall rule that allows LAN - Internal Subnets -> VPN - VPN Subnet and another rule that allows VPN - VPN Subnet -> LAN - Internal Subnets with heartbeat. This worked fine with the SSL VPN, and we could use TightVNC to connect to the remote users using their VPN IP address. However, with the IPSec VPN we cannot connect to their machines at all.

We have disabled the firewall on the remote machines, but that wasn't it (we figured it wasn't, since it worked before). We have tried the log viewer on the XG, but it doesn't show anything allowed or denied from the source or destination IP address. Does the IPSec VPN fall under a different zone, or do I need to configure something else? The new IPSec VPN users have no issues accessing network resources, and everything else works.



This thread was automatically locked due to age.
  • Hello AllanD,

    Thank you for contacting the Sophos Community.

    You could do a tcpdump and see where the traffic goes when you try to access the computer of the user.

    Also, make sure the IPs of the Sophos Connect aren’t overlapping with another subnet on your XG.

    If you’re also connected to the Sophos Connect, add the IP range of the Sophos Connect to the Permitted Network resources of Sophos Connect.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • > make sure the IPs of the Sophos Connect aren’t overlapping with another subnet on your XG

    The IPs do not overlap. We are using 10.1.10.* for our internal users, 10.1.11.100 - 150 for the IPSec VPN, and 10.1.11.151 - 200 for the SSL VPN.

    > If you’re also connected to the Sophos Connect, add the IP range of the Sophos Connect to the Permitted Network resources of Sophos Connect.

    Not sure what you mean by this. Under IPSec (Remote Access) it's set as the default gateway.

    We set up a "VPN Subnet" as 10.1.11.0/24, and that's what's being used by our firewall rules. So, as I mentioned, an SSL VPN user connected and given a 10.1.11.157 address we have no issues with, but an IPSec VPN user given 10.1.11.104 we have the issue with. We have not modified any firewall rules, since we are allowing the entire 10.1.11.0/24 subnet both ways.

  • Hello AllanD,

    Thank you for the follow-up.

    Please double-check, under Show VPN settings, that the subnet mask isn't set to /24, since this is the default subnet for the SSL VPN.

    So my suggestion about adding the IPs of the Connect Client to the allowed networks of the Connect Client was for if you were connecting from Sophos Connect; if you are connecting from the LAN, then you don't need to do this.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • You were correct. I changed the SSL VPN subnet to /28 and the range to 10.1.11.209 - 10.1.11.222. The IPSec VPN is still 10.1.11.100 - 10.1.11.200. That did indeed fix the issue. Thank you!

    Now can you explain why?  Does the firewall check the SSL VPN "group" first?

  • Hello Allan,

    I am happy to hear the issue was resolved.

    It’s because the SSL VPN interface tun0 takes precedence over the IPsec0 interface (for the Sophos Connect) that has a different subnet; you can see this when doing an ifconfig. tun0 will have the SSL VPN range you configured.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
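The overlap check suggested in the first reply, and the precedence explanation in the last one, can be reproduced offline. The script below is an added example written for this thread; it is not Sophos code and does not read an XG. It models tun0 as advertising the SSL VPN subnet as an on-link (connected) route, treats the IPsec remote-access pool as having no connected route of its own (a simplifying assumption, not a description of XG's forwarding path), and uses the address ranges the poster reported to show why 10.1.11.104 was swallowed by the /24 and not by the /28.

```python
import ipaddress


def pool_hosts(start, end):
    """Every address in an inclusive start-end address pool, as a list."""
    a = int(ipaddress.ip_address(start))
    b = int(ipaddress.ip_address(end))
    if b < a:
        raise ValueError(f"pool end {end} precedes pool start {start}")
    return [ipaddress.ip_address(i) for i in range(a, b + 1)]


def connected_subnet(ip, prefixlen):
    """On-link subnet an interface advertises for address/prefix (10.1.11.1/24 -> 10.1.11.0/24)."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def claimed_by(dst, connected):
    """Simplified route lookup (an assumption for this example, not XG's real code):
    the connected subnet with the longest prefix containing dst wins.
    None means no connected interface claims dst, so the IPsec policy can match it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, net in connected.items():
        if dst in net and (best is None or net.prefixlen > connected[best].prefixlen):
            best = iface
    return best


def pool_fits(hosts, net):
    """True if every address of a pool lies inside the subnet meant to carry it."""
    return all(ip in net for ip in hosts)


def audit(connected, pools):
    """For each pool, count addresses stolen by a connected subnet of another interface.
    pools: {pool_name: (owning_iface, [addresses])} -> {pool_name: {iface: count}}"""
    report = {}
    for pool_name, (owner, hosts) in pools.items():
        stolen = {}
        for ip in hosts:
            iface = claimed_by(ip, connected)
            if iface is not None and iface != owner:
                stolen[iface] = stolen.get(iface, 0) + 1
        report[pool_name] = stolen
    return report


# Constructed sample: the ranges reported in the thread. ipsec0 is the assumed
# name of the Sophos Connect interface; it gets no connected route in this model.
IPSEC_POOL = pool_hosts("10.1.11.100", "10.1.11.200")
BEFORE = {"tun0": connected_subnet("10.1.11.1", 24)}    # SSL VPN left at the default /24
AFTER = {"tun0": connected_subnet("10.1.11.209", 28)}   # SSL VPN re-sized to /28
SSL_POOL_AFTER = pool_hosts("10.1.11.209", "10.1.11.222")
POOLS = {"ipsec": ("ipsec0", IPSEC_POOL), "sslvpn": ("tun0", SSL_POOL_AFTER)}

if __name__ == "__main__":
    for label, connected in (("before", BEFORE), ("after", AFTER)):
        print(label, "tun0 =", connected["tun0"])
        print("  10.1.11.104 claimed by:", claimed_by("10.1.11.104", connected))
        print("  stolen addresses per pool:", audit(connected, POOLS))
    print("SSL range .209-.222 fits", AFTER["tun0"], "->", pool_fits(SSL_POOL_AFTER, AFTER["tun0"]))
```

With the /24 on tun0, all 101 IPsec pool addresses are claimed by tun0, which matches the symptom (the SSL VPN client at .157 reachable, the IPsec client at .104 not). With 10.1.11.208/28 on tun0, nothing in the IPsec pool is claimed, and the poster's .209-.222 range still fits inside the /28. Running the same audit against whatever ranges you configure is a quick way to catch this before rolling a VPN change out.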