I am using Sophos XG v18.5 MR 4. This is my ACL matrix:
I have been following either one of these instructions to create a working remote-access SSL VPN:
_ Configure remote access SSL VPN with Sophos Connect client: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNRemoteAccessSSLVPNSophosConnectClient/index.html
_ Sophos Firewall: Configure IPsec and SSL VPN Remote Access: https://www.youtube.com/watch?v=wXUmWX1kDx4
_ Sophos XG Firewall (v18): How to configure SSL VPN remote access: https://www.youtube.com/watch?v=rFMD2Kb7dWA
I use OpenVPN Community Edition v2.4.12 to import and activate the .ovpn profile (https://openvpn.net/community-downloads/). The remote connection has been established successfully; however, I cannot connect to any of the LAN resources, nor to the firewall's admin page itself.
What is wrong with my settings and/or VPN client? Do I have to use the Sophos client instead of the OpenVPN client in order to connect?
Thank you very much in advance.
Hi J Thai,
Thank you for sending a message to Sophos Community.
Since the VPN connection is already established, have you created a firewall rule "VPN to LAN" to allow access to local resources?
Have you allowed it on the Permitted resources?
Also, have you checked the logs and what does it say when accessing the local resource?
For more reference, kindly follow the KB guide for troubleshooting: support.sophos.com/.../KB-000036884
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Thanks for your reply. Here are my SSL VPN's permitted resources and firewall rule:
Just a few more questions I would like to ask you. Sorry for being a noob:
Thank you very much again.
Hello J Thai,

Thank you for the update.

1. Do I have to add all the LAN subnets that I want to grant access for the SSL VPN into the Permitted network resources IPv4 beside the Local Subnet, or is just creating a VPN_to_LAN firewall rule alone enough?
> Yes, you need to add all the LAN subnets that you want to access over the SSL VPN subnet in the Permitted network resources IPv4. And yes, if you want to access LAN subnets over VPN then you need a VPN to LAN rule. And if you want VPN subnets to be accessible over LAN then you need a LAN to VPN rule.

2. What purpose does the firewall rule I have created in the screenshot above have? If another VPN_to_LAN rule is to be created, is a NAT rule for it also necessary?
> Your rule is very confusing because of the names you have given, especially to the source and destination networks. You can refer to the best practices guide below:
> Configure remote access SSL VPN with Sophos Connect client - https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNRemoteAccessSSLVPNSophosConnectClient/index.html
> Sophos Firewall: Configure IPsec and SSL VPN Remote Access: https://www.youtube.com/watch?v=wXUmWX1kDx4

3. In addition, I would also want to have Internet connectivity under the Sophos XG host's WAN IP when I am connecting via this VPN interface. How will the VPN_to_WAN rule look, and is a NAT rule for it also needed?
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
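The answer above describes two separate gates that remote-access SSL VPN traffic has to pass on a Sophos XG: the destination must be listed under Permitted network resources (IPv4), so that the client routes it into the tunnel at all, and a VPN to LAN firewall rule must then accept the packet. The following is an added example, not code from the thread or from Sophos: a small Python model of those two checks, useful for reasoning about which gate is blocking a given destination. All subnets, zone names and rule names are constructed sample values.

```python
# Added example: model of the two checks a Sophos XG applies to remote-access
# SSL VPN traffic, as described in the thread above.
#   Gate 1: "Permitted network resources (IPv4)" decides which destinations are
#           pushed as routes to the client; anything else never enters the tunnel.
#   Gate 2: a firewall rule (here VPN -> LAN) must still accept the packet.
# All subnets, zones and rule names below are constructed sample values.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    src_nets: Sequence[IPv4Network]
    dst_nets: Sequence[IPv4Network]
    action: str  # "accept" or "drop"


def zone_of(ip: IPv4Address, zone_map: Dict[str, List[IPv4Network]]) -> str:
    """Map an address to a zone; anything not in a known zone is treated as WAN."""
    for zone, nets in zone_map.items():
        if any(ip in n for n in nets):
            return zone
    return "WAN"


def check_vpn_access(client_ip: str, dst_ip: str, permitted: Sequence[IPv4Network],
                     rules: Sequence[FirewallRule],
                     zone_map: Dict[str, List[IPv4Network]]) -> str:
    src, dst = IPv4Address(client_ip), IPv4Address(dst_ip)
    # Gate 1: is the destination routed into the tunnel at all?
    if not any(dst in n for n in permitted):
        return "blocked: destination not in permitted network resources (no route pushed to client)"
    src_zone, dst_zone = zone_of(src, zone_map), zone_of(dst, zone_map)
    # Gate 2: the first matching firewall rule, top to bottom, decides.
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and any(src in n for n in r.src_nets)
                and any(dst in n for n in r.dst_nets)):
            return f"{r.action} by rule '{r.name}'"
    return f"blocked: no {src_zone}->{dst_zone} firewall rule matches (default drop)"


# Constructed sample configuration: two LAN subnets, but only one is permitted.
ZONES = {"VPN": [IPv4Network("10.81.234.0/24")],
         "LAN": [IPv4Network("192.168.1.0/24"), IPv4Network("192.168.2.0/24")]}
PERMITTED = [IPv4Network("192.168.1.0/24")]
RULES = [FirewallRule("VPN_to_LAN", "VPN", "LAN", ZONES["VPN"],
                      [IPv4Network("192.168.0.0/16")], "accept")]

if __name__ == "__main__":
    print(check_vpn_access("10.81.234.6", "192.168.1.10", PERMITTED, RULES, ZONES))
    print(check_vpn_access("10.81.234.6", "192.168.2.10", PERMITTED, RULES, ZONES))
```

The second call shows the case from the thread: the firewall rule would accept 192.168.2.10, but the subnet is missing from the permitted resources, so the client never sends that traffic through the tunnel.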
As stated, just follow the guide given, indicate all the desired Networks to be allowed both on FW and permitted network resources, and create a specific FW rule (source/Destination, VPN-LAN/LAN-VPN, etc.) for security.
Thank you Vivek Jagad and Erick Jan very much for your enthusiasm. I will be following your advice and trying it out soon. Can the VPN still work with LAN & WAN fine even if I leave its DNS, WINS & Domain Name fields blank?
Yup J Thai it will !! Please vote up our answers if it were useful !!
Thank you so much again buddy. I have followed your & Erick Jan's instructions and it finally works.
It works so well that now, regardless of whether I am on local or foreign networks, the VPN will work anyway. In case I want the VPN to only work when I am on foreign networks, what should I do?
Thank you buddies. You guys have made my day.
For allowing only foreign networks, you need to edit your Permitted network resources and filter them under VPN > SSL VPN.
So that only the listed ones will be allowed to connect on the VPN. In your case, you can edit the SSL_VPN_Remote_Access_Local or just create a new network and add it to your FW Rule and Permitted network resources (IPv4).