
NordVPN and Sophos Site-To-Site IPSEC VPN.

I have an XG-125 firewall with support for the next 5-6 years.  I have an IPSEC site-to-site VPN set up to our corporate servers network from this firewall.  When I use ExpressVPN on my PC I can access our corporate servers at "10.bla.bla.bla" using any Windows application (telnet, RDP, sFTP, etc).  However, when I use NordVPN (or any other PC based VPN except ExpressVPN) I am blocked from accessing anything at "10.bla.bla.bla".  The site-to-site VPN isn't useful at all.

Does anyone know why this is?  Thanks in advance.

  • Vivek:

    I believe your answer sets up my question.  My PC has ExpressVPN installed and I am connected to my local 192.168.bla.bla network.  ExpressVPN allows me to access the internet without our cable provider tracking and logging my activity and corporate traffic.

    Our Sophos XG125 is configured on our network as the network's gateway.  The firewall has a site-to-site VPN configured via the "Site-to-site VPN" configuration option, using an IP host configuration to our corporate servers' networks at 10.bla.bla.bla.  We aren't firewall engineers but figured out how to get the firewall installed and configured. We hired out for the site-to-site VPN configuration.

    One of the people in our office downloaded and installed NordVPN. This person could not access our corporate resources via 10.bla.bla.bla, however, I can with my PC using ExpressVPN.  I downloaded and installed NordVPN and then couldn't access our corporate resources at 10.bla.bla.bla.  When I quit NordVPN then launched ExpressVPN I was able to access our corporate resources at 10.bla.bla.bla.

    We tried this experiment with several VPN products for PCs, including ProtonVPN.  We contacted their support to find out why their product cannot allow a PC in our network to connect to our corporate resources at 10.bla.bla.bla.  They could not answer the question except to say two VPNs cannot run at the same time.  ExpressVPN doesn't have this problem so we have settled on ExpressVPN for our individual PC use (and our phones too).

    My question is why?  Since the VPN services we are using on our PCs can't answer the question, we thought you could.  Is it some configuration on the Sophos that can be changed?  Is this a known issue for some VPN services (e.g. NordVPN, ProtonVPN, etc.) but not for ExpressVPN?

    Thanks,

  • Nope, no change is required. Although, your site-to-site VPN: is it a split tunnel [only allowing the local resources to be accessible], or is it configured as a full tunnel [all the traffic, including the internet, routes through the Firewall's WAN IP]?

    Thanks & Regards,
    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

  • I'm not sure how to answer this.  The question assumes a lot more knowledge of firewalls and routers than we have here.  We've tried to be as simple as possible because we're not running a large corporation.  We use the LAN port for the internal network and the WAN port to access the internet (two interfaces). Our FW rule for traffic to WAN is that any internal host can get out.  We have a couple of local servers that we allow access to, but have rules for the three services we allow in (everything else is blocked).  The s-t-s IPSEC VPN is set to Connection type: Site-to-site, Gateway type: Respond only, default encryption with preshared key; the local gateway is our external IP address and the remote gateway is the IP address given to us by our data center (Local & Remote ID type is Select local (or remote) ID).  Our Local subnet: Local subnet, and our Remote subnet: the three networks defined by three different IP host entries.  There are no tunnels defined in our network configuration.  I hope this makes sense.  Thanks,

  • Hello Bill,

    The problem is that NordVPN tunnels all the traffic.

    The only thing I think might work for you is to try split tunneling within the NordVPN settings, and set only specific apps you want NordVPN to tunnel, for example Chrome. Other than that, you might want to reach out to NordVPN for a way to tell their VPN to split the tunnel based on subnets.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thank you very much, Emmanuel.  This gives me some ideas.  ExpressVPN works perfectly for this but the others don't.  The others are less expensive (most) and work better with streaming services, but...YMMV.  :-)
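Added example, not code from the thread or from Sophos: a small Python model of the client-side route selection that Vivek's full-tunnel versus split-tunnel question and Emmanuel's reply turn on. The LAN gateway and corporate subnet are constructed values, and the assumption is that the full-tunnel client installs the common 0.0.0.0/1 and 128.0.0.0/1 catch-all pair, which out-prefixes the PC's normal default route and so pulls 10.x traffic into the consumer VPN instead of leaving it for the XG's IPsec tunnel; a split-tunnel exception is one more-specific route back to the LAN gateway.

```python
import ipaddress

# Constructed values (not from the thread): the office LAN gateway (the XG's
# LAN IP) and one corporate subnet reached over the site-to-site IPsec tunnel.
LAN_GATEWAY = "192.168.1.1"
CORP_SUBNET = "10.20.0.0/16"


def select_route(routes, dst):
    """Longest-prefix match over (prefix, next_hop, metric) tuples.

    The most specific matching prefix wins; among equal prefixes the lower
    metric wins. Returns the chosen next hop, or None if nothing matches.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_key, best_hop = None, None
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_hop = key, next_hop
    return best_hop


def base_routes():
    # PC with no client VPN running: LAN on-link, default route via the XG.
    return [("0.0.0.0/0", LAN_GATEWAY, 25), ("192.168.1.0/24", "on-link", 281)]


def full_tunnel_routes():
    # Assumed full-tunnel behaviour: two /1 routes via the VPN adapter cover
    # all of IPv4 and beat the /0 default, so 10.x traffic is captured too.
    return base_routes() + [("0.0.0.0/1", "vpn-tun", 5), ("128.0.0.0/1", "vpn-tun", 5)]


def split_tunnel_routes():
    # Split tunnel: same catch-all pair, plus a more specific route that keeps
    # the corporate subnet on the LAN gateway, where the XG's IPsec SA matches it.
    return full_tunnel_routes() + [(CORP_SUBNET, LAN_GATEWAY, 5)]


if __name__ == "__main__":
    for name, table in (("no VPN", base_routes()),
                        ("full tunnel", full_tunnel_routes()),
                        ("split tunnel", split_tunnel_routes())):
        print(f"{name:12s} 10.20.1.5 -> {select_route(table, '10.20.1.5')}")
```

Running it shows the corporate host reaching the LAN gateway with no client VPN and again under the split tunnel, but going to the VPN adapter under the full tunnel, which is the symptom Bill describes.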