
SSL VPN used in a VPN gateway, trouble accessing remote network from other networks going through the gateway. Any remedy?

A remote vendor used his SSL VPN connection (login and OVPN file) in a VPN gateway. His goal is for various machines on multiple networks on his end to access my network through this VPN gateway.

The vendor is able to reach my network from the gateway, however other devices on other networks (different subnets) going through the VPN gateway cannot.

Is this a limitation of the SSL tunnel, or a bad config in the remote vendor's setup?

I did not realize he wanted to do this kind of setup. I suspect the proper fix is to set up a site-to-site VPN.

  • Hi David,

    Thank you for reaching out to Sophos Community.

    Can we verify if the "different subnets" are already included in the SSL VPN Permitted network resources?

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • The different subnets the vendor is wanting to use are on the remote network, not my network. I allow "any" remote subnets in the SSL policy as well as the firewall rule governing VPN to LAN because people needing to use the SSL tunnel can be anywhere.

  • Hello David,

    Adding to what Erick mentioned, I am unclear about your setup or the VPN Gateway used.

    However, suppose the vendor can reach your network from the VPN gateway. In that case, you could check whether you see traffic arriving at your network (passing the Firewall) from the other subnets by doing a tcpdump on the Sophos Firewall; if you see traffic arriving at the Firewall but being dropped by the Sophos Firewall, then you can troubleshoot further, but if you don't see the traffic arriving, most likely your vendor has incorrectly configured their end.

    I have never heard of this type of setup. I believe a site-to-site VPN would be a better approach if the vendor has different subnets and they want to access subnets on your Network.

    Also feel free to share a draft of how this setup is currently done if what I mentioned above doesn't fit the current setup.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks for the reply. This is basically what's going on. See attached image.

    Vendor needs access to a server on my network, they have a VPN gateway, they have multiple subnets that connect through the gateway.

    They entered the SSL .ovpn info into the gateway and - from the gateway - can ping the server on my network. The other subnets cannot.

    Looking at the SSL tunnel config and the firewall rule I don't see where I am restricting anything on the remote end.

    I'm figuring I need to just set up a site-to-site but on initial contact by the customer I didn't know they had this kind of need.

    My goal here is to either figure out what the issue is on my end or their end or that this is a misapplication of a SSL vpn.

  • Hello David,

    Thank you for the follow-up.

    This should be an IPsec tunnel (site-to-site VPN), not an SSL VPN tunnel.

    If you want to show your vendor that the issue is on their side, I would recommend you do a tcpdump or GUI Packet Capture, as mentioned in my previous comment. If you don't see traffic arriving from the other subnets, the issue is on their side; if you see it arriving at the Sophos Firewall, then you can check whether the Firewall is dropping the packets or routing them incorrectly, or whether your devices are blocking the traffic for those specific subnets.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
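Emmanuel's packet-capture check, turned into a small triage script as an added example (not code from the thread or from Sophos): it reads tcpdump-style lines as captured on the firewall's SSL VPN interface and reports, per vendor subnet, whether packets arrive at all and whether the server answers. The capture lines, the server address 192.168.50.10 and the subnet ranges are constructed placeholders, not values from the thread.

```python
import ipaddress
from collections import Counter

# Constructed tcpdump-style lines, as if captured on the firewall's SSL VPN
# interface (tcpdump -ni <ssl-vpn-iface> host <server>). Addresses are
# placeholders for this example: 10.81.234.6 stands for the SSL VPN client
# address the vendor gateway received, 172.16.20.15 for a host on one of the
# vendor's other subnets, 192.168.50.10 for the server on the local network.
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 10.81.234.6.51000 > 192.168.50.10.443: Flags [S], seq 1, win 64240, length 0
10:15:01.000300 IP 192.168.50.10.443 > 10.81.234.6.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:15:02.000100 IP 172.16.20.15 > 192.168.50.10: ICMP echo request, id 1, seq 1, length 64
10:15:03.000100 IP 172.16.20.15 > 192.168.50.10: ICMP echo request, id 1, seq 2, length 64
"""

def parse_line(line):
    """Return (src_ip, dst_ip) from one tcpdump IPv4 line, or None if it is not one."""
    tok = line.split()
    if len(tok) < 5 or tok[1] != "IP" or tok[3] != ">":
        return None
    def strip_port(t):
        # tcpdump prints TCP/UDP endpoints as a.b.c.d.port; ICMP has no port.
        parts = t.rstrip(":").split(".")
        return ".".join(parts[:4])
    return strip_port(tok[2]), strip_port(tok[4])

def classify_subnets(capture, server, subnets):
    """For each vendor subnet, report whether its traffic reached the firewall and got a reply."""
    server = ipaddress.ip_address(server)
    nets = [ipaddress.ip_network(n) for n in subnets]
    to_server, from_server = Counter(), Counter()
    for line in capture.splitlines():
        pair = parse_line(line)
        if pair is None:
            continue
        src, dst = map(ipaddress.ip_address, pair)
        for net in nets:
            if src in net and dst == server:
                to_server[net] += 1      # packet from the vendor side arrived
            if dst in net and src == server:
                from_server[net] += 1    # server reply went back into the tunnel
    result = {}
    for net in nets:
        if to_server[net] == 0:
            result[str(net)] = "not seen: traffic never arrives, check the vendor gateway"
        elif from_server[net] == 0:
            result[str(net)] = "seen, no reply: check firewall rule, routing or the server"
        else:
            result[str(net)] = "seen with reply: tunnel works for this subnet"
    return result
```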