
Sophos Connect VPN client not connecting to remote Site-to-Site server

Good day,

Wonder if anyone can help me.

Have a site-to-site tunnel with a remote server. The remote server is connected through a site-to-site tunnel to a different company so I don't have control on the remote side network. 

Now I am trying to get my Sophos Connect VPN clients to also be able to connect to the remote server via the Sophos VPN.

The connection to the remote server works from the office and over the standard Windows remote access VPN, but I am struggling to get the Sophos VPN client to route the traffic.

Thank you in advance.

Please see my Config below: 

RemoteAccess_VPN:

Source Zone: VPN

Source Networks: VPN Pool (This is the IPs of the remote access VPN from Sophos)

Dest Zone: 

Dest Networks: Blocked out the company networks but left out the remote server, which is MRI_NEW1 on the 10.89.x.x range. The remote access VPN range is 10.81.x.x, so it should not conflict or make any difference, since the remote server IP is a single /32 subnet IP.

Remote SSL VPN Policy:

Policy members: Users in the groups are allowed to connect to the remote server

Permitted IPv4: MRI_NEW1 is included in the permitted IPs



  • Hello Werner,

    I think you will need a route back from that remote server to your clients. That server doesn't know about them. You could try to work around this with NAT, but we would need more info to help you with that.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

    • Hi,

      I will look into routing the traffic back over the Sophos remote VPN via NAT.


      Please see below how the internal network connects to the remote server:

      The MRI_Ent_NATed_Range_2 is on the 172.31.x.x range. This IP is the remote side IP set up for us to connect to, and it is NAT-translated to our 10.0.0.0 range so that our internal network can communicate with the 10.89.x.x remote server through the tunnel. Hope it makes sense.

      The remote Subnet is the 10.89.x.x range which is the remote server we are connecting to. 

      So in my first post I sent you the firewall rule I created, which the remote VPN users use to connect to the internal company network with the Sophos VPN client.

      Now I added the 10.89.x.x remote server to the remote access VPN permitted IPs and to the firewall rule, thinking it would allow Sophos VPN clients to connect remotely to the remote server, but it isn't working.

      Hope this information helps 

      This is the auto firewall rule created by the site-to-site tunnel and is working for the internal network. 

      • I would do it the other way round: let the remote server believe (by means of NAT) that the packets from the other network are coming from your central site.

        With kind regards, best regards from Germany,

        Philipp Rusch

        New Vision GmbH, Germany
        Sophos Silver-Partner

        If a post solves your question please use the 'Verify Answer' button.
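        The two suggestions above (a route back from the remote server, or source NAT so the remote side sees the VPN clients as the central site) can be checked with a small model of the return path. The following Python is an added example, not code from the thread or from Sophos; all concrete prefixes (10.81.0.0/24 for the VPN pool, 172.31.0.0/24 for the NATed range, 10.89.0.10 for the remote server) and the remote site's routing table are constructed assumptions, since the thread only gives the x.x ranges.

        ```python
        import ipaddress

        # Constructed addresses: the thread only mentions 10.81.x.x (VPN pool), 10.89.x.x
        # (remote server) and 172.31.x.x (NATed range), so these prefixes are assumptions.
        VPN_POOL = ipaddress.ip_network("10.81.0.0/24")       # Sophos Connect client pool
        NATED_RANGE = ipaddress.ip_network("172.31.0.0/24")   # stands in for MRI_Ent_NATed_Range_2
        REMOTE_SERVER = ipaddress.ip_address("10.89.0.10")    # stands in for MRI_NEW1
        PERMITTED = [ipaddress.ip_network("10.89.0.10/32")]   # "Permitted IPv4" of the SSL VPN policy

        # Hypothetical routing table of the remote site: it knows its own subnet and the
        # NATed range the site-to-site tunnel was built for, and nothing about 10.81.0.0/24.
        REMOTE_ROUTES = [
            (ipaddress.ip_network("10.89.0.0/16"), "local"),
            (NATED_RANGE, "ipsec-tunnel"),
        ]


        def lookup(routes, dst):
            """Longest-prefix match; returns the next hop, or None when the packet is dropped."""
            best = None
            for net, hop in routes:
                if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, hop)
            return best[1] if best else None


        def forward_allowed(dst):
            """Forward direction: does the SSL VPN policy permit the client to send to dst?"""
            dst = ipaddress.ip_address(dst)
            return any(dst in net for net in PERMITTED)


        def snat_to_nated_range(src):
            """One-to-one source NAT: keep the host offset, swap the network part for NATED_RANGE."""
            src = ipaddress.ip_address(src)
            if src not in VPN_POOL:
                return src
            offset = int(src) - int(VPN_POOL.network_address)
            if offset >= NATED_RANGE.num_addresses:
                raise ValueError("NAT range is smaller than the VPN pool")
            return ipaddress.ip_address(int(NATED_RANGE.network_address) + offset)


        def reply_next_hop(client, snat):
            """Where the remote server's reply to a VPN client would go, with or without SNAT."""
            client = ipaddress.ip_address(client)
            src_seen_by_server = snat_to_nated_range(client) if snat else client
            return lookup(REMOTE_ROUTES, src_seen_by_server)


        if __name__ == "__main__":
            print("forward permitted:", forward_allowed(REMOTE_SERVER))
            print("reply without SNAT:", reply_next_hop("10.81.0.5", snat=False))
            print("reply with SNAT:", reply_next_hop("10.81.0.5", snat=True))
        ```

        The forward check passes in both cases, which is why adding MRI_NEW1 to the permitted IPs and the firewall rule is not enough: the reply is dropped at the remote side because no route covers the 10.81.x.x pool. Translating the client source into the range the tunnel already carries makes the reply follow the existing tunnel route, without any change on the remote network.
        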

      • Hi  

        Could you perhaps specify what more information you require?

        • Hello Werner,

          A simple network diagram would be helpful to understand your nets and the routing.

          With kind regards, best regards from Germany,

          Philipp Rusch

          New Vision GmbH, Germany
          Sophos Silver-Partner

          If a post solves your question please use the 'Verify Answer' button.