Remote Access VPN (SSL) over IPSec

Edit: I just did a traceroute and it seems that the ping is sent trough the SSL tunnel, but the XG does not send it trough the IPSec tunnel but the WAN interface.

Hello SIOD Support ,

Thanks for reaching out to Sophos Community. 

Could you try to follow steps as outlined on this document guide to enable traffic between the local network and the remote subnet to pass through the IPsec connection.: https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SiteToSiteVPN/HowToArticles/S2sVPNIPsecCreateIPsecRouteNAT/index.html#edit-the-reflexive-snat-rule

Regards,

Hi,

thank you for the help. I don't know if this article fits my case. For example, i think i can't create a general DNAT rule for the LAN port since not everything that comes this way from the remote network should be natted. But maybe i'm just misunderstanding this too. Can this article be used for a SSL VPN over IPSec connection? In the meantime, i tried to SNAT the VPN network to a single IP and an IP range from one of the IPSec local networks, which also didn't work.

To carry sslvpn ra traffic into the IPsec tunnel, 

on SFOS, remote access vpn-->sslvpn --> global settings --> ipv4 addresses  - use this n/w (call this as virtual ip pool n/w) as part of 'Local subnet' of IPsec tunnel and 'Remote subnet' of IPsec tunnel config on PFsense; also adjust firewall rules to allow the sslvpn virtual ip pool n/w in the firewall rules on SFOS and PFsense.

Hi all, same problem, i cannot access from ssl vpn to the the remote ipsec tunnel

Hi SOID,

It seems like you’re having trouble accessing a host on the IPSec remote site via your SSL VPN connection. You mentioned that you’ve already built some firewall rules, which allow access from your SSL network to the IPSec remote network on pfsense site, and also allowed the remote networks in VPN policy. You also checked the routes given by the VPN on your clients and they seem okay (gateway is the VPN Sophos gateway). However, when you try to ping a host on the remote site, you’re getting an answer from your ISP that the host cannot be reached. So it seems that, despite the client seems to have the correct route, it’s not sending the echo over the SSL tunnel.

one possible reason for this issue could be that the physical ports of the Sophos Firewall are allowed in the Permitted network resources (IPv4) section of VPN > SSL VPN (remote access). If allowed, the SSL VPN user would not access the internal network; instead, create a new IP Host/Network for SSL VPN user access.

Thanks and Regards,

Vaibhav Patil | Network Administrator

Hello, i just resolved the problem putting a SNAT in the IPSEC tunnel and everything is working, thanks for all the support.

Valerio