Remote Access VPN (SSL) over IPSec

Question

Hi all, 
 i have the following issue and hope that someone can give me a hint or two: 
 We're using a remote access connection (SSL VPN) to our Sophos XG. On the Sophos XG, we have an IPSec tunnel to another router (pfsense). Both work great. 
 Now, we're trying to access a host on the IPSec remote site via our SSL VPN connection. I already built some firewall rules, which allow access from our SSL network to the IPSec remote network on pfsense site, also i allowed the remote networks in VPN policy. I checked the routes given by the VPN on our clients and they seem ok (gateway is the VPN Sophos gateway). 
 However, it does not work and now we're a bit lost. When i try to ping a host on the remote site, i'm getting an answer from my ISP that the host cannot be reached. So it seems that, despite the client seems to have the correct route, it's not sending the echo over the SSL tunnel. Can someone give us a heads up what we missed or what has to be done to make this functioning? 
 Many thanks in advance!

Sreenivasulu Naidu · Accepted Answer

To carry sslvpn ra traffic into the IPsec tunnel, 
 on SFOS, remote access vpn-->sslvpn --> global settings --> ipv4 addresses - use this n/w (call this as virtual ip pool n/w) as part of 'Local subnet' of IPsec tunnel and 'Remote subnet' of IPsec tunnel config on PFsense; also adjust firewall rules to allow the sslvpn virtual ip pool n/w in the firewall rules on SFOS and PFsense.

Raphael Alganes · Answer

Hello SIOD Support , 
 Thanks for reaching out to Sophos Community. 
 Could you try to follow steps as outlined on this document guide to enable traffic between the local network and the remote subnet to pass through the IPsec connection.: https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SiteToSiteVPN/HowToArticles/S2sVPNIPsecCreateIPsecRouteNAT/index.html#edit-the-reflexive-snat-rule 
 Regards,

Vaibhav Patil · Answer

Hi SOID, 
 It seems like you&rsquo;re having trouble accessing a host on the IPSec remote site via your SSL VPN connection. You mentioned that you&rsquo;ve already built some firewall rules, which allow access from your SSL network to the IPSec remote network on pfsense site, and also allowed the remote networks in VPN policy. You also checked the routes given by the VPN on your clients and they seem okay (gateway is the VPN Sophos gateway). However, when you try to ping a host on the remote site, you&rsquo;re getting an answer from your ISP that the host cannot be reached. So it seems that, despite the client seems to have the correct route, it&rsquo;s not sending the echo over the SSL tunnel. 
 one possible reason for this issue could be that the physical ports of the Sophos Firewall are allowed in the Permitted network resources (IPv4) section of VPN > SSL VPN (remote access). If allowed, the SSL VPN user would not access the internal network; instead, create a new IP Host/Network for SSL VPN user access. 
 Thanks and Regards, 
 Vaibhav Patil | Network Administrator

Valerio Baroni · Answer

Hello, i just resolved the problem putting a SNAT in the IPSEC tunnel and everything is working, thanks for all the support. 
 Valerio

Remote Access VPN (SSL) over IPSec

Top Replies