

Sophos SSL VPN XGS116

Hi,

I have configured SSL VPN; this works well, and clients can connect. The issue is that we can only access or connect to the devices or nodes whose gateway is the firewall IP. We have other Sophos gateways, but VPN clients cannot access these until we change the gateway to the one that has the SSL VPN.



This thread was automatically locked due to age.
  • Hello Shoug,

    Thanks for reaching out to Sophos Community.

    Could you share the network settings of the clients/machines that can't connect when SF is not their GW? Also, could you share your SSL VPN settings?

    Could you also share the results of a traceroute from the clients going to the internal network, and kindly enable logging of firewall traffic for that firewall rule and check if there are any deny messages.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    Thanks for your reply.

    Please check these attached screenshots. When I change the GW to the same as the SF, clients can access it; otherwise, they cannot.

  • Hello Shoug,

    Thanks for sharing these details. From what I understand, only those whose default gateway on the local subnet (172.16.100.0/21) is the Sophos Firewall are able to establish a connection?

    - What is the Firewall IP (default gateway)? What are the other DG IPs on the local subnet?

    The reason they can connect back when SF is their DG is that SF knows the route back to the SSL VPN network. When you set another DG/router that does not know, or does not have a specific policy, to connect to the SSL VPN network, traffic will fail. If you opt to go along the path where SF is not the DG, the router/DG must have a route to the 10.81.234.0/24 network --> through the Sophos Firewall, then SF --> SSL VPN network.

    If you do not have any complex reason or setup, I would suggest changing the LAN network DG to the Sophos Firewall IP.

    Kindly let me know if my understanding of your setup is correct. Hope this helps, and thank you for choosing Sophos.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • You probably shouldn't listen to me (I'm just passing through trying to work out other things...)

    But I'd be running "route print" in a command prompt on the client and checking that your routes are correctly configured to route to the other device via the VPN connection.

    I'm GUESSING there may be issues if you have turned off "use as default gateway"?
    Is the other subnet added to the permitted network resources?

    This would be in the actual connection settings (NOT the SSL VPN global settings).

  • Hi Raphael,

    Thanks for the reply. The other DGs that we have are also Sophos FWs. The thing here is that there are a lot of devices that we would have to go back and change to the current SSL VPN FW as their DG. It would be better if I could solve this so they connect even if the device's DG is not the SF that has the SSL VPN.

    The current SF that has the VPN is 100.244; we have other SFs with differing IPs (100.245, 100.240, and Sophos UTM 102.208).

  • Thanks Martin.

    I have turned off "use as default gateway"; do you think that I should keep it on?

    I have added our local subnet as permitted resources.

  • It was said in another answer above, but check your routes.

    Every "other" gateway should have a route to the 10.81.234.0/24 network via the SSL Sophos firewall. Also, those other firewalls should not have 10.81.234.0 configured locally; otherwise traffic will never be able to get from this network to the firewall managing the SSL VPN.

    SSL clients in their turn will need the subnets for the other networks in the tunnel (or tunnel all traffic (the "use as default gateway" option)).

    Also, the Sophos firewall with the SSL VPN should have routes to the other firewalls' subnets.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and feeling good about helping others with their IT security challenges.

  • The "use as default gateway" option only says that the clients' main traffic goes through the Sophos too.

    This means traffic like internet traffic will be routed over the VPN; usually you want to keep this on, since you don't want your clients to have an open connection to an unknown/private network and your company network at the same time.