Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

IPsec Remote Access VPN - Force specific traffic through VPN

I reviewed this

Force specific websites through VPN tunnel? 

This works for SSL VPN.  However adding a host IP under IPsec Remote Access does nothing.  Also cannot add an FQDN host under IPsec Remote Access under v20.

Is there any way to get this to work on an IPsec VPN or should I submit a feature request?



Edited TAGs
[edited by: Erick Jan at 4:23 AM (GMT -7) on 15 Apr 2024]
  • You have restarted the VPN connection...?
    Please try a traceroute to your destination with and without VPN-Connection.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • FQDN Host support is not available for IPsec Remote Access. Adding IP Host/Network in "Permitted Network Resources" is supported. But, the scx file has to be re-downloaded on the remote end. If you are using .pro file on the remote end, then the connection needs to be updated. In SSLVPN, only reconnection is needed

  • I downloaded a new SCX and OVPN files after making the change. For IPsec VPN, traceroute still goes out the internet.  By using SSL VPN, it goes through the tunnel.

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • The scenario is the customer has a hosted service that's only accessible from their office locations.  To give mobile users access, we need the traffic to first be routed through their IPsec VPN before egress to the internet.

    I added the IP to the Permitted Network Resources for IPsec Remote Access and downloaded a new SCX file.  Traffic still goes out the internet instead of IPsec VPN.  I configured the SSL VPN and that works just fine.

    Are you suggesting that this "should" work with IPsec VPN?

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • Yes, this should work with IPsec VPN. Do you have a split or full tunnel both in case of IPsec and SSLVPN ? You said the remote access users accessing the IP resources are mobile users. Which OS -- Android or iOS ?

  • Split Tunnel.  Mobile, sorry I meant to be those that are mobile in the field with Windows computers.  Then last entry in the permitted resources is the IP address to the external host.

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • Split Tunnel.  Mobile, sorry I meant to be those that are mobile in the field with Windows computers.  Then last entry in the permitted resources is the IP address to the external host.

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • This should have worked. In the "ipsec statusall" output from the firewall (you have to ssh to the firewall), when any remote user is connected, do you see your intended IP in child SA subnets ?