IPsec Remote Access VPN - Force specific traffic through VPN

I reviewed this

Force specific websites through VPN tunnel? 

This works for SSL VPN.  However adding a host IP under IPsec Remote Access does nothing.  Also cannot add an FQDN host under IPsec Remote Access under v20.

Is there any way to get this to work on an IPsec VPN or should I submit a feature request?

  • FQDN Host support is not available for IPsec Remote Access. Adding IP Host/Network in "Permitted Network Resources" is supported. But, the scx file has to be re-downloaded on the remote end. If you are using .pro file on the remote end, then the connection needs to be updated. In SSLVPN, only reconnection is needed

  • The scenario is the customer has a hosted service that's only accessible from their office locations.  To give mobile users access, we need the traffic to first be routed through their IPsec VPN before egress to the internet.

    I added the IP to the Permitted Network Resources for IPsec Remote Access and downloaded a new SCX file.  Traffic still goes out the internet instead of IPsec VPN.  I configured the SSL VPN and that works just fine.

    Are you suggesting that this "should" work with IPsec VPN?

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • Yes, this should work with IPsec VPN. Do you have a split or full tunnel, in both the IPsec and SSLVPN cases? You said the remote access users accessing the IP resources are mobile users. Which OS, Android or iOS?

  • Split Tunnel.  Mobile, sorry, I meant those that are mobile in the field with Windows computers.  The last entry in the permitted resources is the IP address of the external host.

  • This should have worked. In the "ipsec statusall" output from the firewall (you have to ssh to the firewall), when any remote user is connected, do you see your intended IP in the child SA subnets?
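A small checker for the "ipsec statusall" step the last reply describes, added here as an example; it is not code from the thread or from Sophos. It assumes the firewall's output follows strongSwan's statusall layout, where each child SA has a line of the form `name{N}:   local-selectors === remote-selectors`, and the sample text below is constructed with documentation addresses and a made-up connection name. Given the permitted-resource IP (the hosted service), it reports which child SAs carry that IP in their firewall-side selectors, which is what decides whether the client sends that traffic into the tunnel rather than straight out to the internet.

```python
import ipaddress
import re

# Constructed sample in the shape of strongSwan's "ipsec statusall" output.
# Addresses are from documentation ranges; the connection name is invented.
# 10.81.234.5/32 plays the role of the remote user's tunnel address, and
# 192.168.20.0/24 plays the role of the "Permitted Network Resources" entry.
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
 RemoteAccess_IPsec[3]: ESTABLISHED 12 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.25[roaduser@example.com]
 RemoteAccess_IPsec{3}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1a2b3d4_i 9e8f7a6b_o
 RemoteAccess_IPsec{3}:   10.10.0.0/24 192.168.20.0/24 === 10.81.234.5/32
"""

# Matches only the selector line of a child SA: "name{id}: <local nets> === <remote nets>".
# The IKE SA line uses [id] and the INSTALLED line has no "===", so neither matches.
CHILD_SA_RE = re.compile(
    r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+"
    r"(?P<local>[\d./:a-fA-F ]+?)\s+===\s+(?P<remote>[\d./:a-fA-F ]+?)\s*$"
)


def parse_child_sas(text):
    """Return one dict per child SA: name, id, and its local/remote traffic selectors."""
    sas = []
    for line in text.splitlines():
        m = CHILD_SA_RE.match(line)
        if not m:
            continue
        sas.append({
            "name": m.group("name"),
            "id": int(m.group("id")),
            "local": [ipaddress.ip_network(n) for n in m.group("local").split()],
            "remote": [ipaddress.ip_network(n) for n in m.group("remote").split()],
        })
    return sas


def covered_by(ip, sas):
    """Names (as name{id}) of child SAs whose firewall-side selectors include ip.

    An empty list means the permitted resource never made it into the negotiated
    traffic selectors, so the client has no reason to route that IP via the tunnel
    (for example, the .scx profile was not re-downloaded after the change)."""
    addr = ipaddress.ip_address(ip)
    return [
        f"{sa['name']}{{{sa['id']}}}"
        for sa in sas
        if any(addr in net for net in sa["local"])
    ]


if __name__ == "__main__":
    sas = parse_child_sas(SAMPLE_STATUSALL)
    for target in ("192.168.20.15", "203.0.113.200"):
        hits = covered_by(target, sas)
        print(f"{target}: {'in child SA ' + ', '.join(hits) if hits else 'NOT covered by any child SA'}")
```

Run it against a pasted copy of the real output instead of the constructed sample; if the resource IP is not covered, the fix is on the firewall side (permitted resources and a re-downloaded profile), not on the client's routing table.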
