IPSec VPN access

Question

I'm using the Home Firewall 20.0. I configured IPSec VPN using the Sophos instructional video. I used the default profile. 
 I'm on the road, and trying to connect to devices on my home LAN, via the VPN. Let's call the LAN subnet X.X.X.0/24. The Sophos firewall is on this subnet with IP address X.X.X.1. 
 The VPN connects with no problem. While on the road, I can connect to the Sophos via the VPN, and I can ping X.X.X.1, the Sophos address on the home local LAN. But I cannot ping any other devices on that subnet. I have a firewall rule allowing all traffic from the VPN zone and the VPN IP range (the addresses leased out to the VPN clients) to access that subnet. 
 Why does the VPN allow remote clients to access the Sophos firewall, but not other devices on the X.X.X.0 subnet? Is there some extra step required to allow the VPN clients to pass through the firewall and connect to devices in the LAN zone? 
 Follow up: There seems to be a bug with the "Permitted Network Resources" field. 
 1. When I select a network item (X.X.X.0/24) I get the results mentioned above in this post. 2. When I select an individual IP address (X.X.X.99), it works, and I can access that single host. 3. When I try to select an IP range, it doesn't let me! 
 This is very bad. If I want to have access to my entire subnet, which has 200 hosts, I have to add each individual host, one at a time!

Sreenivasulu Naidu · Answer

EastCoastUser , ip range and ip list - though it is configurable from IPSec RA page, we don't allow it to be part of Permitted network resources of IPsec RA; only ip or subnet configured will be listed; I guess you are using split tunnel ? What is the type of device that you are using as ipsec client? is it mobile phone? 
 Can you paste the output of 'ipsec statusall' cli output? you should have an SA listed as below for your permitted subnet (x.x.x.0/24) to virtual ip assigned to your mobile. If you don't have an SA like this, there is no path to carry traffic from the mobile to LAN subnet. 
 
 XGS2300_RL01_SFOS 21.0.0 EAP0-Build2794 HA-Primary# ipsec statusall | grep IPSEC IPSECRA-1: 66.198.16.135...%any IKEv1, dpddelay=60s IPSECRA-1: local: [66.198.16.135] uses pre-shared key authentication IPSECRA-1: remote: uses pre-shared key authentication IPSECRA-1: remote: uses XAuth authentication: access_server IPSECRA-1: child: 172.16.2.0/24 === 0.0.0.0/0 TUNNEL, dpdaction=none IPSECRA-1[2881]: ESTABLISHED 18 seconds ago, 66.198.16.135[66.198.16.135]...115.99.117.66[192.168.1.4] IPSECRA-1[2881]: Remote XAuth identity: user1 IPSECRA-1[2881]: IKEv1 SPIs: 97ff496db8c6f8f6_i e8f43156371478f5_r*, pre-shared key reauthentication in 4 hours IPSECRA-1[2881]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 IPSECRA-1{5371}: INSTALLED, TUNNEL, reqid 10, ESP in UDP SPIs: c224c7ab_i c0db9892_o IPSECRA-1{5371}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 49 minutes IPSECRA-1{5371}: x.x.x.0/24 === 25.1.1.1/32 
 
 If the SA is listed for x.x.x.0/24, if the traffic fails, send traffic (can initiate ping from ipsec RA device to one of the available ip of x.x.x0/24), capture traffic on ipsec0 interface? on advanced shell cli use this commant - tcpdump -ni ipsec0; if the traffic is seen on ipsec0 interface, see if this is routed to LAN port of SFOS.

PhilippRusch · Answer

Hello EastCoastUser, 
 of course you can use a network item with the same network and same scope of one the other interfaces at your firewall as "permitted network resources". I always do configure this like that. 
 The must be something else in your configuration causing this behaviour.

IPSec VPN access

Top Replies