IPSec VPN access

I'm using the Home Firewall 20.0. I configured IPSec VPN using the Sophos instructional video. I used the default profile.

I'm on the road, and trying to connect to devices on my home LAN, via the VPN. Let's call the LAN subnet X.X.X.0/24. The Sophos firewall is on this subnet with IP address X.X.X.1.

The VPN connects with no problem. While on the road, I can connect to the Sophos via the VPN, and I can ping X.X.X.1, the Sophos address on the home local LAN. But I cannot ping any other devices on that subnet. I have a firewall rule allowing all traffic from the VPN zone and the VPN IP range (the addresses leased out to the VPN clients) to access that subnet.

Why does the VPN allow remote clients to access the Sophos firewall, but not other devices on the X.X.X.0 subnet? Is there some extra step required to allow the VPN clients to pass through the firewall and connect to devices in the LAN zone?

Follow up: There seems to be a bug with the "Permitted Network Resources" field.

1. When I select a network item (X.X.X.0/24) I get the results mentioned above in this post.
2. When I select an individual IP address (X.X.X.99), it works, and I can access that single host.
3. When I try to select an IP range, it doesn't let me!

This is very bad. If I want to have access to my entire subnet, which has 200 hosts, I have to add each individual host, one at a time!

[edited by: Erick Jan at 12:42 AM (GMT -7) on 24 Apr 2024]
Hi Erick, I was able to solve the problem by configuring the setting to X.0.0.0/8 and specifying the entire Class A network.

Another reply mentioned that IP list and range are not supported for this setting. Is there any reason why?

Also, why not make this field optional? If I connect into my network via the VPN, I want to access ALL devices behind the firewall, and not have to specify which devices. Perhaps have an ALL option, or at least allow entire zones, without having to specify any IP addresses or networks? I tried using 0.0.0.0/0, but it didn't accept it. It would be nice to just say, "Let me access everything" or "Let me access the LAN zone."
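As an added example (not code from the thread or from Sophos), the following script addresses the two complaints above from a least-privilege angle: because "Permitted Network Resources" takes network objects and single hosts but not ranges, it summarises the range of hosts that actually needs to be reachable into the fewest CIDR blocks, and it quantifies how many extra addresses a broad workaround such as a /8 grants compared with those blocks. The 192.168.10.x addresses are constructed sample values standing in for the poster's X.X.X.0/24 LAN.

```python
# Added example, not from the thread. Constructed sample addresses stand in for
# the poster's X.X.X.0/24 LAN.
import ipaddress


def cidrs_for_range(first: str, last: str) -> list[str]:
    """Smallest set of CIDR blocks covering the inclusive range first..last.

    Each block can be entered as a network object in a field that rejects
    IP ranges and lists, instead of adding every host one at a time.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def over_grant(permitted: str, needed: list[str]) -> int:
    """Addresses allowed by `permitted` that lie outside the `needed` blocks.

    CIDR blocks either nest or are disjoint, so each needed block is either
    fully inside the permitted network, disjoint from it, or contains it.
    """
    allowed = ipaddress.ip_network(permitted, strict=False)
    covered = 0
    for n in (ipaddress.ip_network(b) for b in needed):
        if allowed.subnet_of(n):
            return 0                      # permitted block is already minimal
        if n.subnet_of(allowed):
            covered += n.num_addresses
    return allowed.num_addresses - covered


if __name__ == "__main__":
    # About 200 hosts on the sample LAN that should be reachable over the VPN.
    blocks = cidrs_for_range("192.168.10.10", "192.168.10.209")
    print("network objects to add:", blocks)
    print("extra addresses granted by a /8:", over_grant("192.168.0.0/8", blocks))
    print("extra addresses granted by the /24:", over_grant("192.168.10.0/24", blocks))
```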