
IPSec VPN access

I'm using the Home Firewall 20.0. I configured IPSec VPN using the Sophos instructional video. I used the default profile.

I'm on the road, and trying to connect to devices on my home LAN, via the VPN. Let's call the LAN subnet X.X.X.0/24. The Sophos firewall is on this subnet with IP address X.X.X.1. 

The VPN connects with no problem. While on the road, I can connect to the Sophos via the VPN, and I can ping X.X.X.1, the Sophos address on the home local LAN. But I cannot ping any other devices on that subnet. I have a firewall rule allowing all traffic from the VPN zone and the VPN IP range (the addresses leased out to the VPN clients) to access that subnet.

Why does the VPN allow remote clients to access the Sophos firewall, but not other devices on the X.X.X.0 subnet? Is there some extra step required to allow the VPN clients to pass through the firewall and connect to devices in the LAN zone?

Follow up: There seems to be a bug with the "Permitted Network Resources" field.

1. When I select a network item (X.X.X.0/24) I get the results mentioned above in this post.
2. When I select an individual IP address (X.X.X.99), it works, and I can access that single host.
3. When I try to select an IP range, it doesn't let me!

This is very bad. If I want to have access to my entire subnet, which has 200 hosts, I have to add each individual host, one at a time!



  • Hi EastCoastUser,

    Thank you for reaching out to Sophos Community.

    Kindly check for a Local ACL restriction, and do a packet capture (tcpdump) for the individual IP and for the network range, to compare the traffic against the policy rule and verify the configuration.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hi Erick, I was able to solve the problem by configuring the setting to X.0.0.0/8 and specifying the entire Class A network.

    Another reply mentioned that IP list and range are not supported for this setting. Is there any reason why?


    Also, why not make this field optional? If I connect into my network via the VPN, I want to access ALL devices behind the firewall, and not have to specify which devices. Perhaps have an ALL option, or at least allow entire zones, without having to specify any IP addresses or networks? I tried using 0.0.0.0/0, but it didn't accept it. It would be nice to just say, "Let me access everything" or "Let me access the LAN zone."
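Two points in this thread lend themselves to a worked example: the complaint that the "Permitted Network Resources" field accepts network objects and single hosts but not IP ranges, and the workaround of entering X.0.0.0/8 to get the whole LAN through. The script below is an added example and not part of the original thread or of Sophos' own tooling; it uses only Python's standard ipaddress module. It assumes a constructed LAN of 10.20.30.0/24 (the thread anonymises the real subnet as X.X.X.0/24) and shows, first, how an inclusive IP range is split into the CIDR blocks such a field does accept, second, how a long list of single hosts collapses into the minimal set of CIDRs, and third, how many addresses outside the LAN a given entry exposes. That last number is the caveat a practitioner would want before settling on a /8 workaround: the VPN's traffic selector then covers 16 million addresses instead of 256, so any other network reachable from the firewall that happens to fall inside 10.0.0.0/8 is reachable from the road as well, subject only to the firewall rules.

```python
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample LAN standing in for the thread's X.X.X.0/24 (assumption, not from the post).
LAN = ipaddress.ip_network("10.20.30.0/24")


def range_to_cidrs(first: str, last: str) -> List[IPNetwork]:
    """Split an inclusive address range into the smallest set of CIDR blocks.

    Useful when a UI field accepts network objects in prefix notation but refuses
    a start-end range: every range is exactly representable as a list of CIDRs.
    """
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        a, b = b, a
    return list(ipaddress.summarize_address_range(a, b))


def hosts_to_cidrs(hosts: Iterable[str]) -> List[IPNetwork]:
    """Collapse single-host entries (and any networks) into the minimal CIDR set.

    Adjacent /32s merge upward (e.g. .4-.7 becomes a /30), so a list of 200
    individual hosts usually shrinks to a handful of network objects.
    """
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    return list(ipaddress.collapse_addresses(nets))


def overreach(permitted: str, lan: IPNetwork = LAN) -> int:
    """Return how many addresses a permitted entry exposes beyond the LAN.

    CIDR blocks either nest or are disjoint, so three cases cover everything:
    the entry sits inside the LAN (0), it contains the LAN (difference in size),
    or it is unrelated to the LAN (the entry's whole size).
    """
    net = ipaddress.ip_network(permitted, strict=False)
    if net.version != lan.version:
        return net.num_addresses
    if net.subnet_of(lan):
        return 0
    if lan.subnet_of(net):
        return net.num_addresses - lan.num_addresses
    return net.num_addresses


if __name__ == "__main__":
    # A range the UI would refuse, expressed as blocks it accepts.
    for cidr in range_to_cidrs("10.20.30.10", "10.20.30.200"):
        print("range block:", cidr)

    # Four individual hosts the user would otherwise add one at a time.
    print("collapsed hosts:", hosts_to_cidrs(
        ["10.20.30.4", "10.20.30.5", "10.20.30.6", "10.20.30.7"]))

    # How far each candidate entry reaches past the LAN.
    for entry in ("10.20.30.0/24", "10.20.30.99/32", "10.0.0.0/8", "0.0.0.0/0"):
        print(f"{entry:>14} exposes {overreach(entry):>10} addresses outside the LAN")
```

Run it as-is and the /8 line shows 16,776,960 addresses beyond the 256 the LAN actually needs; the /24 and the single-host entries show 0. The practical takeaway is that the field's restriction to network objects is a presentation limit, not a reason to widen the selector: compute the exact CIDR list for the hosts or range you need and enter those, or enter the LAN's own /24 if that is accepted in your build, and keep the firewall rule from the VPN zone as the second control rather than the only one.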
