XGS87 (SFOS 20.0.2 MR-2-Build378) VPN Routing Problem

Question

Hello, 
 
 we have a problem which with the routing over VPN. 
 
 A user is connected to SSL VPN with the XGS. The XGS has a site to site IPsec VPN connection to resources in the cloud. A request from the user's client using SSL VPN for resources in the cloud network is not possible. I can access the resources in the cloud from the LAN. When I do a traceout from the client, I see how the SSL VPN gateway is addressed, but instead of going via the site to site VPN route, the packet is sent over the Internet. If I do a traceroute to the cloud resource in the XGS, it also goes over the Internet. When I request the same resource via route resolution, the XGS shows me a direct connection. But I can't create a route because I can't select an interface for the Site to Site VPn.

Help Me · Accepted Answer

Hello Thank You after a while we found a few missing options on the OPNSense we had to activate Tunnleisolation and we had to make a few changes at the firewall but now every hing is running. 
 
 Thank You all for the help.

LuCar Toni · Answer

Likely you need something like a DNAT Rule or you can adjust the IPsec tunnel. 
 The ipsec tunnel only routes the traffic matching the local and the remote network (in your case LAN and the Cloud resource). 
 You can adjust both sides of the tunnel and add the SSLVPN tunnel to it. This will work. 
 If you cannot do this, you need to work with a SNAT and masq, which requires more adjustments.

Sreenivasulu Naidu · Answer

I assume you are using policy base s2s IPsec tunnel on XGS; Ensure SSLVPN RA IP pool (that you configure in SSLVPN global settings) subnet is configured in the local subnet of IPsec config on XGS and in the remote subnet of IPsec gateway of Cloud. Please verify this config and let us know if SSLVPN RA user can access your cloud resources.

XGS87 (SFOS 20.0.2 MR-2-Build378) VPN Routing Problem

Top Replies