VPN FQDN/website reroute and remote subnet access

I've created a site-to-site VPN connection from my default-local-LAN (10.10.0.0/24) to default-offsite-LAN (10.0.1.0/24). I used the wizard. I didn't configure a local/remote ID. The connection itself works fine. I made rules which allow all traffic from VPN local-sub to offsite-sub and vice versa.

Now the first problem. I can ping all devices through the VPN connection, but for example I can't access the UniFi web portal at 10.0.1.5:8443, nor other devices. I also activated Sophos web portal access through VPN and I can't reach it (only access checked on offsite).

The other thing I want is to route an FQDN from offsite to the local WAN connection. I made a rule on offsite with source: LAN net: offsite | target: VPN net: *.example.com
On the local I've source: VPN net: offsite | target: WAN any
I don't know how to make the correct rule.

General info
The main Sophos is directly connected to the internet. The offsite is behind a NAT (I guess it would only be a problem for the general connection).
I also read the documentation. I'm not sure if site-to-site or XFRM is better for what I want.

I considered using the same subnet for my local UniFi and offsite, but I think the better way is to let both sides keep control on their own.

Does anyone have tips and tricks for me?

Added TAGs
[edited by: Raphael Alganes at 1:56 PM (GMT -8) on 10 Jan 2025]
  • I have been trying to do this for a while, I don't think Sophos can do it. I know FortiGate can do this.

  • One problem that you mentioned is that you are not able to access the Sophos admin portal through the VPN and also some specific ports. Did you check if the firewall is dropping these connection packets? Which SFOS release version are you on?

    • I'm on the latest version, SFOS 21.0.0 GA. I don't know where I can find out if packets are being dropped. I found some other things out.
      When I use the console to initiate a connection I can magically reach the web UI. For the UniFi controller this command works: 'openssl s_client -connect 10.0.1.10:8443 -servername unifi -verify 1' (I have no SSH open). For Proxmox it's connecting via SSH (the openssl didn't work, maybe my fault). OpenSpeedTest and the Sophos UI won't work at all.

      OpenSpeedTest over HTTP is therefore no problem at all. It's somehow only SSL traffic.

    • Here is everything I found out so far

      From Offsite to Local
      I can connect to/reach my UniFi web UI, Proxmox UI and TrueNAS UI but not the Sophos UI (I tried everything active in the VPN ACL)

      From Local to Offsite
      When I use the console to initiate a connection I can magically reach the web UI. For the UniFi controller this command works: 'openssl s_client -connect 10.0.1.10:8443 -servername unifi -verify 1' (I have no SSH open). For Proxmox it's connecting via SSH (the openssl didn't work, maybe my fault). OpenSpeedTest and the Sophos UI won't work at all.

      OpenSpeedTest over HTTP is therefore no problem at all. It's somehow only SSL traffic.

      Firmware
      Both are on SFOS 21.0.0 GA

      • I am assuming the below topology:

        Machine on Local LAN (M1) <==> Local SFOS <== tunnel ==> Offsite SFOS <==> Machine on offsite LAN (M2)

        I can connect/reach to my Unifi webUI, Proxmox UI and TrueNAS UI but not Sophos UI (I tried everything active in the VPN ACL) 

        For this, I am assuming you are trying to access the Local SFOS UI from M2. Is it on the Local SFOS LAN IP or WAN IP? If it is the WAN IP of Local SFOS, you need to add that IP in the remote subnet configuration of the IPSec tunnel on Offsite SFOS and similarly to the local subnet on the Local SFOS IPSec tunnel configuration. If it is the LAN IP, then enable HTTPS on LAN in the admin ACL of Local SFOS.

        When I use the console to initiate a connection I can magically reach the webUI. For unifi controller this command works 'openssl s_client -connect 10.0.1.10:8443 -servername unifi -verify 1'  (i have no ssh open), for Proxmox its connecting via ssh (the openssl didn't work maybe my fault), openspeedtest and the sophos UI won't work at all.

        This I need to understand a bit more. How are you initiating a web UI connection from the Local SFOS to the Offsite SFOS? They should be reachable anyway, because the tunnel only gets established if they are reachable. The unifi command that you are giving is from the machine M1 (in the topology above)?

        • Yes, local LAN is on 10.10.0.0/24, offsite LAN 10.0.1.0/24, both have the firewall on .1

          It's the LAN IP of the SFOS and I enabled the HTTPS access in the ACL. I even enabled all for testing but I can't connect.
          The first part with the WAN IP I didn't quite understand. For that I would need to enable the HTTPS access on the WAN ACL too?
          But I think it wouldn't work anyway because the offsite SFOS is behind an ISP router (double NAT).

          Sorry, the commands are used on my PC. I see why it was not clear to understand.
          For UniFi I can "force" the connection when I run 'openssl s_client -connect 10.0.1.10:8443 -servername unifi -verify 1' in the CLI.
          For Proxmox I have to connect via SSH to reach the web UI; the openssl cert thing doesn't work.

          The SFOS webUI I could never reach.

      • If you can, move to XFRM / route-based VPN. It should solve this issue. It could be a potential MTU issue, which is addressed by XFRM.


        • Okay, I should be able to test this. Is there no way to change this with site-to-site?

          I guess it's no problem to use XFRM. The only inconvenience I see is that the interface has its own subnet.

          • I tested the max MTU locally and over the VPN. The max on both local sides is 1472 and over the VPN it's 1346. This overhead from the VPN seems about right to me. Wouldn't it be the same with XFRM?

            How can I create an XFRM interface? The documentation shows "Local ID type: Select local ID" but this is not usable with the tunnel option for me.

            For the other options (DNS, IP, email) I don't understand what I should put in. Does it have to be the same on both devices? The IP of the interface LAN/VPN? Does the email need to be accessible to the SFOS?
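One way to automate the DF-bit ping test described in the reply above, as an added example that is not code from the thread. It assumes Linux iputils ping ("-M do" sets Don't Fragment) and uses the two firewalls' LAN addresses from the thread as sample hosts.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the DF-bit ping test the
# poster ran by hand (1472-byte payload locally, 1346 through the tunnel).
# Assumes Linux iputils ping, where "-M do" sets the Don't Fragment bit.

# probe HOST SIZE: succeed if one DF-bit ping with SIZE payload bytes is answered
probe() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LOW HIGH: binary search for the largest payload size
# that probe accepts. LOW must pass and HIGH must fail (0 and 1500 are safe
# choices on an Ethernet path, since 1500 + 28 header bytes never fits).
find_max_payload() {
    host=$1; lo=$2; hi=$3
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if probe "$host" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# path_mtu PAYLOAD: the MTU implied by a maximum ICMP payload, adding the
# 20-byte IPv4 header and 8-byte ICMP header (1472 -> 1500, 1346 -> 1374).
path_mtu() {
    echo $(($1 + 28))
}

# report LOCAL_HOST TUNNEL_HOST: measure both paths and show the tunnel overhead
report() {
    local_max=$(find_max_payload "$1" 0 1500)
    tunnel_max=$(find_max_payload "$2" 0 1500)
    echo "local path MTU:  $(path_mtu "$local_max")"
    echo "tunnel path MTU: $(path_mtu "$tunnel_max")"
    echo "VPN overhead:    $((local_max - tunnel_max)) bytes"
}

# Usage: sh mtu_probe.sh --run  (local firewall 10.10.0.1, remote LAN 10.0.1.1)
if [ "${1:-}" = "--run" ]; then
    report 10.10.0.1 10.0.1.1
fi
```

Run it from a LAN client on each side; if the tunnel ceiling is far below the local one, lowering the interface MTU or enabling MSS clamping on the tunnel is the usual fix.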

            • Hello Oliver,

              "Lokale ID" is easy: you have an ID for the local firewall device and one for the remote firewall device. You can choose for each device which one you want. For "Email", for instance, you can choose any email you want; it will not be used for any mail traffic, it is only an identifier and doesn't even have to exist. It just needs to have the right format, like localdonald@duck.com. And on the other side it has to be used vice versa. So there is local = remote and remote = local.

              Kind regards, best regards from Germany,

              Philipp Rusch

              New Vision GmbH, Germany
              Sophos Silver-Partner

              If a post solves your question please use the 'Verify Answer' button.

              • Hello Philipp,

                thanks for the answer.

              • I've tried with the XFRM but I didn't quite know how to configure it yet. Also my "normal" site-to-site doesn't work anymore.

                The IP in the XFRM interface is the internal one for the tunnel and has to be on the same subnet for both firewalls? But how do I configure the gateway for it? The logs show problems with the gateway.

                • The XFRM interface is a tunnel interface. Think of it like a cable between both. So you need to give it an IP in the same range (XGS1 and XGS2).

                  Check here: Sophos Firewall: VPN & SD-WAN Zero Downtime Failover - Best Practice Guide


                  • Thanks, I found the problem for the initial connection. I had the local/remote ID and local email configured on the offsite.
                    I still don't get why MTU should be the problem. The max MTU is still 1346.

                    But unlike in the guide, I had to choose a local and remote subnet. The gateways always show red on both sides. I don't know what's the problem there.

                    Now I still need to figure out how to reroute the traffic, but I think an SD-WAN route is the way to go.