
VPN FQDN/website reroute and remote subnet access

I've created a site-to-site VPN connection from my default-local-LAN (10.10.0.0/24) to default-offsite-LAN (10.0.1.0/24). I used the wizard. I didn't configure a local/remote ID. The connection itself works fine. I made rules which allow all traffic from VPN local-sub to offsite-sub and vice versa.

Now the first problem. I can ping all devices through the VPN connection, but for example I can't access the UniFi web portal 10.0.1.5:8443, nor other devices. I also activated Sophos web portal access through the VPN and I can't reach it (only access checked on offsite).

The other thing I want is to route a FQDN from offsite to the local WAN connection. I made a rule on offsite: source: LAN net: offsite | target: VPN net: *.example.com
On the local side I have: source: VPN net: offsite | target: WAN any
I don't know how to make the correct rule.

General info
The main Sophos is directly connected to the internet. The offsite is behind a NAT (I guess it would only be a problem for the general connection).
I also read the documentation. I'm not sure if site-to-site or XFRM is better for what I want.

I considered using the same subnet for my local UniFi and offsite, but I think the better way is to leave both sides in control of their own.

Any tips and tricks for me?



Added TAGs
[edited by: Raphael Alganes at 1:56 PM (GMT -8) on 10 Jan 2025]
  • One problem you mentioned is that you are not able to access the Sophos admin portal through the VPN, and also some specific ports. Did you check if the firewall is dropping these connection packets? Which SFOS release version are you on?

  • I'm on the latest version, SFOS 21.0.0 GA. I don't know where I can find out if packets are being dropped. I found some other things out.
    When I use the console to initiate a connection I can magically reach the web UI. For the UniFi controller this command works: 'openssl s_client -connect 10.0.1.10:8443 -servername unifi -verify 1' (I have no SSH open); for Proxmox it's connecting via SSH (the openssl didn't work, maybe my fault); openspeedtest and the Sophos UI won't work at all.

    openspeedtest over HTTP is therefore no problem at all. It's only somehow SSL traffic.
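The reply above narrows the symptom to "ping works, TCP works for some things, TLS-based UIs don't". The script below is an added example written for this thread, not code from the original posts or from Sophos: it probes a host:port the way a browser would, first a TCP connect and then a TLS handshake with a given SNI, and reports at which of the two stages the connection fails. A SYN that times out points at a missing or mis-ordered firewall rule or route across the tunnel, while a successful TCP connect followed by a handshake that never completes is the pattern to look for when the tunnel's MTU/MSS or TLS inspection is the culprit rather than the rule set. The target list in `main()` uses the addresses from this thread; the local plain-TCP server and the `closed_port()` helper are constructed stand-ins so the classification logic can be exercised offline.

```python
import socket
import socketserver
import ssl
import threading

# Added example for this thread (not Sophos or UniFi code). Probes a service the
# way a browser does: TCP connect, then a TLS ClientHello with the given SNI.


def probe(host, port, sni=None, timeout=3.0):
    """Return 'tcp_refused', 'tcp_timeout', 'tls_failed' or 'tls_ok' for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Host answered with RST: reachable, but nothing listens on that port
        # (or a firewall rejects rather than drops).
        return "tcp_refused"
    except OSError:
        # No SYN/ACK at all: the typical signature of a packet being dropped
        # on the path, e.g. by a firewall rule or a missing return route.
        return "tcp_timeout"

    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # admin UIs are usually self-signed; we only
    ctx.verify_mode = ssl.CERT_NONE  # care whether the handshake completes at all
    try:
        with ctx.wrap_socket(sock, server_hostname=sni or host):
            return "tls_ok"
    except (ssl.SSLError, OSError):
        # TCP worked but the handshake did not: large handshake records not
        # making it through (MTU/MSS), or something else sitting in the path.
        return "tls_failed"
    finally:
        sock.close()


class _PlainTextHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a service that speaks plain HTTP only, so a
    TLS ClientHello gets a non-TLS reply and the handshake fails at once."""

    def handle(self):
        try:
            self.request.recv(1024)
            self.request.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        except OSError:
            pass


def start_plain_server():
    """Start the constructed plain-text server on an ephemeral loopback port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _PlainTextHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_port():
    """Pick a loopback port that nothing listens on (bind, read it back, close)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def main():
    # Hosts from the thread: the UniFi controller reached via openssl s_client,
    # and the UniFi portal that the browser could not open. SNI 'unifi' as used
    # in the poster's openssl command.
    targets = [("10.0.1.10", 8443, "unifi"), ("10.0.1.5", 8443, "unifi")]
    for host, port, sni in targets:
        print(f"{host}:{port} sni={sni}: {probe(host, port, sni)}")


if __name__ == "__main__":
    main()
```

Run it from a client on the 10.10.0.0/24 side and compare with the same run from the firewall console: if the console shows `tls_ok` and the LAN client shows `tcp_timeout`, the difference is in the rules or routes that apply to LAN-originated traffic, not in the remote service.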
