
SSL VPN connected but no traffic

Hello,

I've set up XG Firewall in a home environment. I can connect remotely via SSL VPN, but then I can't reach any machine in the LAN despite following the steps of this guide.

I used to use UTM9, without an issue, at least regarding SSL VPN access. This one is giving me a headache: I can't tell whether it's a firewall policy or routing issue, or something else.

The XGF is a virtualized appliance (ESXi 6.0) with Port A in LAN (10.0.x.x/16) and Port B in WAN (192.168.1.x/24) (I have no use for Port C for now). WAN is an ISP router with low firewall settings, and NAT rules for the XGF's Port B (8443/SSL VPN and 443/User Portal).

With the default settings, I can connect remotely but that's it. I just tried connecting an Android phone and my laptop, which get IP addresses 10.81.234.6 & .7. Neither can ping each other (guest isolation I suppose), or reach any machine in the 10.0.x.x/16 range.

The guide mentioned above says to create a firewall policy to allow WAN to LAN traffic for a specific user or group. But aren't remote users in the VPN zone? I couldn't see any traffic logged with WAN as the source, but as soon as I added VPN, I did see a few KB being added. My devices are still locked out of the LAN, though, or can't find their route....

Currently, none of the machines in the LAN have the XGF as their default gateway. I want to have it properly configured prior to switching. It shouldn't be a problem, though (?)

  • You say none of the machines on the LAN have the XG as their default GW.... then they will not know how to route the traffic back to the 10.81.234/24 subnet.

    Change ONE machine to use the XG as its gateway and see if you can pass traffic to that one machine from your connected devices.

    --

    Chavous Camp

    UTM, SMC, SGN Certified Engineer / XG Certified Architect

  • Another item on the checklist would be to check on your SSL VPN client whether you have routes for the remote network. If you have routes, the next step would be to look at the VPN to LAN policy and make sure you have one. If it's still in place, please follow ChavousCamp's instructions.

    If you don't see the routes, you need to configure your SSL VPN remote access policy to allow your local LAN network.
  • I have the same problem with an IPsec connection between an XG85w and a UTM SG135. Both firewalls report that the tunnel is up and running, but traffic will not cross the VPN tunnel. And it is not a gateway problem! All is set up properly on the clients. An IPsec tunnel between this UTM and a second UTM is running fine. I have tested many different policy settings on the XG85 but without any success. A traceroute "ends" on the XG85. No errors are reported in the log files. Just nothing. To me it seems that the XG85 firmware has a bug. Does someone else have a working IPsec tunnel running on an XG85? If so, can you please report how the setup is made so I can verify it against my setup? Thanks a lot in advance!

  • Even after setting it up as a gateway, I spent over 8 hours trying every which way I could with no luck. I spent days readying this box to deploy and got stuck on something as easy as VPN. The instructions simply do not work. Very frustrating.
  • ChavousCamp did provide a helpful tip. I have now set the XG as the default gateway everywhere, but the only thing I could achieve is ping a machine on the VPN from the LAN. VPN to LAN is just not working.
    I'm glad I'm not the only one having such a problem.

    I'd like to see comments from folks who got their SSL VPN to work, and if so what IP ranges do they use, and what is the possible difference that makes it work...
  • You can't get it to work. The problem is that the SSL VPN doesn't provide any way to give up routes. I was troubleshooting the connection the other day and it simply doesn't provide static routes to other LAN zones. It also added 3 different static routes to my external IP. The L2TP and the Cisco VPN client do provide this option.
  • I had the same issue until I added a firewall rule to allow traffic
    SOURCE: VLAN/ANY
    DEST: LAN/ANY
    WHAT: ANY
  • I suspect it's a question of having correct firewall policies, like EdDe Sousa suggests. I initially had the same problem and believe I have solved it now.

    At first I was not able to connect outside through the VPN, but after adding the "VPN" zone to the "#Default_Network_Policy" that started working correctly.

    The second issue was traffic from the VPN to LAN (and DMZ and other custom zones that I have created). When connected over SSL VPN, I was able to perform DNS lookups and access remote IPs, and could ping the appliance at its various ports (i.e. can ping to all the x.x.x.1 addresses on the ports, which I have mapped to various zones), but I couldn't seem to ping (or otherwise access) IPs within those zones/networks.

    First I added a blanket rule with: Source=VPN/Any; Destination={LAN,DMZ,etc.}/Any; Service=Any

    Initially that policy was showing no reported traffic and didn't appear to be working. I discovered the rest of the answer in this discussion:

    https://community.sophos.com/products/xg-firewall/f/46/t/10975

    The trick was that I had to create "IP Host" objects (IP ranges did not work, but hosts and networks with masks did for this purpose), e.g. create a named object for your LAN (10.0.x.x in your case), and then go to Settings > VPN > SSL VPN (Remote Access), find your access configuration, and under "Tunnel Access" add to your Permitted Network Resources all the IP Host objects that you created that correspond to the various internal networks that you want your remote VPN users to be able to access. Once I did that and applied the changes, everything seemed to be working correctly.
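    The check suggested earlier in the thread (look on the SSL VPN client for routes to the remote network) and the fix in this answer (Permitted Network Resources in Tunnel Access) are two sides of the same thing: whatever is listed as a permitted resource is what the server pushes to the client as routes. The following is an added example, not code from the thread or from Sophos, that parses the PUSH_REPLY line an OpenVPN-based SSL VPN client logs on connect and reports which LANs are not covered by any pushed route. The log lines and addresses are constructed from the values in this thread.

```python
import ipaddress
import re

# Constructed sample log lines (assumed, not captured from a real appliance).
# An OpenVPN-based client logs the server's PUSH_REPLY on connect; each
# "route <network> <netmask>" entry corresponds to a permitted network
# resource on the server side. Before the LAN object is added, only the
# tunnel's own host route is pushed; after, the 10.0.0.0/16 LAN is pushed too.
PUSH_REPLY_BEFORE = (
    "PUSH: Received control message: 'PUSH_REPLY,"
    "route 10.81.234.1,topology net30,ping 10,ping-restart 120,"
    "ifconfig 10.81.234.6 10.81.234.5'"
)
PUSH_REPLY_AFTER = (
    "PUSH: Received control message: 'PUSH_REPLY,"
    "route 10.0.0.0 255.255.0.0,route 10.81.234.1,topology net30,"
    "ifconfig 10.81.234.6 10.81.234.5'"
)

# "route <addr>" with an optional dotted netmask; entries are comma separated.
ROUTE_RE = re.compile(r"\broute ([^\s,]+)(?: (\d+\.\d+\.\d+\.\d+))?")


def pushed_routes(log_line):
    """Return the networks pushed by the server as ip_network objects."""
    nets = []
    for addr, mask in ROUTE_RE.findall(log_line):
        # A bare "route a.b.c.d" without a mask is a host route (/32).
        cidr = f"{addr}/{mask}" if mask else f"{addr}/32"
        nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def missing_lans(log_line, lans):
    """Return the LANs (CIDR strings) not fully covered by any pushed route."""
    routes = pushed_routes(log_line)
    missing = []
    for lan in lans:
        net = ipaddress.ip_network(lan)
        if not any(net.subnet_of(route) for route in routes):
            missing.append(lan)
    return missing


if __name__ == "__main__":
    wanted = ["10.0.0.0/16"]
    print("before:", missing_lans(PUSH_REPLY_BEFORE, wanted))  # ['10.0.0.0/16']
    print("after:", missing_lans(PUSH_REPLY_AFTER, wanted))    # []
```

    If a LAN shows up as missing, the firewall rule is not the first thing to fix: the client never received a route for it, so packets for that LAN never enter the tunnel at all.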

  • Great find. I remember seeing that other discussion, but must have read it too quickly.
    Thanks for taking the time to explain in detail. I was missing that "IP Host" object, and after a couple of adjustments, it was finally working like it used to with UTM9... :)
  • Great help, but there is no need to add single IP Hosts. I added an IP Host, selected Network, and did it for 192.168.1.0/24.