HTML5-VPN: How to access ressources behind IPsec tunnel?

Question

Hi!

I've set up an IPsec site to site tunnel between two XG Firewalls (called "XGA" and "XGB") and almost everything is working fine, except one thing:

It seems that the XGs itself don't have a route to the opposite end of the tunnel. For example, if I set up a bookmark for a resource, which is in XGB's subnet, I cannot connect to it within XGA's user portal and vice versa. The same does work perfectly when accessing a resource which is not behind the IPsec tunnel.

I've already observed the connection using the built in packet sniffer and it seems that traffic which is generated by XGA gets routed through Port1 (WAN interface) instead of ipsec0. Setting up static routes fails because the web interface won't let me choose ipsec0 as a gateway interface.

Firewall rules do exist for VPN<->LAN, LAN<->VPN and VPN<->VPN on both XGs.

Is there anything I'm missing? I had the same problem with the UTM and never got it to work :-(

Thanks for any help!

This thread was automatically locked due to age.

Kranthi · Accepted Answer

This can be achieved using 2 different ways. The known behavior is you cannot reach the network behind XGB unless you make some adjustments in the tunnel and advanced CLI settings. 
 
Option 1 : You can have the WAN interface of XGB talk to the network on XGB so that it can reach the resource you defined on the bookmarks. For this all you need to do is include the WAN IP of XGA in the local networks of VPN tunnel of XGA and the remote networks of XGB and if you need a vice versa you can do a similar config the other way around. 
 
Make sure you enable the https ssh management for device access for VPN Zone because you might loose access once the tunnel is up with the WAN ip s going thru the tunnel. This should get you the access of resources in both directions from XGA and XGB.

Option 2: in the previous method we have seen the communication happens from the WAN, now we can have XGA talk to the XGB using the LAN zone interface which involves some config from the CLI option 4 
 
1. set advanced-firewall sys-traffic-nat add destination 10.20.13.45 snatip 10.19.13.1 
 
In this command 10.20.13.45 is the ip on the remote network behind XGB and 10.19.13.1 is XGA s LAN interface 
 
2. system ipsec_route add host 10.20.13.45 tunnelname test

In this command 10.20.13.45 is again the IP address of the host you wanted to reach Via the HTML5 VPN and tunnel name is the IPsec tunnel in question. 
 
I would prefer option 2 than option 1 but you have something to try if one does not work

lferrara · Answer

Oxident, 
 
without a proper static route all traffic by default will be forwarded to WAN interface. 
So you need to create a static route. Have a look at command you find at pag 36. Here the CLI Guide: docs.sophos.com/.../Sophos Firewall OS CLI Guide.pdf 
 
Let us know. 
 
Luk