Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTML5-VPN: How to access ressources behind IPsec tunnel?

Hi!

I've set up an IPsec site to site tunnel between two XG Firewalls (called "XGA" and "XGB") and almost everything is working fine, except one thing:

It seems that the XGs itself don't have a route to the opposite end of the tunnel. For example, if I set up a bookmark for a resource, which is in XGB's subnet, I cannot connect to it within XGA's user portal and vice versa. The same does work perfectly when accessing a resource which is not behind the IPsec tunnel.

I've already observed the connection using the built in packet sniffer and it seems that traffic which is generated by XGA gets routed through Port1 (WAN interface) instead of ipsec0. Setting up static routes fails because the web interface won't let me choose ipsec0 as a gateway interface.

Firewall rules do exist for VPN<->LAN, LAN<->VPN and VPN<->VPN on both XGs.

Is there anything I'm missing? I had the same problem with the UTM and never got it to work :-(

Thanks for any help!  



This thread was automatically locked due to age.
Parents
  • This can be achieved using 2 different ways. The known behavior is you cannot reach the network behind XGB unless you make some adjustments in the tunnel and advanced CLI settings.

    Option 1 : You can have the WAN interface of XGB talk to the network on XGB so that it can reach the resource you defined on the bookmarks. For this all you need to do is include the WAN IP of XGA in the local networks of VPN tunnel of XGA and the remote networks of XGB and if you need a vice versa you can do a similar config the other way around.

    Make sure you enable the https ssh management for device access for VPN Zone because you might loose access once the tunnel is up with the WAN ip s going thru the tunnel. This should get you the access of resources in both directions from XGA and XGB.


    Option 2: in the previous method we have seen the communication happens from the WAN, now we can have XGA talk to the XGB using the LAN zone interface which involves some config from the CLI option 4

    1. set advanced-firewall sys-traffic-nat add destination 10.20.13.45 snatip 10.19.13.1

    In this command 10.20.13.45 is the ip on the remote network behind XGB and 10.19.13.1 is XGA s LAN interface

    2. system ipsec_route add host 10.20.13.45 tunnelname test


    In this command 10.20.13.45 is again the IP address of the host you wanted to reach Via the HTML5 VPN and tunnel name is the IPsec tunnel in question.

    I would prefer option 2 than option 1 but you have something to try if one does not work
  • Thanks Kranthi.
    On Sophos CLI pag 45 you forgot to mention. sys-traffic-nat option is there but description is missing.

    Anyway thank you for you advice.

    Luk
Reply Children
No Data