
SSL VPN user Client does not have access other IPSec Site-to-Site VPN networks

I'm having issues connecting the VPN Client to other networks that reside on a VPN. For example, my XG has a local network of 192.168.10.0/24 and the SSL VPN users get an IP in 172.16.1.10-172.16.1.50. I also have an IPSec Site-to-Site VPN that connects my 192.168.10.0/24 to 10.10.10.0/24. When I'm on my local subnet without the VPN client, I can get to the 10 network without issue and vice versa.

In the SSL VPN user policy, I have allowed access to the local network and then have even added the remote VPN network. I have even added a VPN-to-VPN firewall rule that includes ANY for source/destination, but still cannot get to the 10.10.10.0/24 network. If I'm out and about, and connect to the VPN, I can access everything on my 192.168.10.0/24 without issue, but no traffic to the 10.10.10.0/24.

Also another issue, the 2 XG devices seem to not be able to ping from the device itself to other network objects on the remote network, but can get to their own without issue. 

I'm not sure what else to do, as in the SonicWALL world, doing the above would have allowed it to work. 

Any help would be greatly appreciated. 

  • I've been battling the same issue with a new XG and Amazon VPC.

    We have our local network and a private datacenter at AWS. Our AWS connection is IPSec VPN and only accessible from the local network, so we need our remote users to be able to VPN to the local network and pass through to the AWS VPC.

    I don't fully understand the solution but the following post from Troy Thompson on SpiceWorks was the fix for us. Specifically, step one where we put 'any' for the local networks instead of the actual local networks.

    The original link is here, with a copy/paste of the solution below:


    Discovered that the Amazon VPC IPSEC feature creates one--and ONLY one--SA per connection. This means only one subnet gets permitted down the VPN at a time.

    The fix: 

    1. On the Sophos, Site-to-site VPN IPSec Connections tab, edit the Amazon connection and set Local Networks to contain Any IPv4 instead of the "actual" local networks.
    2. On the Amazon VPC panel, VPN Connections tab, edit the VPN connection Static Routes to contain the "actual" subnets on the Sophos side of the connection, including the Sophos SSL VPN subnet blocks, LAN, etc.
    3. Verify firewall rules are correct on the Sophos to permit traffic from the Amazon VPC network.
    4. Verify Security Groups are correct on the Amazon side to allow traffic to/from the Sophos end.

    Success!


    -mitchel

  • Reviving this thread.

    I have the exact same issue, and I understand one fix is to make the other side of IPSEC aware of the SSL VPN range, but I don't want to do that.

    What I'd like to do is perform a NAT on the SSL VPN clients, so that they're NATed behind the Sophos XG LAN IP and then only routed to IPsec.

    Is that possible?

  • Ok, so adding a manual route using the command box, and attaching a NAT policy for the LAN IP address did the trick!
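To make the two fixes in this thread concrete, here is an added example (not from any poster or from Sophos) that models an IPsec SA's traffic selectors and the far end's return routes with Python's `ipaddress` module, using the subnets quoted in the thread. The XG LAN IP 192.168.10.1 and the remote host 10.10.10.5 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Subnets quoted in the thread; the XG LAN IP is an assumption for the NAT case.
LAN_NET = ip_network("192.168.10.0/24")
SSL_VPN_POOL = ip_network("172.16.1.0/24")   # covers the 172.16.1.10-50 lease range
REMOTE_NET = ip_network("10.10.10.0/24")
XG_LAN_IP = ip_address("192.168.10.1")       # assumed LAN address of the XG
ANY_IPV4 = ip_network("0.0.0.0/0")


def evaluate(src, dst, local_selectors, remote_selectors, remote_routes, snat_ip=None):
    """Classify what happens to a packet src->dst headed for the IPsec tunnel.

    local_selectors / remote_selectors: the SA's traffic selectors (XG 'Local networks'
    and 'Remote networks').  remote_routes: networks the far end routes back through
    the tunnel (e.g. VPC static routes).  snat_ip: source-NAT the packet to this
    address before routing, as in the 'NAT behind the XG LAN IP' approach above.
    """
    src, dst = ip_address(src), ip_address(dst)
    if snat_ip is not None:
        src = ip_address(snat_ip)
    # 1. Outbound: the packet must fit a (local, remote) selector pair or it never
    #    enters the tunnel, regardless of how permissive the firewall rules are.
    if not any(src in loc and dst in rem
               for loc in local_selectors for rem in remote_selectors):
        return "dropped: source not covered by IPsec local selector"
    # 2. Return path: the far end must have a route back through the tunnel for src.
    if not any(src in route for route in remote_routes):
        return "one-way: far end has no return route for source"
    return "ok"


def thread_scenarios():
    """The states discussed in the thread, in order: original, fix A without and
    with the remote static routes, and fix B (SNAT)."""
    client, dst = "172.16.1.10", "10.10.10.5"   # first pool address, constructed remote host
    original = evaluate(client, dst, [LAN_NET], [REMOTE_NET], [LAN_NET])
    # Fix A, step 1 only: 'Any IPv4' local selector but the far end still lacks routes.
    any_no_routes = evaluate(client, dst, [ANY_IPV4], [REMOTE_NET], [LAN_NET])
    # Fix A complete: far end also routes every Sophos-side subnet, SSL VPN pool included.
    any_routes = evaluate(client, dst, [ANY_IPV4], [REMOTE_NET], [LAN_NET, SSL_VPN_POOL])
    # Fix B: SNAT the client behind the XG LAN IP; selectors and far-end routes unchanged.
    nat = evaluate(client, dst, [LAN_NET], [REMOTE_NET], [LAN_NET], snat_ip=XG_LAN_IP)
    return original, any_no_routes, any_routes, nat


if __name__ == "__main__":
    for name, verdict in zip(("original", "any-ipv4 only", "any-ipv4+routes", "snat"),
                             thread_scenarios()):
        print(f"{name:16} {verdict}")
```

The model only covers selector and return-route coverage; it does not include the SSL VPN "permitted network resources" list, which decides whether the client is pushed a route for 10.10.10.0/24 in the first place.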

  • I struggled with this for a while too. I was sure my firewall rules were correct but the one thing I missed was to add the remote subnet as a permitted network resource in the SSL VPN settings. I only had my local subnet added at first. As soon as I added the subnet of the other site, I could access it. I didn't have to add a static route in the console.