
SSL VPN user client does not have access to other IPsec site-to-site VPN networks

I'm having issues connecting the VPN client to other networks that reside on a VPN. For example, my XG has a local network of 192.168.10.0/24 and the SSL VPN users get an IP in 172.16.1.10-172.16.1.50. I also have an IPsec site-to-site VPN that connects my 192.168.10.0/24 to 10.10.10.0/24. When I'm on my local subnet without the VPN client, I can get to the 10 network without issue and vice versa.

In the SSL VPN user policy, I have allowed access to the local network and have even added the remote VPN network. I have even added a VPN-to-VPN firewall rule that includes ANY for source/destination, but still cannot get to the 10.10.10.0/24 network. If I'm out and about and connect to the VPN, I can access everything on my 192.168.10.0/24 without issue, but no traffic reaches the 10.10.10.0/24.

Another issue: the 2 XG devices seem unable to ping from the device itself to other network objects on the remote network, but can reach their own network without issue.

I'm not sure what else to do, as in the SonicWALL world, doing the above would have allowed it to work. 

Any help would be greatly appreciated. 



  • I tried that over the weekend still no luck. I'll see if I can get Sophos support. Thanks for your help. 

  • Hello,
    I have the same problem.
    Do you find a solution?
    Thanks for your reply.
    Christian

  • Hello

    I have the same issue. I have tried all the above-mentioned answers with no luck; I would appreciate it if someone could reply with how they managed to get it working.

    Thanks in advance.

  • Does the other end of the VPN tunnel have a route back to the SSL VPN subnet?  I found this was my issue.  Both ends need to be aware of the networks connecting to them so they can route appropriately.

    Yes, thank you, I figured it out right after I posted here. Since my remote resources don't have the XG as their default gateway, I added a static route for the SSL VPN subnet and it worked :)

    Thank you,

    Ahmed Hegazy

  • I've been battling the same issue with a new XG and Amazon VPC.

    We have our local network and a private datacenter at AWS. Our AWS connection is IPSec VPN and only accessible from the local network, so we need our remote users to be able to VPN to the local network and pass through to the AWS VPC.

    I don't fully understand the solution but the following post from Troy Thompson on SpiceWorks was the fix for us. Specifically, step one where we put 'any' for the local networks instead of the actual local networks.

    The original link is here, with a copy/paste of the solution below:


    Discovered that the Amazon VPC IPSEC feature creates one--and ONLY one--SA per connection. This means only one subnet gets permitted down the VPN at a time.

    The fix: 

    1. On the Sophos, Site-to-site VPN IPSec Connections tab, edit the Amazon connection and set Local Networks to contain Any IPv4 instead of the "actual" local networks.
    2. On the Amazon VPC panel, VPN Connections tab, edit the VPN connection Static Routes to contain the "actual" subnets on the Sophos side of the connection, including the Sophos SSL VPN subnet blocks, LAN, etc.
    3. Verify firewall rules are correct on the Sophos to permit traffic from the Amazon VPC network.
    4. Verify Security Groups are correct on the Amazon side to allow traffic to/from the Sophos end.

    Success!


    -mitchel

  • Reviving this thread.

    I have the exact same issue, and I understand one fix is to make the other side of IPSEC aware of the SSL VPN range, but I don't want to do that.

    What I'd like to do is perform a NAT on the SSL VPN clients, so that they're NATed behind the Sophos XG LAN IP and then routed to IPsec.

    Is that possible?

    OK, so adding a manual route using the command box, and attaching a NAT policy for the LAN IP address, did the trick!

  • I struggled with this for a while too. I was sure my firewall rules were correct, but the one thing I missed was to add the remote subnet as a permitted network resource in the SSL VPN settings. I only had my local subnet added at first. As soon as I added the subnet of the other site, I could access it. I didn't have to add a static route in the console.
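  The replies above converge on three separate conditions for an SSL VPN client to reach a site-to-site network: the destination must be a permitted network resource in the SSL VPN policy (the post just above), the IPsec traffic selectors must cover the SSL VPN source (mitchel's "Local Networks = Any"), and the far side must have a return route for that source (the static-route reply), or the clients must be NATed behind the LAN IP so the far side never sees the pool (the NAT reply). The script below is an added illustration, not Sophos code or anything posted in this thread; it models each thread configuration as constructed data and reports which condition a client-to-server flow fails. The class names, the 172.16.1.0/24 pool (the original poster used a range inside it) and the LAN IP 192.168.10.1 are assumptions made for the example.

```python
"""Constructed model of why SSL VPN clients can or cannot reach a network behind a
site-to-site IPsec tunnel.  Not Sophos code; class names and addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ANY = IPv4Network("0.0.0.0/0")  # what "Any IPv4" in the IPsec connection amounts to


def covers(nets, addr) -> bool:
    """True if any prefix in `nets` contains `addr`; 0.0.0.0/0 covers everything."""
    return any(addr in n for n in nets)


@dataclass
class HeadOffice:
    """The firewall that terminates both the SSL VPN and the IPsec tunnel (hypothetical)."""
    lan: IPv4Network
    lan_ip: IPv4Address              # source address used when SNAT-ing SSL VPN clients
    sslvpn_pool: IPv4Network
    sslvpn_permitted: list           # 'permitted network resources' in the SSL VPN policy
    ipsec_local: list                # Local Networks of the IPsec connection (traffic selectors)
    ipsec_remote: list               # Remote Networks of the IPsec connection
    vpn_to_vpn_rule: bool = True     # a VPN -> VPN firewall rule exists
    snat_sslvpn_to_lan_ip: bool = False  # NAT SSL VPN clients behind the LAN IP before the tunnel


@dataclass
class RemoteSite:
    """The far end of the IPsec tunnel (hypothetical)."""
    lan: IPv4Network
    routes_via_tunnel: list          # prefixes the far side routes back through the tunnel


def diagnose(client: IPv4Address, dest: IPv4Address, hq: HeadOffice, remote: RemoteSite) -> list:
    """Return the reasons the flow client -> dest fails; an empty list means it should work."""
    problems = []
    if client not in hq.sslvpn_pool:
        problems.append("client address is not in the SSL VPN pool")
    if not covers(hq.sslvpn_permitted, dest):
        problems.append("destination is not a permitted network resource in the SSL VPN policy")
    if not hq.vpn_to_vpn_rule:
        problems.append("no VPN-to-VPN firewall rule")
    # With SNAT the tunnel (and the far side) only ever sees the LAN IP as the source.
    src = hq.lan_ip if hq.snat_sslvpn_to_lan_ip else client
    if not covers(hq.ipsec_local, src):
        problems.append(f"IPsec Local Networks do not cover source {src} (add the SSL VPN subnet or use Any)")
    if not covers(hq.ipsec_remote, dest):
        problems.append(f"IPsec Remote Networks do not cover {dest}")
    if not covers(remote.routes_via_tunnel, src):
        problems.append(f"remote site has no route back to {src} via the tunnel")
    return problems


def thread_scenarios() -> dict:
    """The configurations discussed in this thread, as constructed data."""
    base = dict(lan=ip_network("192.168.10.0/24"), lan_ip=ip_address("192.168.10.1"),
                sslvpn_pool=ip_network("172.16.1.0/24"),
                sslvpn_permitted=[ip_network("192.168.10.0/24"), ip_network("10.10.10.0/24")],
                ipsec_remote=[ip_network("10.10.10.0/24")])
    client, server = ip_address("172.16.1.10"), ip_address("10.10.10.5")
    remote_lan = ip_network("10.10.10.0/24")
    # 1. Original poster: selectors and far-side routing only know the head-office LAN.
    op = HeadOffice(**base, ipsec_local=[base["lan"]])
    remote_op = RemoteSite(remote_lan, routes_via_tunnel=[base["lan"]])
    # 2. SSL VPN pool added to the selectors plus a static route on the far side.
    routed = HeadOffice(**base, ipsec_local=[base["lan"], base["sslvpn_pool"]])
    remote_routed = RemoteSite(remote_lan, routes_via_tunnel=[base["lan"], base["sslvpn_pool"]])
    # 3. SNAT behind the LAN IP: the far side never has to learn the pool.
    natted = HeadOffice(**base, ipsec_local=[base["lan"]], snat_sslvpn_to_lan_ip=True)
    # 4. Local Networks = Any, with the real subnets as static routes on the far (AWS) side.
    any_local = HeadOffice(**base, ipsec_local=[ANY])
    return {
        "original": diagnose(client, server, op, remote_op),
        "routed": diagnose(client, server, routed, remote_routed),
        "natted": diagnose(client, server, natted, remote_op),
        "any_local": diagnose(client, server, any_local, remote_routed),
    }


if __name__ == "__main__":
    for name, problems in thread_scenarios().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

  The "original" scenario fails on two independent points (source not covered by the IPsec selectors, no return route), which is why fixing only the firewall rules or only the SSL VPN policy did not help the original poster; each of the other three scenarios clears all conditions by a different route.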

  • Hello Mitchel!!

    For a long time I was going through this situation, but mine just didn't work when I enabled VPN failover, where I have 2 ISP providers; when I enabled the Sophos XG feature, it just didn't pass traffic between SSL VPN users and my servers on AWS, with which I had an IPsec VPN established directly to the VPC in the Virginia US region.

    When I applied the procedure that you demonstrated, which is basically not to specify the local network but to put just Any, it worked perfectly, and I was able to enable IPsec failover with AWS, which made me more relaxed.

    Thank you!