I have set up a user remote access SSL VPN; the default gateway option does not work
This is Critical
To reproduce this: I have a network that is 192.168.1.X. I have the user connect to the VPN; the user's home network is 192.168.1.X. I have set the settings to use the VPN as the default gateway. It does not create the route on the VPN connection and I am not able to see any network resources. If I manually create a network route like route add 192.168.1.0 255.255.255.0 Gw (VPNIP) metric 10, then the traffic will flow correctly. The server is not pushing that route through to the client.
Wesley,
Which OS version are you using on the client side?
If it is Windows, make sure you installed the SW by using "run as Administrator".
Thanks
Windows 10, and yes, it was installed as admin.
It will create the other routes, just not the default routes.
Hi Wesley Heydlauff1
Thanks for the feedback. Sending you PM for more details.
Thanks,
Rana Sharma
I'm sorry but this just sounds like a recipe for disaster. It goes against all rules to have the same network subnet on both ends of a VPN tunnel, a routing nightmare, how is a device on one side supposed to know whether the other device is on the local network or the remote one? What if a device on the remote side happens to have the same IP address as something critical, say a domain controller or file server? Having the same subnet on both sides is a very, very bad idea. What if the remote side has other devices it needs to access locally, like a printer? Now it can't because the route sends traffic to another router which may be on a network with a device with the same IP but not the printer they hope to reach. One should never have to route traffic destined for the same subnet at all. What if the remote user has an IP address that is the same as one on the host network? How is a device on that network going to know traffic is coming from your remote user and not the device on its local network? I believe this is referred to as asymmetric routing, not good. I do realize these situations cannot be avoided at times, but some careful planning of the host network could have avoided this problem. Your best bet in a situation like this might be to use some form of NAT to translate your remote user's address to something else that doesn't conflict with the local subnet. That it doesn't work is a good thing, the Sophos VPN client is avoiding creating an otherwise dangerous and bad practice routing scenario.
First off, this is not a site-site tunnel. The location the remote user is at has the same IP range as the office; the end user is using the SSL VPN client on the PC to log in to the work network. That is what the tunnel all option is for and is required for.
The same goes for being at a hotel: if they use the same IP range as your office location, the VPN client should be able to support that by using the tunnel all or use as default gateway.
This sounds eerily similar to what you describe...
community.sophos.com/.../remote-access-ssl-vpn-and-same-192-168-1-x-network-on-both-ends-xg-125
That is only needed for site-site tunnels, not a VPN software client on a PC. It works fine on version 17.5, not 18.
The client already creates a separate IP range, so that is not an issue. The issue is the VPN server is not pushing the route add to the client.
I assumed your clients have done something like that - the numbers serve as an example.
DHCP inside company: 192.168.1.0/24, Range: 192.168.1.10 - 50
DHCP VPN: 192.168.1.0/24, Range: 192.168.1.51 - 70
Have you created a rule to indicate that this traffic coming from your VPN interface is allowed to go inside your network?
Inside company: 192.168.1.0/24
End user's house IP network (Netgear example)
192.168.1.0/24
DHCP VPN for SSL VPN client: 10.1.1.0/24, Range: 10.1.1.51 - 70
Yes, there are rules. If I manually add a route into the user's PC, it works fine and routes how it should (Tunnel All Mode). This is the problem: the SSL VPN client does not add this route even though you add it in the SSL VPN configuration under SSL Remote Access, NOT SSL site-site.
route add 192.168.1.0 255.255.255.0 GW 10.1.1.51
Have you enabled to use this as default gateway?
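Added example, not part of the thread and not Sophos code: a small model of client route selection (longest matching prefix first, then lowest metric) for the addressing described above, showing why a VPN default route alone leaves 192.168.1.x traffic on the home LAN and why the manually added /24 route with metric 10 moves it into the tunnel. Interface names, the home router 192.168.1.1, the on-link metric of 25 and the destination addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network in CIDR form
    gateway: str   # next hop, or "on-link" for a directly attached network
    iface: str     # hypothetical interface label: "lan" or "vpn"
    metric: int


def select_route(table, dst):
    """Longest matching prefix wins; ties are broken by the lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))


def egress(table, dst):
    """Interface label the packet leaves on, or None if no route matches."""
    route = select_route(table, dst)
    return route.iface if route else None


# Constructed routing table for a home PC on 192.168.1.0/24 (assumed metrics).
HOME_LAN = [
    Route("0.0.0.0/0", "192.168.1.1", "lan", 25),
    Route("192.168.1.0/24", "on-link", "lan", 25),
]
# Routes assumed to exist once the VPN is up with "use as default gateway".
VPN_DEFAULT = [
    Route("10.1.1.0/24", "on-link", "vpn", 1),
    Route("0.0.0.0/0", "10.1.1.51", "vpn", 1),
]
# The manual workaround from the thread: same /24, VPN gateway, metric 10.
MANUAL = Route("192.168.1.0/24", "10.1.1.51", "vpn", 10)

if __name__ == "__main__":
    base = HOME_LAN + VPN_DEFAULT
    for label, table in (("default gateway only", base),
                         ("plus manual /24 route", base + [MANUAL])):
        for dst in ("192.168.1.20", "203.0.113.5"):  # constructed destinations
            print(f"{label:22} {dst:14} -> {egress(table, dst)}")
```

With the manual route in place every 192.168.1.x destination goes to the tunnel, so devices on the home LAN in that range (the printer case raised earlier in the thread) are no longer reachable from the PC.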