
Site to site VPN (SSL) with default gateway?

Hi,

I have an SSL site-to-site VPN connection between headquarters and a branch office.
What do I need to set to get ALL traffic from the branch office routed through the headquarters gateway? I cannot find a "default gateway" option.

Thank you very much for help,
Alex



  • Hi Alex,

    Depends on where you've configured the SSL Connection.  Either put "Internet IPv4" into 'Local Networks' in the main office or into 'Remote Networks' in the branch and then reload the new client in the other site.  Using "Any" should work, but, in my experience, using it can cause problems.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,
    thank you for your answer!

    What do you mean by "then reload the new client in the other site"? Just switching off the branch office connection and turning it back on? Or creating a new connection with the downloaded .apc file? I ask because it is not working after putting "Internet IPv4" into 'Local Networks' in the main office.

    The connection was made a long time ago, so I don't remember exactly what I did, but since I'm not a professional, I think I just configured the server/headquarters connection, downloaded the configuration .apc and installed it on the branch office UTM.

    Is the above also correct for an IPsec VPN connection (2x UTM with IPsec VPN, and the BO should use HQ's GW)?

    Thanks a lot,
    Alex




  • Yes, Alex, "create a new connection with the downloaded .apc file" and it sounds like you did that.  Please insert a picture of the Edit of the Server definition.

    Cheers - Bob

     



  • So, the new SSL connection can be established, but no traffic is possible, neither to resources on HQ network nor internet access. What else do I miss?

  • If you downloaded the "configuration for remote tunnel endpoint" and installed it in your home UTM, I don't see why this won't work.  How about a picture of the Edit of the home 'Client' Connection...

    Cheers - Bob

     
  • Not too much to see here. This is the freshly imported file from HQ.
    Maybe a firewall rule?
    Better chance with IPsec?




    UPDATE: now I have established an IPsec connection as well. It seems to be more performant, so maybe I should move from SSL to IPsec site-to-site anyway. Would the procedure be the same for IPsec to use the HQ UTM as default gateway (not to forget, both UTMs are behind an ISP's router)?

    ATM I don't have physical access to the HQ UTM; I'm currently connected through an OpenVPN client on my notebook over the UTM's SSL Remote Access. So I need to be very careful with disabling/enabling firewall rules etc., because I don't want to lock myself out of the UTMs.


    Best regards, Alex


    added UPDATE
    [edited by: GerdMehsel at 2:19 PM (GMT -7) on 29 Mar 2022]
  • Hello,

    did you just change from a single-place / single-device setup in your home office to this setup with a firewall?

    How do you handle the network "behind" the Sophos UTM firewall in your ISP router?

    If you did not configure that network, then your tunnel would still get established, because the router "sees" the UTM, BUT none of the devices behind that UTM will get routed anywhere.

    I think this is your problem.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you for your reply!

    Please remember, I have a working site-to-site SSL connection (and in the meantime a working IPsec connection as well). Everything is fine with both connections, so I think the ISP router etc. should be OK.

    What I haven't achieved yet is to force the BO UTM to use the HQ UTM as default gateway. If I put "Internet IPv4" in the local networks of the HQ UTM VPN connection, the tunnel gets established, but no more traffic is possible.

    Best regards, Alex

    Just to clarify: is normal access to the internet from the home office devices behind the firewall working?

    Or is it only the webproxy, that's working for the clients behind the UTM?


  • Yes, Alex, I much prefer IPsec site-to-site over the SSL VPN.

    Cheers - Bob

     
  • Yes, everything is working since a long time. BO can access internet, BO can access resources in HQ, everything is fine.

  • Ok, so let's switch to IPsec

    The first picture shows the working IPsec connection from BO to HQ. BO can access (its own) internet, BO can access resources in HQ. 1.) is the BO public IP from the ISP, 2.) the public IP of HQ.
    If I use another VPN ID the connection will die.

    Now I add "Internet IPv4" to "Local networks" in HQ IPsec connection (HQ is "respond only" since it is my VPN "Server" with a fixed public IP)

    Now, the IPsec connection is broken, BO cannot access (its own) internet nor access resources on HQ network, anymore.
    Any ideas? Is the VPN ID the problem, since it is used twice?

     

  • 0.0.0.0/0 looks more like "Any" than "Internet IPv4."  How about pictures of the Edits of the IPsec Connection and Remote Gateway for BO and HQ?

    Cheers - Bob

     
  • "Internet IPv4" is actually configured as "0.0.0.0/0" and is bound to "External (WAN)". This was done by Sophos first installation assistant, I think.
    Pictures follow :-)

  • Branch Office, IPsec Gateway

    Branch Office, IPsec Conn

    Branch Office, IPsec Local RSA

    Branch Office, IPsec Advanced

  • Headquarter, IPsec Gateway

    Headquarter, IPsec Connection

    Headquarter, IPsec Local RSA Key

    Headquarter, IPsec Advanced

  • Since you aren't using RSA keys, Alex, those settings should have no effect.

    I like to leave 'Preshared Key Settings' in the default mode with the IP empty on both ends.  I usually select 'Enable probing of preshared keys' on the "Respond only" end.

    To get all traffic from the branch to go through HQ, just add "Internet IPv4" to 'Local Networks' in HQ and to 'Remote Networks' in the branch office.

    Any better luck?

    Cheers - Bob

     
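The selector rule Bob gives here (add "Internet IPv4" to 'Local Networks' at HQ and to 'Remote Networks' at the branch; the same Local/Remote pairing is what he described for the SSL site-to-site connection earlier in the thread) can be checked against a small model of how IPsec traffic selectors pair up. The following is an added example, not code from the thread or from Sophos: it models the generic IKE Phase 2 rule that each end's (local, remote) selector pair must be mirrored by the peer as (remote, local), then asks the two follow-up questions Alex raises, whether HQ has to masquerade branch traffic it forwards to the internet, and whether a selector would swallow the IKE/ESP packets to the peer itself (the case Bob warns about with "Any"). The addresses, LAN ranges, class and function names are constructed assumptions; the model ignores the WAN interface binding of UTM's "Internet IPv4" definition, treats selector matching as exact (no narrowing), and does not reproduce whatever broke Alex's tunnel, which the thread leaves unresolved.

```python
"""Model of IPsec selector pairing for a hub-and-spoke site-to-site tunnel.

Added example, not taken from the forum thread or from Sophos UTM code.
All addresses are constructed (RFC 5737 / RFC 1918 ranges).
"""
import ipaddress

# As a traffic selector, UTM's "Internet IPv4" and "Any" both mean 0.0.0.0/0.
# The thread notes "Internet IPv4" is additionally bound to the External (WAN)
# interface; that binding is not modelled here.
INTERNET_IPV4 = "0.0.0.0/0"


class TunnelEnd:
    """One IPsec peer: WAN address, LAN, and the selector lists from the dialog."""

    def __init__(self, name, public_ip, lan, local_nets, remote_nets):
        self.name = name
        self.public_ip = ipaddress.ip_address(public_ip)
        self.lan = ipaddress.ip_network(lan)
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.remote_nets = [ipaddress.ip_network(n) for n in remote_nets]

    def pairs(self):
        """Selector pairs this end proposes: one per (local, remote) combination."""
        return {(loc, rem) for loc in self.local_nets for rem in self.remote_nets}


def negotiated_pairs(a, b):
    """Pairs both ends agree on: a's (local, remote) must exist at b as (remote, local).

    Simplified IKE rule: the selectors have to mirror exactly.
    """
    mirrored_at_b = {(rem, loc) for (loc, rem) in b.pairs()}
    return a.pairs() & mirrored_at_b


def unmirrored_pairs(a, b):
    """Pairs configured at a that the peer b never offers (dead config)."""
    return a.pairs() - negotiated_pairs(a, b)


def is_tunnelled(end, peer, src, dst):
    """Does a src->dst packet leaving `end` go into the tunnel towards `peer`?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in loc and d in rem for (loc, rem) in negotiated_pairs(end, peer))


def hub_needs_masquerade(spoke, hub, src, dst):
    """Internet-bound traffic the hub forwards for the spoke must be NATed at the
    hub's WAN if the spoke source address is private (RFC 1918)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return is_tunnelled(spoke, hub, src, dst) and s.is_private and not d.is_private


def peer_route_trap(end, peer):
    """True when a negotiated selector would also capture `end`'s own IKE/ESP
    packets to the peer's public address. Such traffic has to bypass the tunnel
    (a route to the peer via the WAN interface), or the tunnel cannot be kept up."""
    return any(end.public_ip in loc and peer.public_ip in rem
               for (loc, rem) in negotiated_pairs(end, peer))


if __name__ == "__main__":
    HQ_LAN, BO_LAN = "10.10.0.0/24", "10.20.0.0/24"
    # Bob's recipe: Internet IPv4 in Local Networks at HQ, in Remote Networks at BO.
    hq = TunnelEnd("HQ", "203.0.113.10", HQ_LAN, [HQ_LAN, INTERNET_IPV4], [BO_LAN])
    bo = TunnelEnd("BO", "198.51.100.20", BO_LAN, [BO_LAN], [HQ_LAN, INTERNET_IPV4])
    for loc, rem in sorted(negotiated_pairs(bo, hq), key=str):
        print(f"BO->HQ selector {loc} -> {rem}")
    print("BO host to internet tunnelled:", is_tunnelled(bo, hq, "10.20.0.5", "93.184.216.34"))
    print("HQ must masquerade it:", hub_needs_masquerade(bo, hq, "10.20.0.5", "93.184.216.34"))
    print("IKE to peer caught by selector:", peer_route_trap(bo, hq))
```

Run it as-is to see Bob's recipe produce two selector pairs at the branch (BO LAN to HQ LAN, and BO LAN to 0.0.0.0/0); change only the HQ side, as Alex first did, and `unmirrored_pairs(hq, bo)` reports the extra pair nobody at the branch proposes, while internet traffic keeps leaving via the branch's own WAN. Putting 0.0.0.0/0 in both slots ("Any" on both ends) makes `peer_route_trap` fire, which is the kind of problem a blanket "Any" invites.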
  • No, unfortunately not. 

    > I like to leave 'Preshared Key Settings' in the default mode with the IP empty on both ends

    If I don't put in the public IP, the tunnel cannot be established anymore.

    Do I maybe miss some masquerading/NAT rules, since both UTMs are behind ISP routers (both routers have port forwardings for 500/UDP, 4500/UDP and 1701/UDP to the External (WAN) interface of the corresponding UTM)? Could this confuse the NAT-T setting?

    And I'm thinking about resetting the BO UTM completely, since I have physical access to it, but I have a feeling that this may not solve the problem. The BO hardware was replaced by a new one and I imported a configuration from the old hardware. BTW: is there a "best practice" guide for setting up a basic UTM device, or is the installation wizard just fine?

    Best regards, Alex

    You're right, Alex, you do need to specify an IP.  I can't see why things don't work then, so you might open a case with Sophos Support.

    Cheers - Bob

     