Site to site VPN (SSL) with default gateway?

Hi,

I have an SSL site-to-site VPN connection between headquarters and a branch office.
What do I need to set to get ALL traffic from the branch office routed through the headquarters GW? I cannot find a "default gateway" option.

Thank you very much for help,
Alex

  • Hi Alex,

    Depends on where you've configured the SSL Connection.  Either put "Internet IPv4" into 'Local Networks' in the main office or into 'Remote Networks' in the branch and then reload the new client in the other site.  Using "Any" should work, but, in my experience, using it can cause problems.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,
    thank you for your answer!

    What do you mean by "then reload the new client in the other site"? Just switching the branch office connection off and back on? Or creating a new connection with the downloaded .apc file? I ask because it does not work when I put "Internet IPv4" into 'Local Networks' in the main office.

    The connection was made a long time ago, so I don't remember exactly what I did, but since I'm not a professional, I think I just configured the server/headquarters connection, downloaded the configuration .apc and installed it in the branch office UTM.

    Is the above also correct for an IPsec VPN connection (2x UTM with IPsec VPN, and the BO should use HQ's GW)?

    Thanks a lot,
    Alex




  • Thank you for your reply!

    Please remember, I have a working Site2Site SSL connection (and in the meantime a working IPsec connection as well). Everything is fine with both connections, so I think the ISP router... should be ok.

    What I haven't achieved yet is to force the BO UTM to use the HQ UTM as default gateway. If I put "Internet IPv4" in the local network of the HQ UTM VPN connection, the tunnel gets established, but no more traffic is possible.

    Best regards, Alex

    Just to clarify: is normal access to the internet from home office devices behind the firewall working?

    Or is it only the web proxy that's working for the clients behind the UTM?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, Alex, I much prefer IPsec site-to-site over the SSL VPN.

    Cheers - Bob

  • Yes, everything has been working for a long time. BO can access the internet, BO can access resources in HQ, everything is fine.

  • Ok, so let's switch to IPsec.

    The first picture shows the working IPsec connection from BO to HQ. BO can access (its own) internet, and BO can access resources in HQ. 1.) is the BO public IP from the ISP, 2.) the public IP from HQ.
    If I use another VPN ID, the connection dies.

    Now I add "Internet IPv4" to "Local networks" in the HQ IPsec connection (HQ is "respond only" since it is my VPN "server" with a fixed public IP).

    Now the IPsec connection is broken; BO cannot access (its own) internet or resources on the HQ network anymore.
    Any ideas? Is the VPN ID the problem, since it is used twice?


  • 0.0.0.0/0 looks more like "Any" than "Internet IPv4."  How about pictures of the Edits of the IPsec Connection and Remote Gateway for BO and HQ?

    Cheers - Bob

  • "Internet IPv4" is actually configured as "0.0.0.0/0" and is bound to "External (WAN)". This was done by Sophos first installation assistant, I think.
    Pictures follow :-)

  • Branch Office, IPsec Gateway

    Branch Office, IPsec Conn

    Branch Office, IPsec Local RSA

    Branch Office, IPsec Advanced

  • Headquarter, IPsec Gateway

    Headquarter, IPsec Connection

    Headquarter, IPsec Local RSA Key

    Headquarter, IPsec Advanced

  • Since you aren't using RSA keys, Alex, those settings should have no effect.

    I like to leave 'Preshared Key Settings' in the default mode with the IP empty on both ends.  I usually select 'Enable probing of preshared keys' on the "Respond only" end.

    To get all traffic from the branch to go through HQ, Just add "Internet IPv4" to 'Local Networks' in HQ and to 'Remote Networks' in the branch office.

    Any better luck?

    Cheers - Bob

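Bob's recipe above ("Internet IPv4" in 'Local Networks' at HQ and in 'Remote Networks' at the branch) amounts to a mirrored pair of Phase-2 traffic selectors, and Alex has confirmed that "Internet IPv4" resolves to 0.0.0.0/0. The following Python model is an added example, not code from the thread or from Sophos: it checks that the two ends' selector lists mirror each other and shows which branch destinations end up in the tunnel. All addresses are constructed (the thread's screenshots are not available), and the model deliberately uses only the prefix a selector carries in the IKE exchange; the UTM's binding of "Internet IPv4" to the External (WAN) interface is assumed to matter for firewall matching but not for the negotiated selector.

```python
"""Mirrored-selector and egress check for a full-tunnel site-to-site IPsec pair.

Added example, not from the thread and not Sophos code. Addresses are
constructed; the selector semantics (prefix only, interface binding ignored)
are an assumption made for this model.
"""
from ipaddress import ip_address, ip_network

# Constructed topology.
HQ_LAN = ip_network("10.10.0.0/24")
BO_LAN = ip_network("10.20.0.0/24")
HQ_PUBLIC = ip_address("203.0.113.10")   # address the branch sends IKE/ESP to
INTERNET_IPV4 = ip_network("0.0.0.0/0")  # what 'Internet IPv4' resolves to


def selector_mismatches(hq_local, hq_remote, bo_local, bo_remote):
    """Phase-2 selectors are negotiated as pairs: what HQ lists as local the
    branch must list as remote, and vice versa. Returns the prefixes present
    on only one side; an empty list means the two ends agree."""
    out = []
    for label, a, b in (("HQ local vs BO remote", hq_local, bo_remote),
                        ("HQ remote vs BO local", hq_remote, bo_local)):
        diff = set(a) ^ set(b)
        if diff:
            out.append((label, sorted(str(n) for n in diff)))
    return out


def branch_egress(dst, bo_remote, peer_public=HQ_PUBLIC):
    """Where a packet from the branch LAN to dst leaves the branch UTM:
    'local'  - stays in the branch LAN
    'peer'   - IKE/ESP to HQ itself; this must keep going over the branch ISP
               in the clear, and a 0.0.0.0/0 selector matches it too, so the
               UTM has to except it from the tunnel
    'tunnel' - covered by a remote selector, encrypted to HQ
    'direct' - not covered, sent to the branch ISP unencrypted
    """
    d = ip_address(dst)
    if d in BO_LAN:
        return "local"
    if d == peer_public:
        return "peer"
    if any(d in n for n in bo_remote):
        return "tunnel"
    return "direct"


def full_tunnel(bo_remote):
    """True when the branch has no path to the Internet that bypasses HQ."""
    return any(n == INTERNET_IPV4 for n in bo_remote)


if __name__ == "__main__":
    hq_local = [HQ_LAN, INTERNET_IPV4]    # Bob's recipe, HQ side
    bo_remote = [HQ_LAN, INTERNET_IPV4]   # Bob's recipe, branch side
    print("mismatches:", selector_mismatches(hq_local, [BO_LAN], [BO_LAN], bo_remote))
    print("full tunnel:", full_tunnel(bo_remote))
    for dst in ("10.10.0.5", "192.0.2.80", str(HQ_PUBLIC), "10.20.0.9"):
        print(f"{dst:>13} -> {branch_egress(dst, bo_remote)}")
```

Running it with the full-tunnel lists prints no mismatches, classifies the HQ server and the constructed Internet host 192.0.2.80 as "tunnel", and flags the HQ public address as "peer". Dropping 0.0.0.0/0 from only one side (the situation after the HQ-only change Alex first tried) shows up as a mismatch in `selector_mismatches`, which is the first thing to compare between the two 'Edit' dialogs.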
  • No, unfortunately not. 

    "I like to leave 'Preshared Key Settings' in the default mode with the IP empty on both ends"
    If I don't put in the public IP, the tunnel cannot be established anymore.

    Am I maybe missing some masquerading/NAT rules, since both UTMs are behind ISP routers (both routers have port forwardings for 500/UDP, 4500/UDP and 1701/UDP to the External (WAN) interface of the corresponding UTM)? Could this confuse the NAT-T setting?

    And I'm thinking about resetting the BO UTM completely, since I have physical access to it, but I have a feeling that this may not solve the problem. The BO hardware was replaced by a new one and I imported a configuration from the old hardware. BTW: is there a best-practice guide for setting up a basic UTM device, or is the installation wizard just fine?

    Best regards, Alex
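Alex raises two things worth checking when both UTMs sit behind ISP routers: the NAT-T port forwards and masquerading at HQ. The Python walk-through below is an added example, not code from the thread or from Sophos. It encodes two facts: IKE starts on UDP/500 and, once both peers detect NAT (RFC 3947), IKE and ESP continue inside UDP/4500 (RFC 3948), so those two forwards are what the routers need, and raw ESP never has to cross them; UDP/1701 is L2TP and plays no part in an IPsec site-to-site tunnel. And a packet decapsulated at HQ still carries its branch-LAN source address, so HQ must masquerade it before it goes upstream. Addresses, rule lists and the interface name are constructed to match Alex's description, not taken from his configuration.

```python
"""Walk a branch-LAN packet to the Internet through HQ and collect the
conditions that must hold on the way.

Added example, not from the thread and not Sophos code. Topology, port-forward
tables and masquerading rules are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

BO_LAN = ip_network("10.20.0.0/24")
HQ_LAN = ip_network("10.10.0.0/24")
BO_UTM_EXT = ip_address("192.168.2.2")   # UTM External (WAN) behind the BO router
HQ_UTM_EXT = ip_address("192.168.1.2")   # UTM External (WAN) behind the HQ router
HQ_PUBLIC = ip_address("203.0.113.10")   # public IP on HQ's ISP router
EXTERNAL = "External (WAN)"

# Router port forwards as Alex describes them: (proto, port) -> inside host.
BO_FORWARDS = {("udp", 500): BO_UTM_EXT, ("udp", 4500): BO_UTM_EXT, ("udp", 1701): BO_UTM_EXT}
HQ_FORWARDS = {("udp", 500): HQ_UTM_EXT, ("udp", 4500): HQ_UTM_EXT, ("udp", 1701): HQ_UTM_EXT}

# What IKE with NAT traversal actually uses (RFC 3947/3948). UDP/1701 is L2TP
# and unrelated to a pure IPsec site-to-site tunnel.
NAT_T_PORTS = {("udp", 500), ("udp", 4500)}


def missing_nat_t_forwards(forwards, utm_ext):
    """NAT-T forwards a router lacks, or points at the wrong inside host."""
    return sorted(k for k in NAT_T_PORTS if forwards.get(k) != utm_ext)


def superfluous_forwards(forwards):
    """Forwards exposed to the Internet that IPsec does not need."""
    return sorted(k for k in forwards if k not in NAT_T_PORTS)


def source_after_hq_masquerade(src, masq_rules):
    """Source address of a packet leaving HQ's external interface.
    masq_rules is a list of (network, interface) like UTM's Masquerading tab;
    only rules on the external interface matter for Internet-bound traffic."""
    src = ip_address(src)
    for net, iface in masq_rules:
        if iface == EXTERNAL and src in net:
            return HQ_UTM_EXT
    return src


def trace_branch_to_internet(src, masq_rules, bo_forwards=BO_FORWARDS,
                             hq_forwards=HQ_FORWARDS):
    """Return (ok, steps) for a packet from src in the branch LAN to the Internet."""
    src = ip_address(src)
    if src not in BO_LAN:
        return False, ["source is not in the branch LAN"]
    ok, steps = True, []
    # 1. The tunnel itself: both routers must deliver IKE/NAT-T to their UTM.
    for side, fw, ext in (("BO", bo_forwards, BO_UTM_EXT), ("HQ", hq_forwards, HQ_UTM_EXT)):
        missing = missing_nat_t_forwards(fw, ext)
        if missing:
            ok = False
            steps.append(f"{side} router: NAT-T forwards missing {missing}; tunnel cannot come up")
        else:
            steps.append(f"{side} router: UDP/500 and UDP/4500 reach {ext}, ESP rides inside UDP/4500")
    # 2. After decapsulation at HQ the packet still has its branch source.
    seen = source_after_hq_masquerade(src, masq_rules)
    if seen == src:
        ok = False
        steps.append(f"HQ UTM: no masquerading rule on {EXTERNAL} covers {src}; it leaves with a "
                     f"branch-LAN source that the upstream router has no route back to")
    else:
        steps.append(f"HQ UTM: {src} masqueraded to {seen}; HQ's router then NATs it to {HQ_PUBLIC}")
    return ok, steps


if __name__ == "__main__":
    only_hq_lan = [(HQ_LAN, EXTERNAL)]                       # typical wizard result
    with_branch = [(HQ_LAN, EXTERNAL), (BO_LAN, EXTERNAL)]   # what full tunnel needs
    for rules in (only_hq_lan, with_branch):
        ok, steps = trace_branch_to_internet("10.20.0.7", rules)
        print("OK" if ok else "BROKEN")
        for s in steps:
            print("  ", s)
    print("superfluous forwards at HQ:", superfluous_forwards(HQ_FORWARDS))
```

With only the HQ LAN masqueraded the trace comes back BROKEN at the last step even though both routers forward the right ports, which matches the symptom of a tunnel that establishes while branch Internet traffic goes nowhere. The `superfluous_forwards` result lists UDP/1701 as a forward that can be removed from both routers without affecting the IPsec tunnel.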

  • You're right, Alex, you do need to specify an IP.  I can't see why things don't work then, so you might open a case with Sophos Support.

    Cheers - Bob
