
IPsec with multiple subnets

I have recently acquired a Sophos firewall at work and I have successfully created an IPSec tunnel with a remote site ( IPSec Site-to-Site ) that is attached to our LAN network.

( Users can connect to this remote site via the LAN network flawlessly )

After the pandemic, most of the users are remote working and now using a VPN SSL connection ( which I assigned to a different IP address pool ) to connect to the LAN network and use a printer or any other local servers.

My boss has asked me to allow these remote working users, who are using the VPN SSL, to access the previously mentioned remote site.

So, I added the VPN SSL network with automatic firewall rules under the "Local Networks" in the IPSec Site-to-Site VPN and added the VPN SSL network in the remote site firewall as well.

I can access the remote site's IIS7 webpage but can't ping it nor see its network mapped drives.

My guess is that there is a firewall rule or a filter that is messing up something. 

I looked into some older forums/answers that mention SNAT.

Can anyone help me? 

Thanks!!

Edit- The Sophos Firewall is a UTM 9



  • FormerMember
    0 FormerMember

    Hi,

    Thanks for reaching out, and welcome to the Sophos Community! 

    Go to Network Protection > NAT > New NAT Rule > Select type as SNAT

    • For traffic from: VPN Pool (SSL)
    • Using services: Any
    • Going to: Remote IPsec network

    Action: 

    • Change the source to Internal(Address) >> IP address of the LAN interface.

    Reference screenshot:

    Thanks,

  • Hello H_Patel, thank you for replying, 

    I will provide more screen shots to help with my issue,

    • IPSec firewall rules that are created automatically
    • IPSec Connection setup
    • SSL VPN Connection setup

    Thanks once again for your help!! 

  • FormerMember
    0 FormerMember in reply to Nick AD

    Hi,

    Thanks for providing the screenshots. 

    If the configuration is correct, did you download the new SSL VPN configuration after adding the remote IPsec network under the local network? 

    I would suggest you run a packet capture (tcpdump) on the firewall on a destination IP address and espdump.

    SSH into UTM by following this KBA and switch to the root user: Access the UTM shell 

    Follow these commands: 

    1. cc
    2. ipsec
    3. connections@
    4. This should print out a list of the existing IPSec connections and their references like this;
      0 'REF_IpsRoaTest' [Test]

    Type "Exit" once you have the connection reference id.

    To actually espdump the connection, run the following command:

    • espdump -n --conn REF_IpsRoaTest -s0 | grep "IPAddress" and use the REF according to the appropriate tunnel.

    Thanks,

  • If the configuration is correct, did you download the new SSL VPN configuration after adding the remote IPsec network under the local network? 

    Yes, and when I check the VPN Client logs and print the Windows routes, I can see the route to the remote site network using the VPN Gateway. I can somehow reach the remote site's server's IIS webpage, but cannot ping it nor see its mapped network drives, which is weird. ( From the LAN network, I can do both. )

    The remote site's sysadmin confirmed to me that he added the SSL VPN network on their side and that all ports are open, for testing purposes. 

    I will attach logs ASAP.

    I must keep my SSL VPN users in a different IP address network and can't put them in the same LAN network. If I use SNAT, I am basically putting them in the LAN network, right? Or can I configure it in a way that only the ICMP and Windows file sharing protocol traffic is forwarded via the SNAT?

  • FormerMember
    +1 FormerMember in reply to Nick AD

    Hi,

    You can define the services in the SNAT rule as per your requirement. 

    The SNAT rule will change the source IP address from the SSL VPN network to the LAN network; the destination server/application will only see the LAN network as a source.

    Thanks,
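    To make the two SNAT replies above concrete, here is an added Python model (example code, not Sophos code and not posted by anyone in the thread) of how the rule "For traffic from VPN Pool (SSL), Going to the remote IPsec network, change source to Internal (Address)" alters the source the remote site sees, and how restricting "Using services" leaves other traffic (e.g. HTTP) with its original SSL pool source. All address ranges and the service set are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed addressing for the thread's topology (assumptions, not taken from the posts).
LAN_NET = ip_network("192.168.10.0/24")      # "Internal (Network)" at Site 1
LAN_IF_IP = ip_address("192.168.10.1")       # "Internal (Address)": the UTM's LAN interface IP
SSL_POOL = ip_network("10.242.2.0/24")       # "VPN Pool (SSL)" used by remote-access users
REMOTE_NET = ip_network("172.16.50.0/24")    # "LAN at Site2", reached through the IPsec tunnel

Service = Tuple[str, Optional[int]]          # (protocol, destination port); ICMP carries no port

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                               # "icmp", "tcp" or "udp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class SnatRule:
    """Models one UTM SNAT rule: traffic from / going to / using services -> change source to."""
    traffic_from: IPv4Network
    going_to: IPv4Network
    new_src: IPv4Address
    services: Optional[FrozenSet[Service]] = None   # None models "Any"

    def matches(self, pkt: Packet) -> bool:
        in_scope = pkt.src in self.traffic_from and pkt.dst in self.going_to
        return in_scope and (self.services is None or (pkt.proto, pkt.dport) in self.services)

def make_packet(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport)

def apply_snat(pkt: Packet, rules: List[SnatRule]) -> Packet:
    """Return the packet as the remote site sees it: the first matching rule rewrites the source."""
    for rule in rules:
        if rule.matches(pkt):
            return replace(pkt, src=rule.new_src)
    return pkt                               # no match: original SSL pool source crosses the tunnel

# Rule as in the first reply: services Any, source becomes the LAN interface address.
SNAT_ANY = SnatRule(SSL_POOL, REMOTE_NET, LAN_IF_IP)
# Narrower variant from the later reply: translate only ICMP and Windows file sharing (SMB, TCP/445).
SNAT_ICMP_SMB = SnatRule(SSL_POOL, REMOTE_NET, LAN_IF_IP,
                         frozenset({("icmp", None), ("tcp", 445)}))

if __name__ == "__main__":
    for name, pkt in (("ping", make_packet("10.242.2.7", "172.16.50.20", "icmp")),
                      ("smb", make_packet("10.242.2.7", "172.16.50.20", "tcp", 445)),
                      ("http", make_packet("10.242.2.7", "172.16.50.20", "tcp", 80))):
        print(f"{name}: any-rule src={apply_snat(pkt, [SNAT_ANY]).src}, "
              f"icmp+smb-rule src={apply_snat(pkt, [SNAT_ICMP_SMB]).src}")
```

    The clients themselves stay in the SSL pool; only the source address presented across the tunnel changes, and LAN hosts are untouched because they never match "traffic from VPN Pool (SSL)".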

  • Hi Nick,

    If you followed How to allow remote access users to reach another site via a Site-to-Site Tunnel, you should have no trouble.  An SNAT should not be needed if the IPsec tunnel and the Remote Access Profile are configured as in that KnowledgeBase article.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Greetings BAlfson,

    Thank you a lot for looking into my issue,

    Okay, so according to the KB, which seems to correspond to my configuration/situation, 

    Here is what is configured so far:

    Site 1 (the Sophos UTM 9 : One that I am administering ) :

    • SSL VPN Remote Access : "Local Networks" = "Internal (Network / LAN)" and "LAN at Site2" (as you can see in the screenshots)
    • Site-to-site configuration :
      • "Remote Gateway" "Remote Networks" = "LAN at Site2"
      • "IPsec Connection" "Local Networks" = "Internal (Network / LAN)" and "VPN Pool (SSL)"

    Site 2 (a Fortigate firewall that is not in my control) has the same configurations. I asked the person in charge to add the VPN SSL Network as a remote network. 

    So far, from a VPN SSL connection, I can reach the HTTP IIS webserver of the remote site's server but I can't ping it (which I can do when I am in the LAN network) nor reach its Windows network drives.

    Thank you,

    Cheers. 

  • If you don't see the pings being blocked in your firewall log, Nick, then my guess is a setting in the Fortigate. See 3. in #2 in Rulz (last updated 2021-02-16).

    I'll also guess that the remote Windows server has a setting that blocks your SSL VPN access to the shares, but I would have thought the SNAT suggested by Harsh would have fixed it, since your Internal network can access the shares.

    Cheers - Bob

  • SNAT

    Okay, so just to update: thanks for providing a wonderful KB and helping with the issue. The remote site kept on informing me that everything is open and that there are no IPs/ports blocked on their side, but I was curious to find a workaround. 

    Since the LAN Network already has full access to the remote site, I just put in place a SNAT towards the IPSec and everything is working as expected/needed.

    Thank you a million times to both of you!

    Now, I have another issue: from time to time, the Sophos UTM9 disconnects all my VPN SSL users randomly and reconnects them after ~5 minutes. I went through the VPN SSL logs but couldn't find why. 

    For example: at 12h00 - 15 VPN connections, at 12h05 - 30 VPN connections, and at 12h10 - back to the usual 15 VPN connections.

    ** The issue is that they use a specific application that breaks at each VPN disconnection. Some are not happy.

  • Great that SNAT solved the problem, Nick!

    One of the unwritten rules here is "one topic per thread" - that's to make it easier for future members to find an answer to a question that's already been answered.  Using an appropriate title, please ask your new question in the VPN forum.

    Cheers - Bob
