
IPsec with multiple subnets

I have recently acquired a Sophos firewall at work and I have successfully created an IPSec tunnel with a remote site ( IPSec Site-to-Site ) that is attached to our LAN network.

( Users can connect to this remote site via the LAN network flawlessly )

After the pandemic, most of the users are remote working and now using a VPN SSL connection ( which I assigned to a different IP address pool ) to connect to the LAN network and use a printer or any other local servers.

My boss has asked me to allow these remote working users, who are using the VPN SSL, to access the previously mentioned remote site.

So, I added the VPN SSL network with automatic firewall rules under the "Local Networks" in the IPSec Site-to-Site VPN and added the VPN SSL network in the remote site firewall as well.

I can access the remote site's IIS7 webpage but can't ping it nor see its network mapped drives.

My guess is that there is a firewall rule or a filter that is messing up something. 

I looked into some older forums/answers that mention SNAT.

Can anyone help me?

Thanks!!

Edit- The Sophos Firewall is a UTM 9

  • FormerMember
    0 FormerMember

    Hi,

    Thanks for reaching out, and welcome to the Sophos Community! 

    Go to Network Protection > NAT > New NAT Rule > Select type as SNAT

    • For traffic from: VPN Pool (SSL)
    • Using services: Any
    • Going to: Remote IPsec network

    Action: 

    • Change the source to Internal(Address) >> IP address of the LAN interface.

    Reference screenshot:

    Thanks,

  • Hello H_Patel, thank you for replying, 

    I will provide more screen shots to help with my issue,

    • IPSec firewall rules that are created automatically
    • IPSec Connection setup
    • SSL VPN Connection setup

    Thanks once again for your help!! 

  • FormerMember
    0 FormerMember in reply to Nick AD

    Hi,

    Thanks for providing the screenshots. 

    If the configuration is correct, did you download the new SSL VPN configuration after adding the remote IPsec network under the local network? 

    I would suggest you run a packet capture (tcpdump) on the firewall on a destination IP address and espdump.

    SSH into UTM by following this KBA and switch to the root user: Access the UTM shell 

    Follow these commands: 

    1. cc
    2. ipsec
    3. connections@
    4. This should print out a list of the existing IPSec connections and their references like this:
      0 'REF_IpsRoaTest' [Test]

    Type "Exit" once you have the connection reference id.

    To actually espdump the connection, run the following command:

    • espdump -n --conn REF_IpsRoaTest -s0 | grep "IPAddress" and use the REF according to the appropriate tunnel.

    Thanks,
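As an added illustration of the `connections@` step above (not code from the post or from Sophos), here is a small Python helper that turns the reference listing into a name-to-REF map and assembles the espdump pipeline the post gives, so the REF is never retyped by hand. The sample listing is constructed for this example; the connection names in it are made up.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample of the `connections@` listing, following the one-line
# format shown in the post ("0 'REF_IpsRoaTest' [Test]"); names are invented.
SAMPLE_CONNECTIONS_OUTPUT = """\
0 'REF_IpsRoaTest' [Test]
1 'REF_IpsSitBranch' [Branch Office]
"""

# index, quoted REF_ identifier, bracketed display name
LINE_RE = re.compile(r"^\s*(\d+)\s+'(REF_[A-Za-z0-9_]+)'\s+\[(.*)\]\s*$")


def parse_connections(output: str) -> Dict[str, str]:
    """Map each IPsec connection's display name to its REF_ identifier."""
    refs: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            refs[m.group(3)] = m.group(2)
    return refs


def espdump_pipeline(ref: str, ip_address: str) -> str:
    """Shell pipeline from the post, filtered with grep on one IP address.

    Both arguments are quoted so a typo in the REF or address cannot turn
    into extra shell words.
    """
    if not re.fullmatch(r"REF_[A-Za-z0-9_]+", ref):
        raise ValueError(f"not a connection reference: {ref!r}")
    espdump: List[str] = ["espdump", "-n", "--conn", ref, "-s0"]
    grep: List[str] = ["grep", ip_address]
    return shlex.join(espdump) + " | " + shlex.join(grep)


if __name__ == "__main__":
    refs = parse_connections(SAMPLE_CONNECTIONS_OUTPUT)
    # "192.0.2.10" is a documentation address standing in for the remote server
    print(espdump_pipeline(refs["Test"], "192.0.2.10"))
```

The regex is deliberately strict about the `REF_` prefix so that a stray line of shell output is skipped rather than turned into a bogus reference.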

  • If the configuration is correct, did you download the new SSL VPN configuration after adding the remote IPsec network under the local network? 

    Yes, and when I check the VPN client logs and print the Windows routes, I can see the route to the remote site network using the VPN gateway. I can somehow reach the remote site's server's IIS webpage, but cannot ping it nor see its mapped network drives, which is weird. ( from the LAN network, I can do both )

    The remote site's sysadmin confirmed to me that he added the SSL VPN network on their side and that all ports are open, for testing purposes.

    I will attach logs ASAP.

    I must keep my SSL VPN users in a different IP address network and can't put them in the same LAN network. If I use SNAT, I am basically putting them in the LAN network, right? Or can I configure it in a way that only the ICMP and Windows file sharing protocol traffic is forwarded via the SNAT?

  • FormerMember
    +1 FormerMember in reply to Nick AD

    Hi,

    You can define the services in the SNAT rule as per your requirement. 

    The SNAT rule will change the source IP address from the SSL VPN network to the LAN network; the destination server/application will only see the LAN network as a source.

    Thanks,
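To make the last two answers concrete, here is an added Python model (not code from the thread, Sophos, or UTM) of an SNAT rule built the way the answer describes: "For traffic from" the SSL VPN pool, "Going to" the remote IPsec network, with the service list limited to ICMP and SMB, and the source rewritten to the LAN interface address. All addresses are constructed for the example: 10.242.2.0/24 as the SSL VPN pool, 192.168.10.1 as the LAN interface, 192.168.50.0/24 as the remote site. Running it shows which flows the remote server sees coming from the LAN address and which keep their real pool address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

Service = Tuple[str, Optional[int]]   # (protocol, destination port); port None for ICMP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class SnatRule:
    from_net: str                    # "For traffic from"
    to_net: str                      # "Going to"
    services: Optional[Set[Service]] # None means "Any", as in the first answer
    new_source: str                  # "Change the source to"

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.from_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.to_net):
            return False
        if self.services is None:
            return True
        return (pkt.proto, pkt.dport) in self.services


def apply_snat(rules: List[SnatRule], pkt: Packet) -> Packet:
    """First matching rule wins, as in an ordered NAT table; non-matching traffic passes untouched."""
    for rule in rules:
        if rule.matches(pkt):
            return Packet(rule.new_source, pkt.dst, pkt.proto, pkt.dport)
    return pkt


# Constructed rule following the thread: SSL VPN pool -> remote IPsec network,
# only ICMP and SMB translated, source becomes the LAN interface address.
SSL_POOL = "10.242.2.0/24"
REMOTE_SITE = "192.168.50.0/24"
LAN_INTERFACE_IP = "192.168.10.1"

RULE_ICMP_SMB = SnatRule(
    from_net=SSL_POOL,
    to_net=REMOTE_SITE,
    services={("icmp", None), ("tcp", 445), ("tcp", 139)},
    new_source=LAN_INTERFACE_IP,
)


def source_seen_by_remote(pkt: Packet) -> str:
    """Source address the remote server would log for this flow."""
    return apply_snat([RULE_ICMP_SMB], pkt).src


if __name__ == "__main__":
    for pkt in [
        Packet("10.242.2.7", "192.168.50.20", "icmp"),        # ping from SSL client
        Packet("10.242.2.7", "192.168.50.20", "tcp", 445),    # mapped drive from SSL client
        Packet("10.242.2.7", "192.168.50.20", "tcp", 80),     # IIS page from SSL client
        Packet("192.168.10.55", "192.168.50.20", "tcp", 445), # LAN host, rule does not apply
    ]:
        print(f"{pkt.proto:4} {pkt.dport!s:>5} {pkt.src:>15} -> remote sees {source_seen_by_remote(pkt)}")
```

Restricting the service list this way answers the question in the thread: only the flows that need it borrow the LAN address, while HTTP keeps the real pool address, which also keeps the remote site's logs accurate for those connections. The trade-off is that translated flows all appear as one host on the remote side, so per-user attribution for ping and SMB has to come from the UTM's own logs.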