IPsec with multiple subnets

I have recently acquired a Sophos firewall at work and I have successfully created an IPsec tunnel with a remote site (IPsec Site-to-Site) that is attached to our LAN network.

( Users can connect to this remote site via the LAN network flawlessly )

After the pandemic, most of the users are remote working and now use an SSL VPN connection (which I assigned to a different IP address pool) to connect to the LAN network and use a printer or any other local servers.

My boss has asked me to allow these remote working users that are using the SSL VPN to access the previously mentioned remote site.

So, I added the SSL VPN network, with automatic firewall rules, under "Local Networks" in the IPsec Site-to-Site VPN and added the SSL VPN network in the remote site's firewall as well.

I can access the remote site's IIS7 webpage but can't ping it nor see its network mapped drives.

My guess is that there is a firewall rule or a filter that is messing something up.

I looked into some older forums/answers that mention SNAT.

Can anyone help me? 

Thanks!!

Edit: The Sophos Firewall is a UTM 9



  • Hi Nick,

    If you followed How to allow remote access users to reach another site via a Site-to-Site Tunnel, you should have no trouble.  An SNAT should not be needed if the IPsec tunnel and the Remote Access Profile are configured as in that KnowledgeBase article.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Greetings BAlfson,

    Thank you a lot for looking into my issue.

    Okay, so according to the KB, which seems to correspond to my configuration/situation,

    here is what is configured so far:

    Site 1 (the Sophos UTM 9: the one that I am administering):

    • SSL VPN Remote Access: 'Local Networks' = "Internal (Network / LAN)" and "LAN at Site2" (as you can see in the screenshots)
    • Site-to-site configuration:
      • "Remote Gateway" "Remote Networks" = "LAN at Site2"
      • "IPsec Connection" "Local Networks" = "Internal (Network / LAN)" and "VPN Pool (SSL)"

    Site 2 (a Fortigate firewall that is not in my control) has the same configuration. I asked the person in charge to add the SSL VPN network as a remote network.

    So far, from an SSL VPN connection, I can reach the HTTP IIS web server of the remote site's server but I can't ping it (which I can do when I am in the LAN network) nor reach its Windows network drives.

    Thank you,

    Cheers. 

  • If you don't see the pings being blocked in your firewall log, Nick, then my guess is a setting in the Fortigate. See 3. in #2 in Rulz (last updated 2021-02-16).

    I'll also guess that the remote Windows server has a setting that blocks your SSL VPN access to the shares, but I would have thought the SNAT suggested by Harsh would have fixed it, since your Internal network can access the shares.

    Cheers - Bob

  • SNAT

    Okay, so just to update, and to thank you for providing a wonderful KB and helping with the issue: the remote site kept informing me that everything is open and that there are no IPs/ports blocked on their side, but I was curious to find a workaround.

    Since the LAN network already has full access to the remote site, I just put in place an SNAT towards the IPsec tunnel and everything is working as expected/needed.

    Thank you a million times, both and

    Now, I have another issue: from time to time, the Sophos UTM 9 disconnects all my SSL VPN users randomly and reconnects them after ~5 minutes. I went through the SSL VPN logs but couldn't find out why.

    For example: at 12h00 - 15 VPN connections, at 12h05 - 30 VPN connections and at 12h10 - back to the usual 15 VPN connections.

    ** The issue is that they use a specific application that breaks at each VPN disconnection. Some are not happy.
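As an added illustration (not from the thread, the KB article or Sophos code) of why the SSL VPN pool has to appear in the IPsec "Local Networks" on Site 1 and in the remote networks on Site 2, and why an SNAT to the LAN sidesteps the Site 2 change: a small Python model of the traffic-selector match on both gateways. The address ranges are constructed placeholders standing in for the thread's named networks.

```python
"""Model IPsec traffic selectors for a Site-to-Site tunnel and check whether a
flow from the SSL VPN pool is carried, with and without an SNAT to the LAN."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed placeholder ranges for the networks named in the thread.
INTERNAL_LAN = ip_network("192.168.10.0/24")   # "Internal (Network / LAN)"
VPN_POOL_SSL = ip_network("10.242.2.0/24")     # "VPN Pool (SSL)"
LAN_AT_SITE2 = ip_network("192.168.20.0/24")   # "LAN at Site2"


@dataclass
class TunnelPolicy:
    """One gateway's view of the tunnel: its local and remote selectors."""
    local: list[IPv4Network]
    remote: list[IPv4Network]

    def selects(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # A flow is protected only if src falls in a local and dst in a remote selector.
        return any(src in n for n in self.local) and any(dst in n for n in self.remote)


def tunnel_carries(site1: TunnelPolicy, site2: TunnelPolicy,
                   src: IPv4Address, dst: IPv4Address) -> bool:
    """Site 1 must select the outbound flow, and Site 2 must hold the mirrored
    selector so it accepts the inbound packet and routes the reply back in."""
    return site1.selects(src, dst) and site2.selects(dst, src)


def snat_to_lan(src: IPv4Address, lan: IPv4Network = INTERNAL_LAN) -> IPv4Address:
    """The thread's workaround: rewrite an SSL VPN source to the firewall's LAN
    address (first host of the LAN, a constructed choice) before IPsec."""
    return src if src in lan else next(lan.hosts())


def scenarios() -> dict[str, bool]:
    """Return carried/not-carried for the four states the thread went through."""
    ssl_client = ip_address("10.242.2.7")
    remote_srv = ip_address("192.168.20.50")
    site2_old = TunnelPolicy(local=[LAN_AT_SITE2], remote=[INTERNAL_LAN])
    site2_new = TunnelPolicy(local=[LAN_AT_SITE2], remote=[INTERNAL_LAN, VPN_POOL_SSL])
    site1_old = TunnelPolicy(local=[INTERNAL_LAN], remote=[LAN_AT_SITE2])
    site1_new = TunnelPolicy(local=[INTERNAL_LAN, VPN_POOL_SSL], remote=[LAN_AT_SITE2])
    return {
        "lan_only_both_sides": tunnel_carries(site1_old, site2_old, ssl_client, remote_srv),
        "pool_added_site1_only": tunnel_carries(site1_new, site2_old, ssl_client, remote_srv),
        "pool_added_both_sides": tunnel_carries(site1_new, site2_new, ssl_client, remote_srv),
        "snat_pool_to_lan": tunnel_carries(site1_old, site2_old,
                                           snat_to_lan(ssl_client), remote_srv),
    }
```

The SNAT case passes because the remote gateway only ever sees LAN source addresses, which also means Site 2's logs can no longer distinguish SSL VPN users from LAN hosts.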

  • Great that the SNAT solved the problem, Nick!

    One of the unwritten rules here is "one topic per thread" - that's to make it easier for future members to find an answer to a question that's already been answered.  Using an appropriate title, please ask your new question in the VPN forum.

    Cheers - Bob
