
SSL VPN/UTM Routing to Internal Gateway

Hi all,

 

I'm trying to set up routing on the Sophos UTM so it can ping a server at our US site. I can see through the tracert on the UTM that it's using the external gateway address, whereas I need it to use our internal gateway as that also hosts our site-to-site VPN.

Is there any way I can do this? 

Any help would be appreciated. 


Regards,

 

Rob



  • Try to add a gateway-route within UTM.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • That can be done, Dirk, but it would require binding the tunnel to a specific WAN connection.  Even then, I'm not sure the configuration daemon would build the right rules to be able to reach the public IP.  I've had problems with that in the past.

    I'd be interested in knowing if Dirk's idea would work without binding the tunnel to the WAN interface if the route were a Gateway Route like '{remote public IP} via {remote IP on the LAN interface in the tunnel}'.

    Rob, if your goal is just to see if the tunnel is functioning, why not ping the IP on the LAN interface of the other tunnel endpoint?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Basically, I'm having issues with our SSL VPN where clients can't connect to our US infrastructure. The site to site VPN is hosted on a Linux box called IPCop. 

    I need the route from the client to go to the UTM first (which is configured and working correctly), and then have that route to IPCop, which then sends it across to the US. Unfortunately it seems the middle part isn't working - I can't ping anything in the US from our UTM. Every time I do it seems to use the external gateway first, instead of the internal gateway. 

    So, I've now added a default gateway IP in the internal interface (which has in turn enabled Uplink Balancing). I've also enabled a gateway static route to say the internal network should be routed via IPCop. Still, this doesn't seem to have worked as I can't ping/tracert to the US servers. Is there anything else I can try? 

  • Rob, please make a simple text diagram that shows the UTM, IPCop and other devices involved in one test.

    Cheers - Bob

  • You'll have to forgive me for the poor diagram... it was done quickly on an iPhone whilst on the train. Hopefully this gives you enough insight, though :) If you need any more detail, please let me know.

     

  • Can you not just create a static route in the UK Sophos UTM where you define to reach the US subnet through the IPCOP IP-address (so use IPCOP as router for the US subnet)?

    You would have to also include the VPN Clients subnet (from UK) in the Site-to-site tunnel between IPCOP and UTM (US) so UTM US knows where to send back traffic to the UK.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks for that - I can confirm the UTM can now ping the US subnet via IPCOP (I had put the UK internal network in the static route Network section, thinking that would mean any traffic from the Internal network would be routed via IPCop. I had to remove it and put in the US network so it's basically saying any traffic intended for the US network would be routed via IPCop). Slight misconfiguration on my part... 

    However, the VPN clients still can't connect to the US network. I've checked the Site-to-Site tunnel between IPCop and the UTM (US). The US side has the UK subnet (10.1.0.0) under the Remote Gateway - Remote Networks section. 

  • The site-to-site connection would also need to know about the VPN-client subnet range otherwise it will not be routed over this connection.

    Another option could be to create an SNAT rule where you translate the VPN-client subnet to the Internal network (which subnet already is in the site-to-site tunnel).


  • "The US side has the UK subnet (10.1.0.0) under the Remote Gateway - Remote Networks section." 

    I forgot to mention that the SSL VPN subnet is 10.1.17.0, so the S2S VPN connection should already know about it. 

  • Thanks for this, although after having gone through the configuration it's still a no go. 

    To summarise:

    UK Site:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    Sophos UTM: 10.1.0.20 or for SSL VPN: 10.1.17.1

    IP COP: 10.1.7.254 

     

    US site: 

    LAN = 10.2.0.0/21

    Sophos UTM: 10.2.7.254

     

    I've set up a static route on the UK UTM to say anything going to the US LAN should be routed via IP COP.

    When pinging something on the US network from one of the SSL VPN clients, I receive "Reply from 10.1.17.1: Destination host unreachable." So it seems like the UK UTM is not routing the VPN traffic to IP COP. 

    Are there any logs I could go through to check what's happening? I've taken a look at the firewall and ssl vpn logs to no avail. 

    I can confirm I've been through the following link (https://community.sophos.com/kb/hu-hu/115734). 

    In the site to site configuration for the US site, the UK LAN subnet is listed. I don't believe there's any need to add the SSL VPN pool separately as it falls under the same subnet. 

    It's the same thing for the IP COP S2S configuration - the SSL VPN pool falls under the UK subnet, so there's no need to add it in separately. 

     

    Thanks for your help and patience so far :) 

    Hopefully we'll get to the bottom of this soon... 

  • "I've set up a static route on the UK UTM to say anything going to the US LAN should be routed via IP COP."

    I'm getting lost again, Rob.  I thought there was a VPN between the UTM and the US office.  If that's the case, your manual route could be causing a problem.  It shouldn't even be considered though.

    Cheers - Bob

  • No, if you take a look at my diagram it's IP COP hosting the S2S VPN on the UK side going to the US UTM. 

  • Can it be that IPCOP cannot route to 10.1.17.0/24?
    IPCOP is 10.1.7.254/16, so for IPCOP 10.1.17.0/24 is the same network and it will only do an ARP request (who has 10.1.17.x, tell 10.1.7.254), while it should route it to Sophos as a next hop?

    I believe the problem is in the overlapping subnets.


  • Rob, you said:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    I didn't see this until apijnappels mentioned it - he nailed it.  Your overlapping subnet is the problem.

    Cheers - Bob

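Added example, not from the thread or from Sophos: a Python longest-prefix-match model of the two routing tables discussed above, built with the addresses Rob posted. It shows why IPCop (10.1.7.254/16) treats the SSL VPN pool 10.1.17.0/24 as on-link and ARPs for it instead of forwarding to the UTM, why the first static route (the UK LAN as the route's network) never matched US traffic, and what a more specific /24 route on IPCop via the UTM's 10.1.0.20 would change; that remedy is an assumption of this example, not something the thread states.

```python
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: IPv4Network
    via: Optional[str]  # None = directly connected: resolve by ARP on that link


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific route containing dst (longest prefix match)."""
    addr = ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop(table: List[Route], dst: str) -> str:
    """'ARP' if the router thinks dst is on-link, else the gateway or tunnel name."""
    r = lookup(table, dst)
    if r is None:
        return "UNREACHABLE"
    return "ARP" if r.via is None else r.via


# IPCop, 10.1.7.254/16: the whole UK LAN is one connected /16 (Rob's addresses).
IPCOP = [
    Route(ip_network("10.1.0.0/16"), None),          # connected LAN
    Route(ip_network("10.2.0.0/21"), "s2s-tunnel"),  # US LAN via the site-to-site VPN
    Route(ip_network("0.0.0.0/0"), "wan"),
]

# UK UTM with the corrected static route (US LAN via IPCop).
UK_UTM = [
    Route(ip_network("10.1.0.0/16"), None),          # LAN interface, 10.1.0.20
    Route(ip_network("10.1.17.0/24"), None),         # SSL VPN pool on the tun interface
    Route(ip_network("10.2.0.0/21"), "10.1.7.254"),  # static route to the US LAN
    Route(ip_network("0.0.0.0/0"), "wan"),
]

# Rob's first attempt: the UK LAN itself as the route's network. The US LAN is not
# covered by it, so US traffic still falls through to the default route.
UK_UTM_WRONG = [Route(ip_network("10.1.0.0/16"), "10.1.7.254"), UK_UTM[3]]

# Assumed remedy (not stated in the thread): a /24 on IPCop beats the connected /16,
# so replies for the VPN pool are forwarded to the UTM instead of being ARPed for.
IPCOP_FIXED = [Route(ip_network("10.1.17.0/24"), "10.1.0.20")] + IPCOP
```

`next_hop(IPCOP, "10.1.17.5")` returns `"ARP"` (the symptom), while `next_hop(IPCOP_FIXED, "10.1.17.5")` returns `"10.1.0.20"`.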