
SSL VPN/UTM Routing to Internal Gateway

Hi all,

 

I'm trying to set up routing on the Sophos UTM so it can ping a server at our US site. I can see through the tracert on the UTM that it's using the external gateway address, whereas I need it to use our internal gateway as that also hosts our site-to-site VPN. 

Is there any way I can do this? 

Any help would be appreciated. 


Regards,

 

Rob



  • Try to add a gateway-route within UTM.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • That can be done, Dirk, but it would require binding the tunnel to a specific WAN connection.  Even then, I'm not sure the configuration daemon would build the right rules to be able to reach the public IP.  I've had problems with that in the past.

    I'd be interested in knowing if Dirk's idea would work without binding the tunnel to the WAN interface if the route were a Gateway Route like '{remote public IP} via {remote IP on the LAN interface in the tunnel}'.

    Rob, if your goal is just to see if the tunnel is functioning, why not ping the IP on the LAN interface of the other tunnel endpoint?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Basically, I'm having issues with our SSL VPN where clients can't connect to our US infrastructure. The site to site VPN is hosted on a Linux box called IPCop. 

    I need the route from the client to go to the UTM first (which is configured and working correctly), and then have that route to IPCop, which then sends it across to the US. Unfortunately it seems the middle part isn't working - I can't ping anything in the US from our UTM. Every time I do it seems to use the external gateway first, instead of the internal gateway. 

    So, I've now added a default gateway IP in the internal interface (which has in turn enabled Uplink Balancing). I've also enabled a gateway static route to say the internal network should be routed via IPCop. Still, this doesn't seem to have worked as I can't ping/tracert to the US servers. Is there anything else I can try? 

  • Rob, please make a simple text diagram that shows the UTM, IPCop and other devices involved in one test.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  •  You'll have to forgive me for the poor diagram... it was done quickly on an iPhone whilst on the train. Hopefully this gives you enough insight, though :) If you need any more detail, please let me know. 

     

  • Can you not just create a static route in the UK Sophos UTM where you define to reach the US subnet through the IPCOP IP-address (so use IPCOP as router for the US subnet)?

    You would have to also include the VPN Clients subnet (from UK) in the Site-to-site tunnel between IPCOP and UTM (US) so UTM US knows where to send back traffic to the UK.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks for that - I can confirm the UTM can now ping the US subnet via IPCOP (I had put the UK internal network in the static route Network section, thinking that would mean any traffic from the Internal network would be routed via IPCop. I had to remove it and put in the US network so it's basically saying any traffic intended for the US network would be routed via IPCop). Slight misconfiguration on my part... 

    However, the VPN clients still can't connect to the US network. I've checked the Site-to-Site tunnel between IPCop and the UTM (US). The US side has the UK subnet (10.1.0.0) under the Remote Gateway - Remote Networks section. 

  • The site-to-site connection would also need to know about the VPN-client subnet range otherwise it will not be routed over this connection.

    Another option could be to create an SNAT rule where you translate the VPN-client subnet to the Internal network (which subnet already is in the site-to-site tunnel).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • "The US side has the UK subnet (10.1.0.0) under the Remote Gateway - Remote Networks section." 

    I forgot to mention that the SSL VPN subnet is 10.1.17.0, so the S2S VPN connection should already know about it. 

  •  
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for this, although after having gone through the configuration it's still a no go. 

    To summarise:

    UK Site:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    Sophos UTM: 10.1.0.20 or for SSL VPN: 10.1.17.1

    IP COP: 10.1.7.254 

     

    US site: 

    LAN = 10.2.0.0/21

    Sophos UTM: 10.2.7.254

     

    I've set up a static route on the UK UTM to say any going to the US LAN should be routed via IP COP. 

    When pinging something on the US network from one of the SSL VPN clients, I receive "Reply from 10.1.17.1: Destination host unreachable." So it seems like the UK UTM is not routing the VPN traffic to IP COP. 

    Are there any logs I could go through to check what's happening? I've taken a look at the firewall and ssl vpn logs to no avail. 

    I can confirm I've been through the following link (https://community.sophos.com/kb/hu-hu/115734). 

    In the site to site configuration for the US site, the UK LAN subnet is listed. I don't believe there's any need to add the SSL VPN pool separately as it falls under the same subnet. 

    It's the same thing for the IP COP S2S configuration - the SSL VPN pool falls under the UK subnet, so there's no need to add it in separately. 

     

    Thanks for your help and patience so far :) 

    Hopefully we'll get to the bottom of this soon... 

  • "I've set up a static route on the UK UTM to say any going to the US LAN should be routed via IP COP."

    I'm getting lost again, Rob.  I thought there was a VPN between the UTM and the US office.  If that's the case, your manual route could be causing a problem.  It shouldn't even be considered though.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, if you take a look at my diagram it's IP COP hosting the S2S VPN on the UK side going to the US UTM. 

  • Can it be that IPCOP cannot route to 10.1.17.0/24?
    IPCOP is 10.1.7.254/16, so for IPCOP 10.1.17.0/24 is the same network and it will only do an ARP request (who has 10.1.17.x, tell 10.1.7.254), while it should route it to Sophos as the next hop?

    I believe the problem is in the overlapping subnets.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Rob, you said:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    I didn't see this until apijnappels mentioned it - he nailed it.  Your overlapping subnet is the problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the reply and suggestion but IPCOP can route to 10.1.17.0/24. 

    The SSL VPN pool is designed to be in the same network as the UK subnet to make the routing easier for IPCOP. The SSL VPN pool should be working in the same fashion as an internal user within the UK office. 

    For example, I have IP 10.1.4.2/21 and I can ping/connect to the US network (10.2.1.1/21) perfectly fine. The SSL VPN pool has 10.1.17.0/24 so it should fit within the scope to forward the packets across to the US network if the destination address is 10.2.x.x/21.  

    We're going to be retiring IPCop anyway, so I think I'll transfer the Site to Site VPN over to our UTM and hopefully that will resolve the issue. 

  • Please let us know if your tests show that the UTM still causes problems with routing because it won't answer an ARP request for an IP in a remote access subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Rob, Your US site does indeed know to send the SSL-VPN subnet to the UK (because 10.1.17.0/24 is included in 10.1.0.0/16 BUT.... IPCOP thinks 10.1.17.0 is just in the same subnet as 10.1.0.0 and thus will only use ARP to learn the MAC-address of the client. However Sophos UTM is in between and will not pass ARP-requests.

    Try to make a static route on IPCOP for 10.1.17.0/24 through gateway 10.1.0.20. Then it might just work.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
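    The forwarding decision apijnappels describes, as an added illustration that is not part of the thread: a longest-prefix-match lookup modelled on the addresses Rob posted (IPCop 10.1.7.254/16, UTM 10.1.0.20, SSL VPN pool 10.1.17.0/24, US LAN 10.2.0.0/21). The routing tables and interface names (eth0, tun0, the tunnel pseudo-hop) are constructed for the example, not taken from either device.

```python
import ipaddress

# Constructed routing tables using the thread's addresses.
# Each entry: (prefix, next_hop, interface); next_hop None = directly connected,
# meaning the router resolves the destination itself (ARP on an Ethernet LAN).
IPCOP_BEFORE = [
    (ipaddress.ip_network("10.1.0.0/16"), None, "eth0"),        # UK LAN, on-link
    (ipaddress.ip_network("10.2.0.0/21"), "s2s-vpn", "ipsec0"),  # US LAN via the tunnel
]
# Same table plus the /24 static route suggested above: VPN pool via the UTM (10.1.0.20).
IPCOP_AFTER = IPCOP_BEFORE + [
    (ipaddress.ip_network("10.1.17.0/24"), "10.1.0.20", "eth0"),
]
# The UK UTM as Rob describes it: LAN on its internal interface, SSL VPN pool on the
# tun interface, and the gateway route for the US LAN pointing at IPCop.
UK_UTM = [
    (ipaddress.ip_network("10.1.0.0/16"), None, "eth0"),
    (ipaddress.ip_network("10.1.17.0/24"), None, "tun0"),
    (ipaddress.ip_network("10.2.0.0/21"), "10.1.7.254", "eth0"),
]

def lookup(table, dst):
    """Longest-prefix match: the most specific matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, dev in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh, dev)
    return best

def forwarding_action(table, dst):
    """Describe what the router does with a packet addressed to dst."""
    best = lookup(table, dst)
    if best is None:
        return "drop: no route"
    prefix, nh, dev = best
    if nh is None:
        # Directly connected: the router ARPs for the host itself instead of
        # handing the packet to a next hop, which is the failure mode in the thread.
        return f"on-link {dev} ({prefix}): resolve {dst} directly"
    return f"forward via {nh} on {dev} ({prefix})"
```

    Without the /24 route, a US reply to a VPN client arriving at IPCop matches only the connected /16 and IPCop tries to ARP for 10.1.17.x on the LAN; with the /24 route the more specific prefix wins and the packet is handed to the UTM.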

  • Thanks for the explanation! I've put in the routing but often with IPCOP you need to restart it for the changes to take effect. As such, I'll restart it tonight out of hours and test the configuration tomorrow. 

  • Unfortunately, that hasn't worked after restarting IPCOP last night. 

    Also, looking over your comment again there may be some confusion as I'm trying to get the UK side to send to the US. Everything on the UK side is 10.1.x.x and everything on the US side is 10.2.x.x

    apijnappels said:

    Hello Rob, Your US site does indeed know to send the SSL-VPN subnet to the UK (because 10.1.17.0/24 is included in 10.1.0.0/16 BUT.... IPCOP thinks 10.1.17.0 is just in the same subnet as 10.1.0.0...

     

    I need the UK site to send the SSL-VPN subnet to the US, not the other way around. I wonder if that changes the routing suggestion you asked me to do? 

  • For the routing to work both sites need to know how to route to the other site.

    Do you also have a route in the Sophos UK site for 10.2.0.0/21 (US subnet)? It should send this to gateway 10.1.7.254  (IPCOP).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Yep, I added that a while ago as a gateway route. 

    The traceroute still shows that the connection stops at the UTM (10.1.17.1).