This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN/UTM Routing to Internal Gateway

Hi all,

 

I'm trying to set-up routing on the Sophos UTM so it can ping a server at our US site. I can see through the tracert on the UTM that it's using the external gateway address, whereas I need it to use our internal gateway as that also hosts our site-to-site VPN. 

Is there any way I can do this? 

Any help would be appreciated. 


Regards,

 

Rob



This thread was automatically locked due to age.
Parents
  • Try to add a gateway-route within UTM.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • That can be done, Dirk, but it would require binding the tunnel to a specific WAN connection.  Even then, I'm not sure the configuration daemon would build the right rules to be able to reach the public IP.  I've had problems with that in the past.

    I'd be interested in knowing if Dirk's idea would work without binding the tunnel to the WAN interface if the route were a Gateway Route like '{remote public IP} via {remote IP on the LAN interface in the tunnel}'.

    Rob, if your goal is just to see if the tunnel is functioning, why not ping the IP on the LAN interface of the other tunnel endpoint?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The site-to-site connection would also need to know about the VPN-client subnet range otherwise it will not be routed over this connection.

    Another option could be to create an SNAT rule where you translate the VPN-client subnet to the Internal network (which subnet already is in the site-to-site tunnel).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • "The US side has the UK subnet (10.1.0.0) under the Remote Gateway - Remote Networks section." 

    I forgot to mention that the SSL VPN subnet is 10.1.17.0, so the S2S VPN connection should already know about it. 

  •  
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for this, although after having gone through the configuration it's still a no go. 

    To summarise:

    UK Site:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    Sophos UTM: 10.1.0.20 or for SSL VPN: 10.1.17.1

    IP COP: 10.1.7.254 

     

    US site: 

    LAN = 10.2.0.0/21

    Sophos UTM: 10.2.7.254

     

    I've set up a static route on the UK UTM to say any going to the US LAN should be routed via IP COP. 

    When pinging something on the US network from one of the SSL VPN clients, I receive "Reply from 10.1.17.1: Destination host unreachable." So it seems like the UK UTM is not routing the VPN traffic to IP COP. 

    Are there any logs I could go through to check what's happening? I've taken a look at the firewall and ssl vpn logs to no avail. 

    I can confirm I've been through the following link (https://community.sophos.com/kb/hu-hu/115734). 

    In the site to site configuration for the US site, the UK LAN subnet is listed. I don't believe there's any need to add the SSL VPN pool separately as it falls under the same subnet. 

    It's the same thing for the IP COP S2S configuration - the SSL VPN pool falls under the UK subnet, so there's no need to add it in separately. 

     

    Thanks for your help and patience so far :) 

    Hopefully we'll get to the bottom of this soon... 

  • "I've set up a static route on the UK UTM to say any going to the US LAN should be routed via IP COP."

    I'm getting lost again, Rob.  I thought there was a VPN between the UTM and the US office.  If that's the case, your manual route could be causing a problem.  It shouldn't even be considered though.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, if you take a look at my diagram it's IP COP hosting the S2S VPN on the UK side going to the US UTM. 

  • Can it be that IPCOP cannot route to 10.1.17.0/24?
    IPCOP is 10.1.7.254/16 so for IPCOP 10.1.17.0/24 is the same network so it will only do a arp request (who has 10.1.17.x, tell 10.1.7.254) while it should route it to Sophos as a next hop?

    I believe the problem is in the overlapping subnets.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Rob, you said:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    I didn't see this until apijnappels mentioned it - he nailed it.  Your overlapping subnet is the problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the reply and suggestion but IPCOP can route to 10.1.17.0/24. 

    The SSL VPN pool is designed to be in the same network as the UK subnet to make the routing easier for IPCOP. The SSL VPN pool should be working in the same fashion as an internal user within the UK office. 

    For example, I have IP 10.1.4.2/21 and I can ping/connect to the US network (10.2.1.1/21) perfectly fine. The SSL VPN pool has 10.1.17.0/24 so it should fit within the scope to forward the packets across to the US network if the destination address is 10.2.x.x/21.  

    We're going to be retiring IPCop anyway, so I think I'll transfer the Site to Site VPN over to our UTM and hopefully that will resolve the issue. 

  • Please let us know if your tests show that the UTM still causes problems with routing because it won't answer an ARP request for an IP in a remote access subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Please let us know if your tests show that the UTM still causes problems with routing because it won't answer an ARP request for an IP in a remote access subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data