
SSL VPN/UTM Routing to Internal Gateway

Hi all,


I'm trying to set-up routing on the Sophos UTM so it can ping a server at our US site. I can see through the tracert on the UTM that it's using the external gateway address, whereas I need it to use our internal gateway as that also hosts our site-to-site VPN. 

Is there any way I can do this? 

Any help would be appreciated. 


Regards,


Rob



  • Try to add a gateway-route within UTM.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • That can be done, Dirk, but it would require binding the tunnel to a specific WAN connection.  Even then, I'm not sure the configuration daemon would build the right rules to be able to reach the public IP.  I've had problems with that in the past.

    I'd be interested in knowing if Dirk's idea would work without binding the tunnel to the WAN interface if the route were a Gateway Route like '{remote public IP} via {remote IP on the LAN interface in the tunnel}'.

    Rob, if your goal is just to see if the tunnel is functioning, why not ping the IP on the LAN interface of the other tunnel endpoint?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for this, although after having gone through the configuration it's still a no go. 

    To summarise:

    UK Site:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    Sophos UTM: 10.1.0.20 or for SSL VPN: 10.1.17.1

    IP COP: 10.1.7.254 


    US site: 

    LAN = 10.2.0.0/21

    Sophos UTM: 10.2.7.254


    I've set up a static route on the UK UTM to say anything going to the US LAN should be routed via IP COP. 

    When pinging something on the US network from one of the SSL VPN clients, I receive "Reply from 10.1.17.1: Destination host unreachable." So it seems like the UK UTM is not routing the VPN traffic to IP COP. 

    Are there any logs I could go through to check what's happening? I've taken a look at the firewall and ssl vpn logs to no avail. 

    I can confirm I've been through the following link (https://community.sophos.com/kb/hu-hu/115734). 

    In the site to site configuration for the US site, the UK LAN subnet is listed. I don't believe there's any need to add the SSL VPN pool separately as it falls under the same subnet. 

    It's the same thing for the IP COP S2S configuration - the SSL VPN pool falls under the UK subnet, so there's no need to add it in separately. 


    Thanks for your help and patience so far :) 

    Hopefully we'll get to the bottom of this soon... 

  • "I've set up a static route on the UK UTM to say any going to the US LAN should be routed via IP COP."

    I'm getting lost again, Rob.  I thought there was a VPN between the UTM and the US office.  If that's the case, your manual route could be causing a problem.  It shouldn't even be considered though.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, if you take a look at my diagram it's IP COP hosting the S2S VPN on the UK side going to the US UTM. 

  • Can it be that IPCOP cannot route to 10.1.17.0/24?
    IPCOP is 10.1.7.254/16, so for IPCOP 10.1.17.0/24 is the same network and it will only do an ARP request (who has 10.1.17.x, tell 10.1.7.254), while it should route it to Sophos as a next hop?

    I believe the problem is in the overlapping subnets.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Rob, you said:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    I didn't see this until apijnappels mentioned it - he nailed it.  Your overlapping subnet is the problem.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the reply and suggestion but IPCOP can route to 10.1.17.0/24. 

    The SSL VPN pool is designed to be in the same network as the UK subnet to make the routing easier for IPCOP. The SSL VPN pool should be working in the same fashion as an internal user within the UK office. 

    For example, I have IP 10.1.4.2/21 and I can ping/connect to the US network (10.2.1.1/21) perfectly fine. The SSL VPN pool has 10.1.17.0/24 so it should fit within the scope to forward the packets across to the US network if the destination address is 10.2.x.x/21.  

    We're going to be retiring IPCop anyway, so I think I'll transfer the Site to Site VPN over to our UTM and hopefully that will resolve the issue. 

  • Please let us know if your tests show that the UTM still causes problems with routing because it won't answer an ARP request for an IP in a remote access subnet.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    Hello Rob, your US site does indeed know to send the SSL-VPN subnet to the UK (because 10.1.17.0/24 is included in 10.1.0.0/16), BUT... IPCOP thinks 10.1.17.0 is just in the same subnet as 10.1.0.0 and thus will only use ARP to learn the MAC address of the client. However, Sophos UTM is in between and will not pass ARP requests.

    Try to make a static route on IPCOP for 10.1.17.0/24 through gateway 10.1.0.20. Then it might just work.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks for the explanation! I've put in the routing but often with IPCOP you need to restart it for the changes to take effect. As such, I'll restart it tonight out of hours and test the configuration tomorrow. 

    Unfortunately, that hasn't worked after restarting IPCOP last night. 

    Also, looking over your comment again there may be some confusion as I'm trying to get the UK side to send to the US. Everything on the UK side is 10.1.x.x and everything on the US side is 10.2.x.x

    apijnappels said:

    Hello Rob, Your US site does indeed know to send the SSL-VPN subnet to the UK (because 10.1.17.0/24 is included in 10.1.0.0/16 BUT.... IPCOP thinks 10.1.17.0 is just in the same subnet as 10.1.0.0...


    I need the UK site to send the SSL-VPN subnet to the US, not the other way around. I wonder if that changes the routing suggestion you asked me to do? 


  • For the routing to work both sites need to know how to route to the other site.

    Do you also have a route in the Sophos UK site for 10.2.0.0/21 (US subnet)? It should send this to gateway 10.1.7.254  (IPCOP).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Yep, I added that a while ago as a gateway route. 

    The traceroute still shows that the connection stops at the UTM (10.1.17.1). 

  • In that case I'm afraid your overlapping subnet might be the reason that traffic is not properly routed.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Yes, it appears that my guess above was correct - this is still an issue with the UTM not responding to ARP requests for IPs in VPN Pools.  A quick test (and Band-Aid) to demonstrate that this is the problem would be to masq "VPN Pool (SSL)" with the IP on the UTM.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
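    As an added illustration (not code from the thread or from Sophos), the model below walks through apijnappels' explanation and Bob's masquerade band-aid using the thread's own addresses: a longest-prefix-match lookup shows why IPCOP treats a 10.1.17.x reply as on-link and ARPs for it, what the more specific 10.1.17.0/24 route via 10.1.0.20 changes, and why masquerading the SSL pool behind the UTM's LAN IP sidesteps the ARP problem. Interface names, the "s2s-tunnel" label and the client IP 10.1.17.5 are constructed assumptions; the model describes the expected lookup, not the outcome Rob observed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the thread's addresses. A route is (prefix, next hop, interface);
# next hop None means "on-link": the router ARPs for the destination itself.
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]

# Hosts that answer ARP on the UK LAN. The SSL VPN pool 10.1.17.0/24 is deliberately
# absent: those clients sit behind the UTM's tunnel interface and, per the thread,
# the UTM does not answer ARP for pool addresses.
UK_LAN_HOSTS: Dict[str, str] = {"10.1.0.20": "Sophos UTM", "10.1.7.254": "IPCOP"}

IPCOP: List[Route] = [
    (ipaddress.ip_network("10.1.0.0/16"), None, "green0"),          # connected UK LAN
    (ipaddress.ip_network("10.2.0.0/21"), "s2s-tunnel", "ipsec0"),  # site-to-site to the US
]
# apijnappels' suggestion: a more specific route for the pool via the UTM's LAN address.
IPCOP_WITH_POOL_ROUTE: List[Route] = IPCOP + [
    (ipaddress.ip_network("10.1.17.0/24"), "10.1.0.20", "green0"),
]
UK_UTM: List[Route] = [
    (ipaddress.ip_network("10.1.0.0/16"), None, "eth0"),
    (ipaddress.ip_network("10.1.17.0/24"), None, "tun0"),         # SSL VPN pool
    (ipaddress.ip_network("10.2.0.0/21"), "10.1.7.254", "eth0"),  # Rob's gateway route to IPCOP
]

def lookup(table: List[Route], dst: str) -> Tuple[str, str]:
    """Longest-prefix match: ('via', gateway) when forwarded, ('arp', iface) when on-link."""
    ip = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in table:
        if ip in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    if best is None:
        return ("unreachable", "")
    return ("via", best[1]) if best[1] else ("arp", best[2])

def reply_delivered(ipcop_table: List[Route], client_ip: str) -> bool:
    """Can IPCOP hand the US reply back towards an SSL VPN client address?"""
    action, target = lookup(ipcop_table, client_ip)
    if action == "via":
        return target in UK_LAN_HOSTS                          # next hop is a real LAN host
    return action == "arp" and client_ip in UK_LAN_HOSTS      # someone must answer the ARP

def masquerade(client_ip: str, utm_lan_ip: str = "10.1.0.20") -> str:
    """Bob's band-aid: the UTM masquerades the SSL pool behind its own LAN IP."""
    pool = ipaddress.ip_network("10.1.17.0/24")
    return utm_lan_ip if ipaddress.IPv4Address(client_ip) in pool else client_ip
```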