
SSL VPN/UTM Routing to Internal Gateway

Hi all,

 

I'm trying to set up routing on the Sophos UTM so it can ping a server at our US site. I can see through the tracert on the UTM that it's using the external gateway address, whereas I need it to use our internal gateway, as that also hosts our site-to-site VPN. 

Is there any way I can do this? 

Any help would be appreciated. 


Regards,

 

Rob



  • Try to add a gateway-route within UTM.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • That can be done, Dirk, but it would require binding the tunnel to a specific WAN connection.  Even then, I'm not sure the configuration daemon would build the right rules to be able to reach the public IP.  I've had problems with that in the past.

    I'd be interested in knowing if Dirk's idea would work without binding the tunnel to the WAN interface if the route were a Gateway Route like '{remote public IP} via {remote IP on the LAN interface in the tunnel}'.

    Rob, if your goal is just to see if the tunnel is functioning, why not ping the IP on the LAN interface of the other tunnel endpoint?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, if you take a look at my diagram it's IPCop hosting the S2S VPN on the UK side going to the US UTM. 

  • Can it be that IPCop cannot route to 10.1.17.0/24?
    IPCop is 10.1.7.254/16, so for IPCop 10.1.17.0/24 is the same network, so it will only do an ARP request (who has 10.1.17.x, tell 10.1.7.254) while it should route it to Sophos as a next hop?

    I believe the problem is in the overlapping subnets.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Rob, you said:

    LAN = 10.1.0.0/16

    SSL VPN POOL = 10.1.17.0/24

    I didn't see this until apijnappels mentioned it - he nailed it.  Your overlapping subnet is the problem.

    Cheers - Bob

  • Thanks for the reply and suggestion, but IPCop can route to 10.1.17.0/24. 

    The SSL VPN pool is designed to be in the same network as the UK subnet to make the routing easier for IPCOP. The SSL VPN pool should be working in the same fashion as an internal user within the UK office. 

    For example, I have IP 10.1.4.2/21 and I can ping/connect to the US network (10.2.1.1/21) perfectly fine. The SSL VPN pool has 10.1.17.0/24 so it should fit within the scope to forward the packets across to the US network if the destination address is 10.2.x.x/21.  

    We're going to be retiring IPCop anyway, so I think I'll transfer the Site to Site VPN over to our UTM and hopefully that will resolve the issue. 

  • Please let us know if your tests show that the UTM still causes problems with routing because it won't answer an ARP request for an IP in a remote access subnet.

    Cheers - Bob

  • Hello Rob, your US site does indeed know to send the SSL-VPN subnet to the UK (because 10.1.17.0/24 is included in 10.1.0.0/16), BUT IPCop thinks 10.1.17.0 is just in the same subnet as 10.1.0.0 and thus will only use ARP to learn the MAC address of the client. However, the Sophos UTM is in between and will not pass ARP requests.

    Try to make a static route on IPCop for 10.1.17.0/24 through gateway 10.1.0.20. Then it might just work.


  • Thanks for the explanation! I've put in the routing, but often with IPCop you need to restart it for the changes to take effect. As such, I'll restart it tonight out of hours and test the configuration tomorrow. 

  • Unfortunately, that hasn't worked after restarting IPCop last night. 

    Also, looking over your comment again, there may be some confusion, as I'm trying to get the UK side to send to the US. Everything on the UK side is 10.1.x.x and everything on the US side is 10.2.x.x.

    apijnappels said:

    Hello Rob, Your US site does indeed know to send the SSL-VPN subnet to the UK (because 10.1.17.0/24 is included in 10.1.0.0/16 BUT.... IPCOP thinks 10.1.17.0 is just in the same subnet as 10.1.0.0...

     

    I need the UK site to send the SSL-VPN subnet to the US, not the other way around. I wonder if that changes the routing suggestion you asked me to do? 

  • For the routing to work both sites need to know how to route to the other site.

    Do you also have a route in the Sophos UK site for 10.2.0.0/21 (US subnet)? It should send this to gateway 10.1.7.254 (IPCop).


  • Yep, I added that a while ago as a gateway route. 

    The traceroute still shows that the connection stops at the UTM (10.1.17.1). 

  • In that case I'm afraid your overlapping subnet might be the reason that traffic is not properly routed.


  • Yes, it appears that my guess above was correct - this is still an issue with the UTM not responding to ARP requests for IPs in VPN Pools.  A quick test (and Band-Aid) to demonstrate that this is the problem would be to masq "VPN Pool (SSL)" with the IP on the UTM.

    Cheers - Bob

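
The ARP-versus-route behaviour apijnappels describes (static route for the pool via the UTM) and the masquerade band-aid Bob proposes, worked through in a small Python model. This is an added example, not code posted in the thread or shipped with IPCop or the Sophos UTM. It assumes the UTM's LAN address is 10.1.0.20 (the gateway in apijnappels's suggested route), a constructed pool client at 10.1.17.5, and that the UTM answers ARP for its own LAN address but not for addresses in its remote-access pool; it models only IPCop's route selection and the ARP step on the UK LAN, nothing about what the UTM does with a packet once it arrives.

```python
"""Why a VPN pool carved out of the LAN prefix breaks the return path.

Constructed model of the thread's topology (not the real device configs):
  LAN           10.1.0.0/16  connected on IPCop's LAN interface (IPCop = 10.1.7.254)
  SSL VPN pool  10.1.17.0/24 terminated on the Sophos UTM (UTM LAN IP assumed 10.1.0.20)
  US site       10.2.0.0/21  behind IPCop's site-to-site tunnel
"""
import ipaddress
from typing import List, Optional, Tuple

Network = ipaddress.IPv4Network
Address = ipaddress.IPv4Address
Route = Tuple[Network, Optional[Address]]  # (prefix, next hop); None = connected

LAN = ipaddress.IPv4Network("10.1.0.0/16")
POOL = ipaddress.IPv4Network("10.1.17.0/24")
UTM_LAN_IP = ipaddress.IPv4Address("10.1.0.20")    # assumed, as in the thread
IPCOP_LAN_IP = ipaddress.IPv4Address("10.1.7.254")
LAN_HOST = ipaddress.IPv4Address("10.1.4.2")        # Rob's working LAN client
VPN_CLIENT = ipaddress.IPv4Address("10.1.17.5")     # constructed pool client
US_HOST = ipaddress.IPv4Address("10.2.1.1")

# Addresses that answer ARP on the UK LAN segment. The UTM answers for its own
# LAN address but not for addresses in its remote-access pool (the thread's
# diagnosis), so no 10.1.17.x address appears here.
LAN_ARP_RESPONDERS = {UTM_LAN_IP, IPCOP_LAN_IP, LAN_HOST}

# IPCop's table as Rob first had it: only the connected /16.
BASE_TABLE: List[Route] = [(LAN, None)]
# The same table after apijnappels's suggested static route for the pool.
WITH_STATIC_ROUTE: List[Route] = BASE_TABLE + [(POOL, UTM_LAN_IP)]


def lookup(table: List[Route], dst: Address) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    candidates = [r for r in table if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def arp_target(table: List[Route], dst: Address) -> Optional[Address]:
    """Address IPCop must resolve with ARP to forward a packet to dst.

    A connected route means "dst is on this wire": IPCop ARPs for dst itself.
    A route with a next hop means IPCop ARPs for the gateway instead.
    """
    match = lookup(table, dst)
    if match is None:
        return None
    _, gateway = match
    return dst if gateway is None else gateway


def reply_reaches(table: List[Route], dst: Address) -> bool:
    """Does a reply arriving from the US tunnel get off IPCop's LAN interface?"""
    target = arp_target(table, dst)
    return target is not None and target in LAN_ARP_RESPONDERS


def masqueraded_source(client: Address) -> Address:
    """Bob's band-aid: masquerade the pool behind the UTM's LAN address, so the
    US side only ever replies to an address the UTM does answer ARP for."""
    return UTM_LAN_IP if client in POOL else client


if __name__ == "__main__":
    for name, table in (("connected /16 only", BASE_TABLE),
                        ("with 10.1.17.0/24 via 10.1.0.20", WITH_STATIC_ROUTE)):
        print(f"{name}: LAN host -> ARP for {arp_target(table, LAN_HOST)}, "
              f"reply ok={reply_reaches(table, LAN_HOST)}; "
              f"pool client -> ARP for {arp_target(table, VPN_CLIENT)}, "
              f"reply ok={reply_reaches(table, VPN_CLIENT)}")
    masq = masqueraded_source(VPN_CLIENT)
    print(f"masqueraded pool client appears as {masq}, "
          f"reply ok={reply_reaches(BASE_TABLE, masq)}")
```

With only the connected /16, a reply for 10.1.17.5 makes IPCop ARP for the pool address itself, which nothing on the wire answers, while a reply for 10.1.4.2 works as Rob observed. The /24 static route wins longest-prefix match over the /16, so IPCop would ARP for the UTM's own address instead; Rob reported that this still did not help in his setup, and this model cannot say why, since it stops at the ARP step. The masquerade case shows the diagnostic Bob describes: once the pool is hidden behind 10.1.0.20, the return path never depends on an address the UTM refuses to answer for.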