Hello
I run a UTM 9 and everything works quite well. But I have a question about a remote access configuration to two different networks over the same remote access connection.
Right now, I have a remote connection to the internal network (A), let’s say 192.168.23.0/24. This is accessible via the Sophos VPN Client and I can connect to the terminal server.
I also have an IPsec connection to an external network (B), let’s say 10.10.100.0/24. The PCs and servers in B are members of the domain network of A and I can ping and RDP them from A.
My goal is to have a remote connection to B as well, so I can RDP to a server in A and in B.
Sorry, German speaker.
Can somebody help?
Okay, between A and B there is an IPsec site-to-site connection.
SITE-TO-SITE CONNECTION
From Sophos (A) configure the site to site like this:
Local networks:
The easiest solution is to make sure that network B is also inside the Remote client VPN networks so the VPN client knows to send the traffic to the UTM.
Also, in the IPsec tunnel between A and B the IP network of the remote VPN clients should be listed, so site B knows to send traffic for your remote SSL clients to site A over the IPsec connection.
If that is not possible, then you can only create an SNAT rule in the site A firewall. You must still make sure that site B's network is inside the remote VPN profile, and you can create an SNAT rule:
Traffic from: Remote VPN Network Pool
Going to: Site B subnet
Change Source to: Internal (Address)
Also make sure to tick 'Rule applies to IPsec packets' under advanced with the NAT rule.
That way the firewall will change the source address of your remote VPN users from 10.242.x.y to 192.168.23.x, and that will travel to the firewall.
Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT-security challenges.
Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Hi
I inserted the VPN Pool (SSL) into the local networks of the IPsec connection. Then I opened a second phase 2 on the other side (OPNsense). The tunnel came up and everything shows green on Sophos.
Then I opened the Sophos VPN client and tried to connect directly to a server on net B. No success. But I still can connect to a server on net A.
Did you also include subnet for site B in "Local networks" for the SSL VPN profile?
Edit: And you should of course also create a firewall rule to allow the traffic from VPN Pool to Site B network.
Yes I did
You may want to also tick 'automatic firewall rules' or manually create a firewall rule to allow the traffic.
Still no success :-(
You may also tick Auto firewall rules on the SSL VPN profile. There are two checkboxes, one for IPsec and one for SSL VPN.
This is the situation. I took everything back to the original basic configuration. Perhaps we can start from scratch?
Remote networks:
From Net SDL (B) configure the site to site like this:
SSL Remote VPN
Configure the SSL VPN profile on Sophos with the following subnets:
That should at least bring up all the VPN connections. If you tick Automatic firewall rule on both IPsec and Remote SSL VPN, that should also allow all traffic between all the subnets in Sophos.
Check all subnets for non-overlap
You must also check that you have no overlapping subnets, so check:
None of these must overlap, otherwise there will be routing issues. If you don't know whether or not there is overlap, then you can post the subnets in use here so we can check for overlap.
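As an added example (not from the thread, and not Sophos code), the script below models the address sets the answers above work with. It does the overlap check from the last step and traces one packet from an SSL VPN client to site B through the three configurations discussed: site B missing from the SSL VPN profile, the pool added to the IPsec tunnel's local networks, and the SNAT fallback with 'Rule applies to IPsec packets'. Site A and B are the thread's example networks; the SSL pool 10.242.2.0/24 and the UTM internal address 192.168.23.1 are assumptions, and treating the IPsec-aware SNAT as "NAT before the tunnel selector is consulted" is a deliberate simplification of what the UTM does.

```python
"""
Added example (not from the thread above): a small model of the address sets
the answer works with, used to (1) check the subnets for overlap and
(2) trace whether a packet from an SSL VPN client to site B is carried by
the A<->B IPsec tunnel, with or without the SNAT rule.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample addressing. Site A and B come from the thread; the SSL
# pool and the UTM's internal address are assumptions for this example.
SITE_A = "192.168.23.0/24"          # internal network behind the UTM (site A)
SITE_B = "10.10.100.0/24"           # network behind the IPsec peer (site B)
SSL_POOL = "10.242.2.0/24"          # SSL VPN client pool (assumed)
UTM_INTERNAL_ADDR = "192.168.23.1"  # 'Internal (Address)' used by the SNAT rule (assumed)


def find_overlaps(subnets):
    """Return the pairs of subnets that overlap; an empty list is what we want.
    Overlapping pools cause exactly the routing trouble the thread warns about."""
    nets = [ip_network(n) for n in subnets]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


class IpsecTunnel:
    """Site-to-site connection as seen from site A: a packet is only put into
    the tunnel if its source matches a 'local network' and its destination a
    'remote network'. Site B's return traffic must match the mirror image."""

    def __init__(self, local_networks, remote_networks):
        self.local = [ip_network(n) for n in local_networks]
        self.remote = [ip_network(n) for n in remote_networks]

    def selector_matches(self, src, dst):
        return any(src in n for n in self.local) and any(dst in n for n in self.remote)


def route_client_packet(client_routes, tunnel, snat, src, dst):
    """Trace one packet from an SSL VPN client.

    client_routes: the 'Local networks' of the SSL VPN profile (pushed to the client)
    tunnel:        the A<->B IpsecTunnel configured on the UTM
    snat:          None, or {'from': net, 'to': net, 'change_source_to': addr}
                   modelling an SNAT rule with 'Rule applies to IPsec packets'
                   ticked (simplification: NAT is applied before the tunnel
                   selector is consulted)
    Returns (verdict, source address site B sees or None).
    """
    src, dst = ip_address(src), ip_address(dst)
    if not any(dst in ip_network(n) for n in client_routes):
        # The client never sends it into the SSL tunnel at all.
        return "client uses its default route; packet never reaches the UTM", None
    if snat is not None and src in snat["from"] and dst in snat["to"]:
        src = snat["change_source_to"]
    if not tunnel.selector_matches(src, dst):
        return "no IPsec selector matches; dropped or routed in the clear", None
    return "sent through the IPsec tunnel", str(src)


def scenarios(src="10.242.2.5", dst="10.10.100.10"):
    """The configurations discussed in the thread, side by side."""
    tunnel_a_only = IpsecTunnel([SITE_A], [SITE_B])
    tunnel_with_pool = IpsecTunnel([SITE_A, SSL_POOL], [SITE_B])
    snat = {"from": ip_network(SSL_POOL), "to": ip_network(SITE_B),
            "change_source_to": ip_address(UTM_INTERNAL_ADDR)}
    return {
        # site B missing from the SSL VPN profile: the client never tries
        "b_not_in_ssl_profile": route_client_packet([SITE_A], tunnel_a_only, None, src, dst),
        # profile fixed, but pool neither in the tunnel nor NATed
        "pool_not_in_tunnel": route_client_packet([SITE_A, SITE_B], tunnel_a_only, None, src, dst),
        # preferred fix: pool added to the tunnel's local networks (and B's phase 2)
        "pool_in_tunnel": route_client_packet([SITE_A, SITE_B], tunnel_with_pool, None, src, dst),
        # fallback: SNAT to the UTM's internal address, tunnel unchanged
        "snat_fallback": route_client_packet([SITE_A, SITE_B], tunnel_a_only, snat, src, dst),
    }


if __name__ == "__main__":
    print("overlaps:", find_overlaps([SITE_A, SITE_B, SSL_POOL]))
    for name, result in scenarios().items():
        print(f"{name:24s} -> {result}")
```

Run it as-is to see the four verdicts; swap in your own pool and site networks to reproduce the overlap check the answer asks for. The trace makes the two fixes explicit: either the pool itself appears in the tunnel selectors on both ends, or the SNAT rule rewrites the client source into site A's network so the existing selector (and site B's return route) already covers it.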
Thanks a lot, this helped me a lot. Together with community.sophos.com/.../utm9-vpn-client-verbindung-mit-mehreren-netzwerken
So the connection is established. Only I get a dark screen :-) But this is another issue now.