
SSL VPN from Site A to Site B via RED

Hello,

I have two sites (Site A and Site B) that are connected via RED ("RED # 5").
Both sites have connectivity and can reach each other's network.

My problem is that my SSL VPN (for Site A) can access resources on Site A, but cannot access anything on Site B.


Site A

Network 192.168.0.0
SSL Network 10.81.234.0


Site B

Network 192.168.40.0
SSL Network 10.81.237.0

Within the SSL VPN settings, I allowed the following access:

Allowed network resources (IPv4)
RED # 5


Is it a firewall problem and am I simply setting the wrong rules? Or is this something with the VPN configuration itself?

Thank you.



  • ok, 

    route 192.168.40.0/32 add

    is this correct?

    It generated the following connection log:

    Mon Feb 08 11:54:37 2021 C:\Windows\system32\route.exe ADD 189.1.167.218 MASK 255.255.255.255 192.168.68.1
    Mon Feb 08 11:54:37 2021 Route addition via service succeeded
    Mon Feb 08 11:54:37 2021 C:\Windows\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.81.234.50
    Mon Feb 08 11:54:37 2021 Route addition via service succeeded
    Mon Feb 08 11:54:37 2021 C:\Windows\system32\route.exe ADD 192.168.20.0 MASK 255.255.255.0 10.81.234.50
    Mon Feb 08 11:54:37 2021 Route addition via service succeeded
    Mon Feb 08 11:54:37 2021 C:\Windows\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 10.81.234.50
    Mon Feb 08 11:54:37 2021 Route addition via service succeeded
    Mon Feb 08 11:54:37 2021 C:\Windows\system32\route.exe ADD 192.168.40.0 MASK 255.255.255.255 10.81.234.50
    Mon Feb 08 11:54:37 2021 Route addition via service succeeded
    Mon Feb 08 11:54:37 2021 C:\Windows\system32\route.exe ADD 189.1.167.218 MASK 255.255.255.255 192.168.68.1
    Mon Feb 08 11:54:37 2021 ROUTE: route addition failed using service: O objeto já existe. [status=5010 if_index=3]
    Mon Feb 08 11:54:37 2021 Route addition via service failed
    Mon Feb 08 11:54:37 2021 Initialization Sequence Completed
    Mon Feb 08 11:54:37 2021 MANAGEMENT: >STATE:1612796077,CONNECTED,SUCCESS,10.81.234.52,189.1.167.218,8443,192.168.68.114,63511

  • NO.

    Subnet mask 255.255.255.255 (or /32) describes a single host only.

    I think you need 255.255.255.0 (or /24) ... depending on your network at site B.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
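    The /32-versus-/24 point above can be checked mechanically against the client log posted earlier. The following is an added example, not code from the thread, from Sophos or from OpenVPN: it parses "route.exe ADD ... MASK ..." lines in the format the OpenVPN Windows client writes, pairs each with the success/failure line that follows, and then reports whether a given Site B host is actually covered by an installed route that points at the VPN gateway. The log lines embedded in it are constructed to mirror the ones in the thread (the public address 203.0.113.5 and the LAN gateway 192.168.68.1 are placeholders), the VPN gateway 10.81.234.50 is taken from the posted log, and the ".0 address with a /32 mask" heuristic is this example's own rule of thumb for spotting a subnet that was entered as a single host.

```python
from dataclasses import dataclass
import ipaddress
import re
from typing import List, Optional

# Matches the route lines the OpenVPN Windows client logs when it installs pushed routes.
ROUTE_ADD_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)\s*$")

# Constructed sample log, modelled on the lines posted in the thread; not a real capture.
SAMPLE_LOG = """\
Mon Feb 08 11:54:37 2021 C:\\Windows\\system32\\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.81.234.50
Mon Feb 08 11:54:37 2021 Route addition via service succeeded
Mon Feb 08 11:54:37 2021 C:\\Windows\\system32\\route.exe ADD 192.168.40.0 MASK 255.255.255.255 10.81.234.50
Mon Feb 08 11:54:37 2021 Route addition via service succeeded
Mon Feb 08 11:54:37 2021 C:\\Windows\\system32\\route.exe ADD 203.0.113.5 MASK 255.255.255.255 192.168.68.1
Mon Feb 08 11:54:37 2021 ROUTE: route addition failed using service: O objeto já existe. [status=5010 if_index=3]
Mon Feb 08 11:54:37 2021 Route addition via service failed
"""

VPN_GATEWAY = "10.81.234.50"  # the SSL VPN gateway seen in the posted log


@dataclass
class PushedRoute:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    installed: bool  # True when the following log line reported success


def parse_pushed_routes(log_text: str) -> List[PushedRoute]:
    """Pair every 'route.exe ADD' line with the result line that follows it."""
    routes: List[PushedRoute] = []
    pending: Optional[PushedRoute] = None
    for line in log_text.splitlines():
        match = ROUTE_ADD_RE.search(line)
        if match:
            dest, mask, gateway = match.groups()
            # "dest/mask" with a dotted mask is accepted by ipaddress directly.
            pending = PushedRoute(
                ipaddress.IPv4Network(f"{dest}/{mask}"),
                ipaddress.IPv4Address(gateway),
                installed=False,
            )
            continue
        if pending is not None and "Route addition via service" in line:
            pending.installed = line.rstrip().endswith("succeeded")
            routes.append(pending)
            pending = None
    return routes


def best_route(routes: List[PushedRoute], host: str) -> Optional[PushedRoute]:
    """Longest-prefix match over the routes that were actually installed."""
    addr = ipaddress.IPv4Address(host)
    candidates = [r for r in routes if r.installed and addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def covered_by_vpn(routes: List[PushedRoute], host: str, vpn_gateway: str = VPN_GATEWAY) -> bool:
    """True when traffic to `host` will be sent into the VPN tunnel."""
    route = best_route(routes, host)
    return route is not None and route.gateway == ipaddress.IPv4Address(vpn_gateway)


def suspicious_host_routes(routes: List[PushedRoute]) -> List[PushedRoute]:
    """Heuristic (this example's own): a /32 whose address ends in .0 is almost
    always a subnet that was configured with a host mask by mistake."""
    return [
        r for r in routes
        if r.network.prefixlen == 32 and str(r.network.network_address).endswith(".0")
    ]


if __name__ == "__main__":
    parsed = parse_pushed_routes(SAMPLE_LOG)
    for r in parsed:
        state = "installed" if r.installed else "FAILED"
        print(f"{str(r.network):22} via {r.gateway:15} {state}")
    for host in ("192.168.0.20", "192.168.40.10"):
        print(f"{host}: {'in tunnel' if covered_by_vpn(parsed, host) else 'NOT routed via VPN'}")
    for r in suspicious_host_routes(parsed):
        print(f"check the mask on {r.network}: /32 covers one host only")
```

    Running it against the constructed log shows 192.168.0.20 inside the tunnel but 192.168.40.10 not routed via the VPN, and flags 192.168.40.0/32; replacing the mask with 255.255.255.0 in the log makes the Site B host covered. Since the client installs whatever the UTM pushes, the place to correct the mask is the "Allowed network resources" definition on the firewall, and this check is a quick way to confirm the client received the corrected route.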

  • OK.

    Mon Feb 08 14:00:29 2021 C:\Windows\system32\route.exe ADD 192.168.40.0 MASK 255.255.255.0 10.81.234.50
    Mon Feb 08 14:00:29 2021 Route addition via service succeeded

    right?
  • looks better.
    does it work?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • The routing entries in your VPN config derive from the local networks you define for this VPN profile on your UTM. If you try to change this locally on your PC client, that will fail. You should change your central config on the UTM.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • In your firewall rule the destination zone for all networks is LAN.
    I'm not sure, but I would assume at least some of them would be VPN.

    You may try to change destination zone to LAN and VPN (or even ANY) and see if that makes a change.

    Also make sure to have the SSL VPN network from site A inside the RED tunnel between site A and site B.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • Hello Luiz,

    You've got good guys advising you here.  You might also take a look at How to allow remote access users to reach another site via a Site-to-Site Tunnel.  Doing this with a RED tunnel connection instead of a regular site-to-site VPN is much more complicated.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA