
Multiple VPNs with Single VPN client

Hello,

We have multiple accounts/VPCs for AWS and we use UTM as our main entry point to all the VPCs. We have SSL VPN to log in to the EC2 instances.

The problem is that we have to disconnect from one VPN to go to the other VPN. We are using the Sophos VPN client. Is there a way to connect to multiple VPNs (in Sophos) with the same Sophos client? We are using non-overlapping subnets in all the VPCs.


Thanks,



  • I'm sorry, Vibhor, but I can't "see" your topology.  Are you logging into the SSL VPN on different UTMs in AWS or just other instances that also offer an OpenVPN connection?  Why do you have to disconnect from one VPN to go to another?  Why did you mention that there are no overlapping subnets in your combined VPCs?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Hope you are doing well.

    1. Are you logging into the SSL VPN on different UTMs in AWS? => I'm logging in to different SSL VPNs in different AWS accounts/VPCs for different projects/customers.

    2. Why do you have to disconnect from one VPN to go to another? => To access hosts in one VPC from another I have to move/log in to the respective VPN, which I can do for only one at a time at the moment.

    3. Why did you mention that there are no overlapping subnets in your combined VPCs? => All the VPCs' CIDRs are non-overlapping in case we have to do VPC peering; that's why I mentioned that none of the VPCs has the same CIDR range, to avoid confusion for the UTM.


    Thanks,

  • There's still not enough precise detail for me to be sure, so I'll just make some guesses... If your UTM in AWS has access to all of the subnets, I would VPN to it and not to the individual devices.  If it doesn't have direct access, you could configure site-to-site tunnels between the UTM and each device.  If you're connecting to other UTMs, use the approach described in How to allow remote access users to reach another site via a Site-to-Site Tunnel.  Any luck with any of those ideas?

    Cheers - Bob

  • Hi Bob,

    I have tried drawing a diagram of my topology. At present I can connect to VPN1, VPN2, VPN3 or VPN4 only one at a time; I want to connect to them simultaneously so that I can access hosts in VPC1 as well as VPC2 or VPC3 without losing the connection to the other hosts.

    So my question is: is it doable with the Sophos VPN client to connect to multiple VPNs at a time, or is it a limitation we cannot overcome? We have to keep jumping between various VPNs to support different apps in different VPCs.

  • You're right, Vibhor, you can connect only to a single SSL VPN server at a time.  Using the link in my previous post, I would establish IPsec tunnels from a single UTM to each of the ones you want to reach.  In that way, you can reach all of the subnets by VPNing into a single UTM.

    Cheers - Bob

  • Thanks Bob,

    So what I get is that I have to set up an IPsec VPN between the two Sophos UTMs, or for that matter all of them, so that I can connect to one Sophos VPN and be able to access the other VPCs' instances as well without having to log off.

    I have one more question: wouldn't this IPsec tunnelling interfere with the DNS subsystem, as each VPC has its own Route 53 DNS and hosted zones, but non-overlapping CIDRs?

    And do we have a more detailed link for setting up IPsec tunnelling? I'm still learning Sophos and am in the early stages of that learning process.

  • I have one more question: wouldn't this IPsec tunnelling interfere with the DNS subsystem, as each VPC has its own Route 53 DNS and hosted zones, but non-overlapping CIDRs?

    If you're using the SSL VPN client, there are only two DNS IPs on the 'Remote Access >> Advanced' page, so I'm not sure how there could be any interference.

    In the main UTM, SSL VPN Remote Access would be configured with 'Local Networks' containing however many CIDRs it takes to cover all of the other UTMs you need to reach.  I would suggest changing "VPN Pool (SSL)" in this UTM to 10.242.102.0/24 to avoid any potential conflict with SSL VPNs in the other UTMs.

    The only tricky part is if the "Main" UTM is also in AWS.  On the 'IPsec >> Advanced' tab, in 'Preshared Key Settings', select "IP Address" and in 'VPN ID', put the fixed public IP that your instance uses.  Select 'Enable probing of preshared keys'.

    In this UTM, the IPsec Connections should use a unique PSK for each of the other UTMs and 'Local Networks' would contain "VPN Pool (SSL)."  Select 'Type: Respond only' in each of the Remote Gateways and add the IPs/subnets you need to reach at each 'Remote Networks'.

    In each of the other UTMs, you will configure a Network definition called "VPN Pool Main (SSL)" for 10.242.102.0/24.  You will want to add that to 'Allowed Networks' in 'WebAdmin Settings' and on the 'Shell Access' tab of 'System Settings'.  In the IPsec Connection, 'Local Networks' contains the IPs/subnets you need to reach there.  In the 'Remote Gateway', select 'Type: Initiate connection' and add the new "VPN Pool Main (SSL)" object to 'Remote Networks'.

    I did that pretty quickly, so please let me know if this works for a test site.

    EDIT 6 hours after I posted this: Ahh, I see your question about DNS now.  If you need to access resources by FQDN at those remote sites, you will also need a Host with a DNS Hostname entry in the Main UTM for each FQDN you will want to use.  Either that, or you will need a Request Route for each domain name and server.

    Cheers - Bob

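As an added illustration of the hub-and-spoke layout Bob describes (not code from the thread or from Sophos), the script below builds the per-UTM 'Local Networks'/'Remote Networks' objects from a constructed address plan and checks that every range routed through the main UTM is disjoint. The VPC CIDRs, UTM names and the 10.242.2.0/24 "factory default" spoke pool are assumptions; the 10.242.102.0/24 main pool is the one suggested above.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample address plan (not taken from the thread): the VPC CIDRs behind each
# spoke UTM, plus the re-numbered SSL VPN pool Bob suggests for the main UTM.
MAIN_SSL_POOL = "10.242.102.0/24"
# Assumed factory-default "VPN Pool (SSL)" still in use on the spoke UTMs.
DEFAULT_SSL_POOL = "10.242.2.0/24"
SPOKE_VPCS = {
    "utm-vpc1": ["10.10.0.0/16"],
    "utm-vpc2": ["10.20.0.0/16"],
    "utm-vpc3": ["10.30.0.0/16", "172.16.8.0/22"],
}

def find_overlaps(labelled_cidrs):
    """Return (label_a, label_b) for every pair of CIDRs that overlap."""
    nets = [(label, ip_network(cidr)) for label, cidr in labelled_cidrs]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]

def find_conflicts(main_pool, spoke_vpcs, spoke_pool=DEFAULT_SSL_POOL):
    """Every range routed through the main UTM must be disjoint: its SSL pool and all spoke
    VPC CIDRs. The pool each spoke still hands to its own SSL clients only needs to stay
    clear of the main pool; leaving both at the default is the collision Bob warns about."""
    routed = [("main pool", main_pool)]
    for name, vpcs in spoke_vpcs.items():
        routed += [(f"{name}:{cidr}", cidr) for cidr in vpcs]
    conflicts = find_overlaps(routed)
    if ip_network(spoke_pool).overlaps(ip_network(main_pool)):
        conflicts += [("main pool", f"{name} pool") for name in spoke_vpcs]
    return conflicts

def build_plan(main_pool, spoke_vpcs):
    """Per-UTM objects in the layout Bob describes. Main UTM: SSL Remote Access 'Local
    Networks' covering every spoke VPC, and one 'Respond only' IPsec connection per spoke
    (Local = main SSL pool, Remote = that spoke's VPCs). Each spoke: one 'Initiate
    connection' tunnel (Local = its VPCs, Remote = main pool) and the main pool allowed
    in WebAdmin / Shell Access."""
    return {
        "main": {
            "ssl_remote_access_local_networks": sorted(c for v in spoke_vpcs.values() for c in v),
            "ipsec": {name: {"type": "Respond only", "local": [main_pool], "remote": vpcs}
                      for name, vpcs in spoke_vpcs.items()},
        },
        "spokes": {name: {"type": "Initiate connection", "local": vpcs, "remote": [main_pool],
                          "webadmin_shell_allowed_from": [main_pool]}
                   for name, vpcs in spoke_vpcs.items()},
    }
```

Running `find_conflicts(DEFAULT_SSL_POOL, SPOKE_VPCS)` shows why the main pool has to be re-numbered: with the default left in place, every spoke's own SSL pool collides with it.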