Possible to create IPSec VPN tunnel to a device behind the RED50?

Hello all,

Hope everyone is staying safe in these times. Warning: I'm a "newb" to Sophos items still and intermediate in networking, but I learn fast. :)

We have a remote building that uses a RED50 to tunnel back to us here at HQ. Our builder requires access to the HVAC system via VPN to their controller.  Presently the RED is configured in Standard / Unified. We have 3 Static Public IPs available for the site and I was looking at providing access to their HVAC Controller via the RED50 using one of these IPs. Can this be done and if so I assume the RED would have to be configured to Standard / SPLIT? I want to split out all of our sites anyhow, now that we are going to be using Exchange/Office Online.

  • Well "small" update. I think I'm going to have to forward the ports and set an IP from our main HQ Pool, as it is not a VPN/IPSec tunnel that they need, but rather a VPN login to the network, which is not happening unless I can create a separate VPN network for guest devices? For now I'll forward the ports for them to their device "webserver".

  • It should be straightforward to allow them to reach the HVAC controller via remote access without NATs and other messy stuff, Dave, and yet not allow them to "see" anything else.  In your diagram, I don't understand how there's a separate 192.168.x.x subnet if you only have switches and the RED is in Unified mode.  What VPN client are they using?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Let me clarify. The 192.168.X.X subnet is their default equipment setup. I'm still learning about their software in use and what the controller's requirements are. From what I read they use TCP/UDP and BACnet. This was "lovingly" dropped on my lap at the last minute (HVAC techs showed up at that new building).  They can modify the IPs as required.

    Right now I don't think I can set up a tunnel direct from their network to their HVAC Controller. The tech I spoke with stated "typically we get a VPN login and connect that way". I would love to set them up on a different subnet than what that office is using, through the RED and then create a remote access VPN user for them that only goes to that subnet. 

    Right now I used one of our spare external IPs at HQ and set up DNAT and SNAT rules pointing that IP to their HVAC controller, with the 4 ports they stated their software uses. However, this apparently doesn't give them full access to the end-points they need. If I know I can get them on a different subnet 192.168.X.X and isolate it securely from the rest of our networks, with access via the external IP and all ports open that may start. I fear, that we will have to get a full UTM 9 SG device to that office, so I can properly split out the connections. As it stands, if our ISP at HQ goes down, there won't be any access for them.

    Our office there has 4 available external IPs, if required, but again would need an SG. From what I was reading, a RED can't use tagging, if in SPLIT mode.

    -Dave

  • Dave, let's say their controller is at 10.1.2.222 inside your 10.1.0.0/22 subnet and that they want to connect via L2TP/IPsec. Create a Host definition "HVAC Controller" for that IP.  Add a user named "HVACguys" and supply them the credentials they need to connect.  If you had already configured L2TP/IPsec access, you probably made a firewall rule like 'VPN Pool (L2TP) -> Any -> Internal (Network) : Allow'.  First, put a new firewall rule in just before that one: 'HVACguys (User Network) -> {port(s) they need} -> HVAC Controller : Allow'.  Finally, between the new and old rules 'HVACguys (User Network) -> Any -> Any : Block'.

    That gets you over the first hurdle immediately.  If they have a tool on their box that can access other devices on its subnet, the first step would be to confirm that the subnet mask for their device's NIC is 255.255.255.255 and that they have the IP of your "Internal (Address)" as their default gateway.  Ultimately, you might need to create a separate subnet for them, but we don't know what they have.  They should be able to get an answer for you from the supplier of the HVAC Controller about whether it's possible for the unit to access other devices on its Ethernet segment.

    Can that work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
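The rule ordering Bob describes above, modelled as an added example (not part of the original thread and not Sophos code): a first-match evaluator over his three rules, compared with an ordering that leaves the old pool rule on top. Only 10.1.2.222 and 10.1.0.0/22 come from the thread; the VPN pool, the address assigned to HVACguys, the rule names and the BACnet/IP port (UDP 47808) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # source network as CIDR
    ports: Optional[frozenset]    # None means the "Any" service
    dst: str                      # destination network as CIDR
    action: str                   # "allow" or "block"

ANY = "0.0.0.0/0"
HVAC_CONTROLLER = "10.1.2.222/32"   # from the thread
INTERNAL_NET = "10.1.0.0/22"        # from the thread
VPN_POOL = "10.242.1.0/24"          # assumed L2TP pool
HVACGUYS = "10.242.1.50/32"         # assumed address handed to the HVACguys user
HVAC_PORTS = frozenset({("udp", 47808)})  # assumed stand-in for "{port(s) they need}"

ALLOW_HVAC = Rule("allow-hvac", HVACGUYS, HVAC_PORTS, HVAC_CONTROLLER, "allow")
BLOCK_REST = Rule("block-hvacguys", HVACGUYS, None, ANY, "block")
ALLOW_POOL = Rule("allow-vpn-pool", VPN_POOL, None, INTERNAL_NET, "allow")

CORRECT = [ALLOW_HVAC, BLOCK_REST, ALLOW_POOL]   # order given in the post
WRONG = [ALLOW_POOL, ALLOW_HVAC, BLOCK_REST]     # new rules appended after the old one

def evaluate(rules, src_ip, proto, port, dst_ip):
    """Return (action, rule name) of the first matching rule; default is block."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.ports is None or (proto, port) in r.ports)):
            return r.action, r.name
    return "block", "default"

def shadowed(rules):
    """Names of rules that can never match because an earlier rule fully covers them."""
    hidden = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            covers_ports = e.ports is None or (r.ports is not None and r.ports <= e.ports)
            if (ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(e.src))
                    and ipaddress.ip_network(r.dst).subnet_of(ipaddress.ip_network(e.dst))
                    and covers_ports):
                hidden.append(r.name)
                break
    return hidden
```

With `WRONG`, the HVACguys address still reaches every internal host because the pool rule matches first; `shadowed(WRONG)` flags the dedicated allow rule as dead, which is a quick sign that the ordering is off.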
  • Bob, thanks so much for replying. I have a potentially silly question, as I did not set up this UTM originally, am using SSL VPN (did not set up either) and don't have L2TP configured. Can I/we use multiple RA types at the same time? So if I enable and configure L2TP will it stop SSL R.A from working? Also, if I can do both and do set up L2TP, can I create a new pool, and tie that pool directly to a subnet of the HVAC devices?

    Example:

    HQ = 10.225.X.X/24  external 75.X.X.X
    RED/Remote site = 10.71.X.X/24
    Proposed HVAC subnet = 192.168.5.0/24 or 10.5.5.0/24

    So they would connect to 75.X.X.X which would direct them to 192.168.5.0/24 or 10.5.5.0/24

    Finally, if I do create the different (isolated) subnet, can I define a public DNS (1.1.1.1 or 8.8.8.8) for it OR should I let them set it manually on their controller?

  • Even easier, Dave.  The SSL VPN already offers a way to restrict a user to a single device.  Make an SSL VPN Profile with "HVACguys" as the user, "HVAC Controller" all by itself in "Local Networks" and check 'Automatic firewall rules' or use the same rule as above:  'HVACguys (User Network) -> {port(s) they need} -> HVAC Controller : Allow'.  Done.

    You'll still need to consider my second paragraph above.  If you want additional security, you could require them to use a One-Time Password (Definitions & Users >> Authentication Services).

    In any case, I would not give them a DNAT or a separate public IP for connecting.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, thank you ever ever ever so much. To clarify (as I'm a visual person), I would remove anything I have set up in FW and external IP routes and create the following (below). Would the HVAC Controller network profile be the internal range of the devices in the last screenshot (I have to either set a DHCP range for them or set them to static, from the default 192.168.X.X ones they have now)? Finally they would then get our HQ's UTM IP for SSL login and the install package we give users?



  • Looks perfect to me, Dave!

    I also have a visual-tactile learning style, so I'm right there with you 100% on pictures.  You'll see that I often ask for them rather than descriptions or just copies of the text that's in a definition.  Same with diagrams instead of descriptions of someone's topology.  It's too much work for me to make descriptions into pictures when pictures are so easy to supply.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA