
SSL VPN clients cannot connect to local network

Dear all, I created an SSL VPN in Sophos UTM 9 and the clients connect successfully, but the VPN clients are not able to reach the local network, and the gateway is not showing in the VPN client. Please find the configuration below and help me to get this working.

Remote Access Profile

Profile name : SSL Profile

Users : james

Local network : Internal (Network)

Automatic firewall rules : yes

Log:

james/157.45.184.157:14079 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/conf.d/james
james/157.45.184.157:14079 MULTI_sva: pool returned IPv4=10.242.2.2, IPv6=(Not enabled)
id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="james" variant="ssl" srcip="157.45.184.157" virtual_ip="10.242.2.2"
james/157.45.184.157:14079 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
james/157.45.184.157:14079 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_38ce6b728f840b66da7a80b4f80af08b.tmp
james/157.45.184.157:14079 MULTI: Learn: 10.242.2.2 -> james/157.45.184.157:14079
james/157.45.184.157:14079 MULTI: primary virtual IP for james/157.45.184.157:14079: 10.242.2.2
james/157.45.184.157:14079 PUSH: Received control message: 'PUSH_REQUEST'
james/157.45.184.157:14079 send_push_reply(): safe_cap=940
james/157.45.184.157:14079 SENT CONTROL [james]: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,ifconfig 10.242.2.2 255.255.255.0' (status=1)
TCP connection established with [AF_INET]192.241.205.181:53668 (via [AF_INET]<firewall_WAN_IP>:443)
192.241.205.181:53668 Non-OpenVPN client protocol detected
192.241.205.181:53668 SIGTERM[soft,port-share-redirect] received, client-instance exiting
  • Non-OpenVPN client protocol detected

    That line comes from your logfile (second line from the bottom).

    Not sure what it means, but could it be that you have another service listening on the same port as the configured SSL VPN port? Maybe a DNAT to something that causes this.

    Which client are you using? Sophos' own SSL VPN client? If so does the traffic light turn green or is it staying yellow?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks for the reply.

I am using Sophos' own VPN client; there is no traffic at all between the VPN clients and the local network.

  • I understood that, but the Sophos client uses a traffic light icon in the traybar. If you connect does it turn green or does it stay yellow?


  • Thanks for the reply.

It's showing green and the pop-up says it is successfully connected and has been assigned an IP.

  • Okay, do you have "automatic firewall rules" ticked in the VPN-profile?

    If not, then you should have a manually created firewall rule allowing traffic from the VPN-client to your LAN.

    Can you confirm that you have either one of those?


Bad design: you have overlapping networks. Please use 172.16. instead of 10.0 for one side.

    Or use a 255.255.255.0 subnet mask for all networks.

  • Thanks for the reply.

The automatic firewall rule was enabled while creating the profile.

You are clearly connected, but your computer doesn't know the way, because the local WLAN IP range overlaps the VPN network.

    --see picture post before-

Could be, but I'm not quite sure... the routes specify the interface that should be used, and since that is 255.255.255.255 it "should" be known.
    Could you open a command prompt when connected and then type the following command:

tracert -d 192.168.1.x   (where x should be a valid IP of a server you should be able to reach).

    Give us the output of that command please.


  • Thanks for the reply.

I just changed the VPN network pool to 172.16.0.0/24 and the LAN network to 192.168.1.0/24. Now it's working fine.
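The fix above (moving the VPN pool out of the range the client's own LAN/WLAN uses) is the kind of overlap that can be checked before users report it. The following is an added example, not code from the original thread or from Sophos: it parses the PUSH_REPLY line from the log above to recover the VPN pool and the pushed routes, then tests them against the client's local subnets. The client's local WLAN range (10.0.0.0/8) is a constructed assumption for illustration, as is the second "after the fix" line with a 172.16.0.0/24 pool.

```python
import ipaddress
import re

# PUSH_REPLY line as it appears in the thread's OpenVPN log (original pool 10.242.2.0/24).
PUSH_REPLY_BEFORE = (
    "james/157.45.184.157:14079 SENT CONTROL [james]: 'PUSH_REPLY,"
    "route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,"
    "ping 10,ping-restart 120,route 192.168.1.0 255.255.255.0,"
    "dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,"
    "ifconfig 10.242.2.2 255.255.255.0' (status=1)"
)

# Constructed: what the same line would look like after moving the pool to 172.16.0.0/24.
PUSH_REPLY_AFTER = (
    "james/157.45.184.157:14079 SENT CONTROL [james]: 'PUSH_REPLY,"
    "route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,"
    "route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,"
    "ifconfig 172.16.0.2 255.255.255.0' (status=1)"
)

# Constructed assumption: the client's local WLAN hands out addresses from a wide 10.x range,
# which is what the thread's "overlapping networks" diagnosis points at.
CLIENT_LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_push_reply(line):
    """Return (vpn_pool, pushed_routes) parsed from an OpenVPN PUSH_REPLY log line.

    'ifconfig <addr> <mask>' gives the client's tunnel address and mask, from which the
    pool network is derived; each 'route <net> <mask>' is a route pushed to the client.
    """
    match = re.search(r"PUSH_REPLY,(.*?)'", line)
    if not match:
        raise ValueError("line does not contain a PUSH_REPLY")
    pool = None
    routes = []
    for option in match.group(1).split(","):
        parts = option.strip().split()
        if not parts:
            continue
        if parts[0] == "ifconfig" and len(parts) == 3:
            # strict=False lets a host address (10.242.2.2/24) collapse to its network.
            pool = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "route" and len(parts) >= 3:
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return pool, routes


def find_overlaps(local_nets, pool, routes):
    """Return (label, pushed_net, local_net) for every pushed prefix that overlaps a local one.

    An overlapping pool or route means the client has two candidate paths for the same
    destination, which is why the tunnel shows green yet LAN hosts stay unreachable.
    """
    conflicts = []
    candidates = [("vpn-pool", pool)] + [("route", r) for r in routes]
    for label, net in candidates:
        if net is None:
            continue
        for local in local_nets:
            if net.overlaps(local):
                conflicts.append((label, str(net), str(local)))
    return conflicts


def check_push_reply(line, local_nets=CLIENT_LOCAL_NETS):
    """Convenience wrapper: parse one log line and report its overlaps."""
    pool, routes = parse_push_reply(line)
    return find_overlaps(local_nets, pool, routes)


if __name__ == "__main__":
    for name, line in (("before", PUSH_REPLY_BEFORE), ("after", PUSH_REPLY_AFTER)):
        print(name, check_push_reply(line) or "no overlap")
```

Running the block prints one overlap for the original pool (10.242.2.0/24 inside 10.0.0.0/8) and none once the pool has been moved to 172.16.0.0/24; the same check can be pointed at a client's actual local subnets (from `ipconfig` or `ip addr`) before rolling out a pool change.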
