https://community.sophos.com/utm-firewall/f/vpn-site-to-site-and-remote-access/130004/ssl-vpn-site-to-site-ssl-and-remote-access-ssl-vpn-ubiquiti-edgeos-as-clientHello I have some &quot;quasi newbie&quot; question about UTM 9 site-to-site and remote access SSL VPN. We have used on UTM 9 since some years remote acces SSL with OpenVPN-clients and for Site-to-Site connections IPSec. Now we would like to change for Site-toen-USTelligent Community 12https://community.sophos.com/thread/477795?ContentTypeID=1Sat, 11 Sep 2021 20:33:47 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:4813d351-cc5b-4d82-ac76-dd8e1036b5a4BAlfson<p>That looks great,&nbsp;<span>Andr&eacute;!&nbsp; Thanks for sharing and helping the next person that needs to make the same connection.</span></p> <p><span>Cheers - Bob</span></p><div style="clear:both;"></div>https://community.sophos.com/thread/477771?ContentTypeID=1Sat, 11 Sep 2021 09:31:46 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:3b7eb367-99b3-49ff-8425-2ae49f9231c7relume<p>Hello Bob</p> <p>Many thanks for your reply and your considerations/hints. I am sorry to get back only today - I had&nbsp; some difficulty to make it work (old cached routes etc. from previous IPsec connections). Now I have some more&nbsp;clearness how the &quot;things&quot; work (also to my previous questions):</p> <p></p> <ol> <li>Port-Number and Protocol: in UTM 9.7 the settings for the port-number and protocol-type (UDP/TCP) are the same for SSL VPN Remote Access and for SSL VPN Site-To-Site. Thus if the settings are changed in one of the sections (Remote Access or Site-To-Site) the settings change for both SSL VPN types.&nbsp; Thus it is not possible to separate SSL VPN types (Remote Access or Site-To-Site) by different protocol or ports. The same is true for the SSL VPN IP pool. The IP pool setting is the same for both SSL VPN types. That is somewhat strange, as in other OpenVPN installations every SSL VPN instance can have a different port and protocol</li> <li>&nbsp;-</li> <li>SSL VPN tunnel IP space: UTM 9.7 pushs for the SSL VPN Site-To-Site a corresponding SSL VPN client a complete route where tunnel routing is comprised and SSL VPN tunnel IP space is given by the UTM from the selected SSL VPN pool (default SSL VPN IP pool 10.242.2.0/24). UTM takes 10.242.2.0 and other routers in the routing information will given randomly from this subnet. Thus SSL VPN Remote Access and SSL VPN Site-To-Site clients are sharing the same SSL VPN tunnel IP subnet. If an SSL VPN Site-To-Site profile is given a static virtual IP addresss an additional hop is comprised in the route pushed to the client. The virtual static IP can not be part of the pool.</li> <li>For the Ubiquity EdgeOS Router I was able to compose an .opvn conform conf file from the UTM .apc file by coping over the corresponding data (certs, key, user password, cipher etc.) where user and password are set in the file &quot;mysite.creds&quot; referenced in the conf-file:</li> </ol> <p></p> <p><pre class="ui-code" data-mode="text">client dev tun proto udp remote openvpn.yourserver.com 443 verify-x509-name &quot;C=XX, L=XX, O=XX, CN=XX, emailAddress=XX&quot; resolv-retry infinite remote-random nobind persist-key persist-tun ping 15 ping-restart 0 ping-timer-rem reneg-sec 0 comp-lzo yes hand-window 30 auth-user-pass /config/auth/openvpn-mysite/mysite.creds route-delay 4 verb 3 reneg-sec 0 fast-io cipher AES-128-CBC auth SHA512 &lt;ca&gt; -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- &lt;/ca&gt; &lt;cert&gt; -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- &lt;/cert&gt; &lt;key&gt; -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- &lt;/key&gt;</pre></p> <p>Best regards,</p> <p>Andr&eacute;</p><div style="clear:both;"></div>https://community.sophos.com/thread/477678?ContentTypeID=1Thu, 09 Sep 2021 18:59:46 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:26a8cd29-1ab1-445c-8500-7c9045b70691BAlfson<p>Hallo&nbsp;<span>Andr&eacute;,</span></p> <ol> <li><span>I usually use UDP 443 for SSL VPN, both S2S and Remote Access.&nbsp; UDP makes the tunnels faster than using TCP.&nbsp; Because of Google using UDP 443, packets using that port are not blocked by any European ISP that I&#39;ve heard of.</span></li> <li><span>I&#39;ve used TCP 1443 for SSL VPN in the past, but that was just to keep those tunnels clearly separated from any DNATs, and Web Server Protection where TCP 443 is what the world expects.&nbsp; In the same vein, I usually configure the User Portal on TCP 2443.</span></li> <li><span><span>If you have distinct, non-overlapping subnets, you don&#39;t need transfer nets as described in&nbsp;<u><a href="https://support.sophos.com/support/s/article/KB-000034290?language=en_US" rel="noopener noreferrer" target="_blank"><span style="font-family:Verdana, sans-serif;"><span style="font-size:small;">How to tunnel between two UTMs which use the same LAN network range</span></span></a></u></span></span><span>.</span></li> <li><span><span>I&#39;ve not had a client need to do this, so I didn&#39;t keep a record of a recommended way to solve this problem.&nbsp; If you search here, you&#39;ll find several answers.&nbsp; My preference is for IPsec using X509 authentication:&nbsp;<u><a href="https://support.sophos.com/support/s/article/KB-000037104?language=en_US&amp;c__displayLanguage=en_US" rel="noopener noreferrer" target="_blank"><span style="font-family:Arial, sans-serif;"><span style="font-size:small;"><span>How to create an IPsec Site-to-Site VPN with X509 authentication</span></span></span></a></u></span></span><span>.</span></li> <li><span>This is basically the same quest as 4.</span></li> </ol> <p><span>Cheers - Bob<br />PS One of the unwritten rules practiced here is &quot;One topic per thread&quot; as that makes it easier for others to find answers without having to start their own thread.</span></p><div style="clear:both;"></div>