
Traffic not routing back to tun0 with SSL VPN

Sophos XG 210 is NOT the default gateway on my current LAN, nor should it be.

Port 1 - 192.168.10.2/24 & 192.168.200.2/24

Port 2 - Public WAN IPs

SSL VPN 10.10.200.20/24

I am able to successfully connect to the SSL VPN, using LDAP (AD) authentication. 

From the testing VPN laptop (10.10.200.21) I can ping devices on the 192.168.10.0 and 192.168.200.0 networks. My DNS servers are 10.7 and 10.9, and I'm seeing traffic (DNS) in the firewall logs being Allowed.

Firewall rules:

Source VPN, Any Network/Device -> Destination LAN, Any Network.  Match known users Unchecked. Application Control - Allow All, all others default (None). I've also set the Application Control to None, and didn't seem to affect anything.

Source LAN, Any Network/Device -> Destination VPN, Any Network.  Match known users Unchecked. Application Control - Allow All, all others default (None). I've also set the Application Control to None, and didn't seem to affect anything.

I have both of the above firewall rules logging, but I don't see anything Denied going between these LANs/Ports.

Problem

I "think" my problem is, the machines on the 192.168.10.0 and 192.168.200.0 networks don't know how to get back to the 10.10.200.21 device.
I created a static route on one of the servers (10.10.200.0 MASK 255.255.255.0 192.168.10.2). A tracert from 192.168.200.21 to 10.10.200.21 reaches 192.168.10.2 as the first hop, but the rest of the trace is 'Request timed out.'

Do I need to create a route from my 192.168.10.2 interface to tun0?  If so, where is tun0, as I'm not seeing it anywhere.

I'm not able to RDP, or use some applications (which connect via TCP ports).  I see the initial communication, and they are Allowed from tun0 to Port1, but I don't see any return traffic (allowed or denied).



  • Couple thoughts:

     

    1.) Make sure you allow PING/PING6 under Device Access Tab (under System-->Administration) for the VPN Zone.  That will help with pings/traceroutes testing hopefully.

    Your assumption is correct,  your devices don't know how to get back to the VPN network, so...

    2.) You will need to have a route back to your Sophos VPN network range from your main LAN router/switch if your hosts' default gw is not the Sophos. If you don't do this you could also NAT your traffic from VPN to LAN by source NAT'ing communication to your LAN, making the source address be the Internal LAN Interface on the Sophos that applies to any traffic going to your LAN from the VPN.

     

    Your basic firewall rules should be enough for the traffic you're talking about (with the possible addition of the NAT'ing I mention above if you don't have routing setup). I'm also assuming your SSL VPN has the correct subnets setup for tunnel access (Permitted Network Resources has your LAN subnets listed).

    -Scott
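The return-path problem Scott describes, and both fixes (a route back to the VPN range on the LAN gateway, or source NAT to the Sophos LAN interface), can be checked with a small longest-prefix-match simulation. This is an added example, not code from the thread or from Sophos; the Sophos Port1 address and VPN client address come from the post, while the LAN gateway (192.168.10.1) and server (192.168.10.50) addresses are assumed, and the "route_on_server" case reproduces the static route the original poster tried on one server.

```python
"""Simulate the reply path from a LAN server to an SSL VPN client when the
Sophos XG is not the LAN's default gateway. Constructed example: the LAN
gateway and server addresses are assumed, not taken from the thread."""
from __future__ import annotations

import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    target: str  # "dev <iface>" (on-link) or "via <next-hop IP | uplink name>"


def R(prefix: str, target: str) -> Route:
    return Route(ipaddress.ip_network(prefix), target)


def lookup(table: list[Route], dst: str) -> Route | None:
    """Longest-prefix match, as a host or router would do it."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


VPN_CLIENT = "10.10.200.21"  # SSL VPN laptop (from the post)
SOPHOS_LAN = "192.168.10.2"  # Sophos XG Port1 (from the post)
LAN_GW = "192.168.10.1"      # the LAN's real default gateway (assumed)
SERVER = "192.168.10.50"     # a LAN server the VPN client talks to (assumed)

OWNER = {LAN_GW: "lan_gw", SOPHOS_LAN: "sophos"}  # which node answers for which IP


def base_tables() -> dict[str, list[Route]]:
    """Routing tables before any fix: only the Sophos knows 10.10.200.0/24."""
    return {
        "server": [R("192.168.10.0/24", "dev eth0"), R("0.0.0.0/0", f"via {LAN_GW}")],
        "lan_gw": [R("192.168.10.0/24", "dev lan"), R("0.0.0.0/0", "via isp")],
        "sophos": [R("192.168.10.0/24", "dev Port1"),
                   R("10.10.200.0/24", "dev tun0"),
                   R("0.0.0.0/0", "via wan")],
    }


def trace(tables, start: str, dst: str, snat: bool = False, max_hops: int = 8):
    """Follow a reply packet hop by hop and return (hops, outcome).

    With snat=True the server saw the VPN client as 192.168.10.2, so its reply
    is addressed to the Sophos, which reverses the NAT and forwards to tun0."""
    hops, node = [start], start
    for _ in range(max_hops):
        route = lookup(tables[node], dst)
        if route is None:
            return hops, "no route"
        kind, target = route.target.split()
        if kind == "via":
            if target not in OWNER:  # handed to the ISP/WAN: never comes back
                return hops, f"blackholed via {target}"
            node = OWNER[target]
            hops.append(node)
            continue
        if target == "tun0":  # on-link on the tunnel: the VPN client gets it
            hops.append("tun0")
            return hops, f"delivered to {dst}"
        if dst in OWNER:  # on-link and addressed to a router itself
            node = OWNER[dst]
            hops.append(node)
            if node == "sophos" and snat:
                dst = VPN_CLIENT  # undo the source NAT and keep forwarding
                continue
            return hops, f"delivered to {node}"
        return hops, f"delivered on-link to {dst}"
    return hops, "hop limit exceeded"


def scenario(fix: str):
    """Reply path from the server for one of: none, route_on_server,
    route_on_gateway (Scott's routing option), snat (Scott's NAT option)."""
    tables, snat = base_tables(), False
    if fix == "route_on_server":
        tables["server"].append(R("10.10.200.0/24", f"via {SOPHOS_LAN}"))
    elif fix == "route_on_gateway":
        tables["lan_gw"].append(R("10.10.200.0/24", f"via {SOPHOS_LAN}"))
    elif fix == "snat":
        snat = True
    elif fix != "none":
        raise ValueError(f"unknown fix {fix!r}")
    dst = SOPHOS_LAN if snat else VPN_CLIENT
    return trace(tables, "server", dst, snat=snat)


if __name__ == "__main__":
    for fix in ("none", "route_on_server", "route_on_gateway", "snat"):
        hops, outcome = scenario(fix)
        print(f"{fix:17s} {' -> '.join(hops):40s} {outcome}")
```

With no fix the reply follows the server's default route to the LAN gateway, which has no entry for 10.10.200.0/24 and sends it out its ISP uplink, which is exactly why the firewall log shows the inbound SYN allowed from tun0 but never any return traffic. A route on the gateway or a source NAT to the Port1 address both end at tun0; the per-server static route works too but has to be repeated on every host.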

  • Thanks Scott for confirming what I thought.

     

    I just had to adjust the VPN IP Scope (so the static route on the Default Gateway) so everything would know how to get to the VPN clients.

    Then had to adjust the Firewall rules on the server to allow the new subnet.  

     

    Working great now.