
Sophos XG210 to XG125 RED TUNNEL - SSL VPN from one XG could not access the other XG's network.

Hello,


I have successfully connected an XG210 and an XG125 with a RED site-to-site tunnel. From the network of the XG210 (10.69.95.0) I can ping the network of the XG125 (10.69.94.0).

But when a client connects via SSL VPN on the XG210, he cannot ping the network of the XG125; he can only ping the XG210 network. The same goes for the users connecting to the XG125 via SSL VPN: they cannot ping the XG210 network and can only access the XG125 network.


Are there any tips to permit the traffic to pass the RED tunnel from SSL VPN?


Thank you.


Regards,


Viken NAJARIAN



  • Hello, First of all, is it a RED or a site-to-site?

    If it's a RED (meaning you have extra RED interfaces on your networks) you have to do the following:

    Make a lan to lan accept rule on your firewall

    Make a lan to vpn and a vpn to lan accept rule on your firewall

    Maybe group them with a name VPN&RED to keep things tidy.

    This should be done on both XGs.


    Most important:

    You have to make a unicast rule on all SFOS devices. Go to Configure > Routing and under IPv4 unicast rule add one with the following:

    From the 210 add destination IP 10.69.94.0, gateway the RED 125 IP (192.168.250.253 if I understand) and interface the RED interface.

    From the 125 add destination IP 10.69.95.0, gateway the RED 210 IP (192.168.250.254 if I understand) and interface the RED interface.


    Should work instantly, both via LAN and via VPN. I'm using the same setup with 3 XGs with SSL VPN & RED and 192.168.x.x for all my networks, and it's working fine.

  • Hello, thank you for your answer.

    The goal was to connect both XG to have the networks to communicate with each other.

    I first tried to make it work with RED, thinking it was the faster and easier option. Then I deleted the RED tunnel because of this SSL VPN problem and I created a site-to-site IPSec tunnel between the 2 XGs.

    I did all you said except the LAN to LAN accept rule, because I have VLANs and I can't make a rule like "LAN to LAN accept any" because of some VLAN restrictions.

    I just created rules like that:

    I created a new zone named RED.

    Firewall rules:

    Red zone to Lan zone accept any

    Lan zone to Red zone accept any

    Vpn zone to Red zone accept any

    Red zone to Vpn zone accept any

    Created the static routes on both XGs with the right RED IP gateway and interface.

    I just have to say that I can reach the XG125 network from the XG210 network with no problem; the routing is working well. The only thing which doesn't work is when I try to reach the XG125 network while connected with SSL VPN on the XG210, and vice versa.

    This is now working after deleting the RED configuration and creating a site-to-site IPSec VPN tunnel between the two XGs.

    Is there any disadvantage to using an IPSec tunnel instead of RED to connect the two XGs?

    Thank you.

  • Probably the VPN>RED and RED>VPN should be VPN>LAN & LAN>VPN, as you already have forward rules for LAN>RED and back. Just make sure the VPN<>LAN rules are above the LAN<>RED rules and report back. I'm not on VLANs so I can't test for sure. RED is a Remote Ethernet Device, so in simple words it's like plugging a switch into your network, only it's from the internet. With XG REDs (not native REDs) I haven't seen any real difference.

  • I have created VPN>LAN and LAN>VPN rules as well but it still doesn't work. From SSL VPN I couldn't even ping the RED IP, while when I'm connected directly on the XG210 or XG125 I can ping the RED IP.

  • Did you check the dump?

    Sounds like the route to the VPN network does not exist on the XG125.

    If you enable MASQ on both rules, does it work?

  • I agree with you for the dump... But well... 

    I enabled MASQ on both rules and it still doesn't work...


    I give up on making the RED work. I will rebuild my IPSec site-to-site VPN, which sounds better because I have multiple WANs on both sides and an IPSec site-to-site can fail over between the different WANs, while RED could only fail over on the server side and not on the client side.


    Thank you all for your help.


  • Now I understood what the problem is!

    I had the same problem. The solution is to use a totally different IP range (and a different subnet) for your VPN lease on one of the 2 XGs. Because by default all the XGs have the same VPN lease range, it doesn't route properly. You can change that on Configure > VPN > Show VPN settings, VPN lease. Just change it on one of the 2 (preferably the remote one, because you don't have a reason to connect directly to that via VPN) to another range and you should be ok.
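
The two points raised so far, that the remote XG may lack a route back to the SSL VPN pool and that both XGs default to the same lease range, can be checked against a small routing model. This is an added example, not anything from the thread or from Sophos: it uses the thread's LAN subnets, VPN lease ranges and unicast routes, while the route-table layout, the interface names (`lan`, `sslvpn`, `red`, `wan`) and the absence of NAT/MASQ are assumptions.

```python
"""Constructed model of the two-XG RED routing discussed in the thread (added example)."""
from ipaddress import ip_address, ip_network

# Addresses come from the thread; route tables and interface names are assumptions.
SITES = {
    "XG210": {"lan": ip_network("10.69.95.0/24"), "vpn_pool": ip_network("10.81.233.0/24"),
              # unicast route to the remote LAN via the RED interface (gateway 192.168.250.253)
              "routes": {ip_network("10.69.94.0/24"): "red"}},
    "XG125": {"lan": ip_network("10.69.94.0/24"), "vpn_pool": ip_network("10.81.234.0/24"),
              "routes": {ip_network("10.69.95.0/24"): "red"}},
}

def lookup(site, dst):
    """Longest-prefix match over connected networks plus static routes; no match = default via WAN."""
    cfg = SITES[site]
    table = {cfg["lan"]: "lan", cfg["vpn_pool"]: "sslvpn", **cfg["routes"]}
    addr = ip_address(dst)
    best = max((n for n in table if addr in n), key=lambda n: n.prefixlen, default=None)
    return table[best] if best is not None else "wan"

def flow_ok(src_site, src, dst_site, dst):
    """Without NAT a flow only works if BOTH directions are sent into the RED tunnel."""
    return lookup(src_site, dst) == "red" and lookup(dst_site, src) == "red"

def pools_overlap(pool_a=None, pool_b=None):
    """Identical default SSL VPN lease ranges on both XGs cannot be routed apart."""
    a = ip_network(pool_a) if pool_a else SITES["XG210"]["vpn_pool"]
    b = ip_network(pool_b) if pool_b else SITES["XG125"]["vpn_pool"]
    return a.overlaps(b)

def missing_return_routes():
    """Remote SSL VPN pools a site cannot send back over RED: replies leak to the default route."""
    pairs = (("XG210", "XG125"), ("XG125", "XG210"))
    return [(site, str(SITES[other]["vpn_pool"]))
            for site, other in pairs
            if lookup(site, SITES[other]["vpn_pool"].network_address) != "red"]

def add_return_routes():
    """Add the missing unicast routes for the remote VPN pool on each XG and return them."""
    added = []
    for site, pool in missing_return_routes():
        SITES[site]["routes"][ip_network(pool)] = "red"
        added.append((site, pool))
    return added
```

With only the LAN-to-LAN unicast routes in place, LAN<->LAN traffic passes while an SSL VPN client's packets reach the remote LAN but the replies fall to the default route; adding the return routes makes the model's VPN flow succeed.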

  • Hello,


    This is what I've done. The XG210 SSL VPN range is 10.81.233.0/24 and the XG125 SSL VPN range is 10.81.234.0/24, but the problem was still present.

  • Ok, there has to be something in the configuration gone wrong. I have the same setup with 2 REDs (all XG, not native REDs) and it's working properly.

    We'll go baby steps.

    First of all, make sure both XGs have the same firmware and pattern updates.

    Make sure the time is correct on both.

    Reboot both devices.

    Second step. Initiate a RED connection between the XGs. The step is pretty straightforward: you should just have a green connection and be able to ping all your networks from inside on BOTH sites. Remember the unicast rules and the LAN to LAN rules.

    Third step. Create a VPN profile and in tunnel access add your networks (e.g. central network 192.168.1.0/24, remote site 192.168.2.0/24).

    Next step: add a firewall rule VPN to LAN. The VPN to LAN rule should have source VPN-any, destination LAN (of course) and as destination networks your networks (central, remote site). Do that on both XGs. Also a LAN to VPN rule on the central one (any any, no MASQ).

    On VPN Settings leave one lease range at the default and make the other 10.81.244.5 (same as mine; I did it on the remote site). Don't know if it makes a difference, but it's worth trying.


    Quick question: how do you communicate with the RED network when you don't have a LAN>LAN rule because of VLANs?

  • Hello,


    I will test it this weekend and will tell you.


    I created a new zone named RED instead of placing the RED interfaces in the LAN zone in order to be able to filter the traffic between the VLANs without impacting the RED traffic.


    So my main firewall rule to permit the communication between the RED networks is a RED>LAN and LAN>RED rule.


    All the traffic works correctly between the 2 sites and the networks. The only thing which doesn't work is the traffic from the SSL VPN of site A to site B and from the SSL VPN of site B to site A.


    An IPSec tunnel has now been connected between the 2 XGs for 2 weeks and it works well, even the SSL VPN from one XG to the other.

  • Ok just make sure of the following tips:

    On the central one you'll make a LAN>VPN and a VPN>LAN rule, and on the remote one you'll only make a VPN>LAN rule.

    Also on Administration > Device access I have ping and DNS enabled for the VPN zone, if it helps.

  • Already did this, still not working.