Access to hosts in IPSEC site-2-site remote LAN via SSL VPN

Hi,

My setup is an XG in the head office and another one in the branch office.

Head office: 10.10.0.0/16 with some subnets
Branch office: 192.168.0.0/21

IPSEC site-2-site between the two XG working fine, all hosts accessible from branch office to head office and vice versa
SSL-VPN remote access to head office working fine, all hosts in LAN 10.10.0.0/16 accessible
SSL-VPN remote access to branch office working fine, all hosts in LAN 192.168.0.0/16 accessible

BUT: Remote SSL-VPN users connected to XG in head office cannot connect to hosts in branch office
and Remote SSL-VPN users connected to XG in branch office cannot connect to hosts in head office

I added firewall rules on both XGs for the other site's SSL VPN networks and the policy tester tells me that access is allowed. It seems to be a routing issue; other members had that issue too:
https://community.sophos.com/products/xg-firewall/f/network-and-routing/101456/remote-ssl-vpn-to-ipsec-site2site-vpns
https://community.sophos.com/products/xg-firewall/f/network-and-routing/96286/sophos-xg---ssl-vpn-no-access-across-ipsec-tunnel
https://community.sophos.com/products/xg-firewall/f/network-and-routing/95675/accessing-host-in-ipsec-vpn-network-from-ssl-vpn-client

One solution seems to be to add a route manually in the console. I am not very familiar with it, so has anyone else a solution for my problem?

Thanks, Dirk

 



  • Hi  and  

    Please follow the below given steps.

    1. Make sure that the IP ranges leased to SSL VPN users at HO and BO are different from each other and from all other IPs added/available in the network, to avoid a network conflict.

    2. The HO SSL VPN leased IP range should be added to the Local Subnet of the IPsec VPN configuration on the HO XG; the same for the remote subnet.

    3. The BO SSL VPN leased IP range should be added to the Local Subnet of the IPsec VPN configuration on the BO XG; the same for the remote subnet.

    4. Create a VPN to VPN firewall rule and verify the communication.

  • FormerMember in reply to Keyur

    Hi All,

    In addition to the reply from Keyur, I would also suggest that you check whether you have the local subnet of HO added to the SSL VPN profile under permitted network resources on BO, and vice versa.

    Note: If you update an existing SSL VPN profile, all users need to re-download the configuration from the UserPortal.
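
A check of the settings listed in the two replies above, as an added example that is not part of the thread and not Sophos tooling: it audits a two-site configuration for overlapping ranges, SSL VPN lease pools missing from the IPsec local/remote subnets, and peer LANs missing from the SSL VPN permitted resources. The LAN ranges are the ones from the question; the lease pools, the dictionary layout and the function names are assumptions.

```python
import copy, ipaddress
from itertools import combinations
# LAN ranges are from the thread; lease pools and key names are assumed/constructed.
BEFORE = {
    "HO": {"lan": "10.10.0.0/16", "pool": "10.81.234.0/24",
           "ipsec_local": ["10.10.0.0/16"], "ipsec_remote": ["192.168.0.0/21"],
           "sslvpn_permitted": ["10.10.0.0/16"]},
    "BO": {"lan": "192.168.0.0/21", "pool": "10.81.235.0/24",
           "ipsec_local": ["192.168.0.0/21"], "ipsec_remote": ["10.10.0.0/16"],
           "sslvpn_permitted": ["192.168.0.0/21"]},
}

def covered(target, nets):
    """True if `target` lies inside at least one network in `nets`."""
    t = ipaddress.ip_network(target)
    return any(t.subnet_of(ipaddress.ip_network(n)) for n in nets)

def audit(sites):
    """Return findings for a two-site config shaped like BEFORE."""
    findings = []
    # Step 1: LANs and SSL VPN lease pools must not overlap anywhere.
    ranges = [(f"{s} {k}", ipaddress.ip_network(c[k]))
              for s, c in sites.items() for k in ("lan", "pool")]
    for (na, a), (nb, b) in combinations(ranges, 2):
        if a.overlaps(b):
            findings.append(f"overlap: {na} {a} / {nb} {b}")
    (x, cx), (y, cy) = sites.items()
    for here, c, there, peer in ((x, cx, y, cy), (y, cy, x, cx)):
        # Steps 2-3: own pool in local subnets, peer's pool in remote subnets.
        if not covered(c["pool"], c["ipsec_local"]):
            findings.append(f"{here}: own SSL VPN pool not in IPsec local subnets")
        if not covered(peer["pool"], c["ipsec_remote"]):
            findings.append(f"{here}: {there} SSL VPN pool not in IPsec remote subnets")
        # Follow-up reply: the SSL VPN policy must permit the other site's LAN.
        if not covered(peer["lan"], c["sslvpn_permitted"]):
            findings.append(f"{here}: {there} LAN not in SSL VPN permitted resources")
    return findings

def with_thread_steps(sites):
    """Copy of `sites` with the pools and peer LANs added as the replies describe."""
    fixed = copy.deepcopy(sites)
    cx, cy = fixed.values()
    for c, peer in ((cx, cy), (cy, cx)):
        c["ipsec_local"].append(c["pool"])
        c["ipsec_remote"].append(peer["pool"])
        c["sslvpn_permitted"].append(peer["lan"])
    return fixed

if __name__ == "__main__":
    print("\n".join(audit(BEFORE)))
```

An empty result only confirms the address settings from the replies; the VPN to VPN firewall rule from step 4 is not modelled.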

     

  • I've tried all of these. But no luck.

    HO subnet in SSL-VPN,

    SSL-VPN subnet at both HO (Local Network) BO (Remote Network) still doesn't work,
