This discussion has been locked.

Can't reach Sophos Connect Client via VPN tunnel from LAN "lan_to_vpn"

German language is also welcome ;-)

 

Environment:

Sophos XG210 / SFOS 17.5.10 MR-10

 

Setup:

LAN = LAG with two ports and multiple VLANs

VLAN70 = 10.10.70.0/24

 

Sophos Connect Client:

IP-Range 10.10.150.150 - 10.10.150.250

 

Firewall:

Source: VLAN_70/IP:10.10.70.20 | Dest: VPN/Any/Any

(there are of course many more rules ...)

 

Situation:

The Sophos connect client can establish a VPN connection. It can reach all internal services permitted by firewall rules.

From VLAN_70/IP:10.10.70.20 I can't reach a VPN client (for example 10.10.150.150) when it's connected. (Things like the client firewall and so on were disabled for the test)

From Sophos diagnostics I can ping the VPN client successfully.

The "Policy test" says the firewall rule described above will match and accept the traffic.

 

Question:

It should be possible to reach a Sophos Connect client via VPN from internal VLANs as described above, shouldn't it?

What's the pitfall here? I need a hint.

 

If you need more information, let me know.

 

Thx



  • Tom,

    make sure that you use the tunnel all option.

    Here the KB:

    https://community.sophos.com/kb/en-us/133109

    Also make sure to not enable MASQ on the LAN to VPN firewall rule.

    Regards

  • @

    Thanks for the hints.

    • Also make sure to not enable MASQ on the LAN to VPN firewall rule.
      • MASQ is not enabled in this particular fw-rule
    • make sure that you use the tunnel all option.
      • I tested both yesterday. Our default "split tunnel" as well as a "tunnel all" config

    FYI:

    Our split tunnel config -> All necessary subnets are included. All VLAN subnets are in the IP range 10.10.0.0/16, and this subnet is included in our "split tunnel" VPN client config.

     

    Thx

  • Tested the setup with "split tunnel" and "tunnel all" again yesterday to be sure I had not made a mistake. The problem persists.

    From the "advanced shell" I tested (ping/traceroute). Both tests were successful.

    From VLAN_70 (Windows PC)

    • ping = Request timed out
    • tracert = Stops after 30 hops

    Firewall-Rule for this case shows outgoing traffic but no incoming traffic.

    It seems to be a routing problem.

    "advanced shell" "route -n" -> all needed routes are present (VLAN_70 and tun0)

     

    Where is the pitfall in this setup? Does anyone have a hint what I should pay attention to or what could cause problems in this setup?

     

    Thx

  • We are facing the same problem. Advanced shell pings to both networks (VPN and server network) are successful, and route -n shows that the needed routes are present.

     

    Any updates on this topic? Did you find a solution?

  • Unfortunately, no. A ticket at sophos support has already been opened. Unfortunately I am currently only being passed on from one supporter to the next. Not very professional for paid support.

  • Hi Tom Kramer,

    Sorry for the inconvenience caused to you! I would request you to PM us the service request number, I will check and try to arrange assistance as soon as possible.

  • This may have been the same issue unresolved but on old sfos + sophos connect version: https://community.sophos.com/products/xg-firewall/f/vpn/111869/internal-traffic-outbound-to-sophos-connect-vpn-clients

    I'll be revisiting testing on current sfos + sophos connect to verify if internal >> vpn traffic is still problematic.

  • This is exactly our problem. 

    "Support": Now the third support employee is working on our case. The case has been open since March 20, 2020. ^^
  • Hi  

    Sorry for the inconvenience caused to you! I would request you to PM us the service request number, we will check the case and inform you further.

  • Finally, the case was escalated and I received the solution.

    By default, the Sophos Connect VPN Clients are intended to be isolated, so no internal IPSec_route to the VPN Client Network is being created when saving changes to the Sophos Connect VPN settings. Currently, there is no option in the GUI to change that behaviour. So after setting up the Sophos Connect Configuration, the used ip range or network needs to be added to an IPSec_route manually using the shell.

    If you set up the Client using the GUI, you specified an IP range (typically a whole subnet) and a Name in the Client Information section. Using these values, run the following command in the shell:

    console> system ipsec_route add net [network]/[mask] tunnelname [Sophos Connect Client Name]

    Use the following command to verify the successful creation:

    console> system ipsec_route show

    Important: make sure the routing precedence is Policy, VPN, Static. However, this may lead to problems in environments where MPLS is active. But it does not affect the Sophos XG's HA capabilities.

    console> system route_precedence show
    1. Policy routes
    2. VPN routes
    3. Static routes
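The solution above boils down to two things: one `ipsec_route` entry for the Sophos Connect client range, and a route precedence of Policy, VPN, Static. The following helper is an added example written for this thread, not Sophos code and not something run on the firewall itself: it computes the smallest single network that covers a client IP range such as the 10.10.150.150 - 10.10.150.250 pool from the original post, builds the console command to run on the XG, and checks a pasted `system route_precedence show` output for the required order. The tunnel name is a placeholder; use the name you entered in the Client Information section. It assumes the `[mask]` part of the command is accepted as a prefix length; check the format your SFOS version expects.

```python
import ipaddress
import re

# Constructed values taken from the thread: the Sophos Connect client pool.
# The tunnel name is a placeholder, not a real identifier.
CLIENT_POOL_START = "10.10.150.150"
CLIENT_POOL_END = "10.10.150.250"
TUNNEL_NAME = "SophosConnectClientName"  # placeholder

# Order the thread says the precedence must have.
REQUIRED_ORDER = ["Policy routes", "VPN routes", "Static routes"]

# Constructed sample outputs in the shape shown in the thread.
SAMPLE_OK = """1. Policy routes
2. VPN routes
3. Static routes
"""
SAMPLE_BAD = """1. Policy routes
2. Static routes
3. VPN routes
"""


def enclosing_network(start: str, end: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains the whole client IP range.

    Start from the /32 of the first address and widen the prefix until the
    block also contains the last address, so one ipsec_route covers the pool.
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def ipsec_route_command(net: ipaddress.IPv4Network, tunnel_name: str) -> str:
    """Console command from the thread, with prefix-length notation for the mask."""
    return (f"system ipsec_route add net {net.network_address}/{net.prefixlen} "
            f"tunnelname {tunnel_name}")


def precedence_is_correct(console_output: str) -> bool:
    """Parse 'system route_precedence show' output and require Policy, VPN, Static."""
    found = re.findall(r"^\s*\d+\.\s*(.+?)\s*$", console_output, re.MULTILINE)
    return found == REQUIRED_ORDER


if __name__ == "__main__":
    pool = enclosing_network(CLIENT_POOL_START, CLIENT_POOL_END)
    print("Run on the XG console:", ipsec_route_command(pool, TUNNEL_NAME))
    print("Precedence OK (sample):", precedence_is_correct(SAMPLE_OK))
    print("Precedence OK (bad sample):", precedence_is_correct(SAMPLE_BAD))
```

Note that for the pool in the thread the smallest covering block is 10.10.150.128/25, not the whole /24; if your pool was defined as a full subnet, pass its first and last addresses and the function returns that subnet. After adding the route, confirm it with `system ipsec_route show` and paste the `route_precedence show` output into `precedence_is_correct` before testing from the VLAN again.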