
Can't reach Sophos Connect Client via VPN tunnel from LAN "lan_to_vpn"

German is also welcome ;-)

 

Environment:

Sophos XG210 / SFOS 17.5.10 MR-10

 

Setup:

LAN = LAG with two ports and multiple VLANs

VLAN70 = 10.10.70.0/24

 

Sophos Connect Client:

IP-Range 10.10.150.150 - 10.10.150.250

 

Firewall:

Source: VLAN_70/IP:10.10.70.20 | Dest: VPN/Any/Any

(there are of course many more rules ...)

 

Situation:

The Sophos connect client can establish a VPN connection. It can reach all internal services permitted by firewall rules.

From VLAN_70/IP:10.10.70.20 I can't reach a VPN client (for example 10.10.150.150) when it's connected. (Things like the client firewall and so on were disabled for the test)

From the Sophos diagnostics I can ping the VPN client successfully.

The "Policy test" says the firewall rule described above matches and accepts the traffic.

 

Question:

It should be possible to reach a Sophos Connect client via VPN from internal VLANs as described above, shouldn't it?

What's the pitfall here? I need a hint.

 

If you need more information, let me know.

 

Thx



  • Tom,

    make sure you use the tunnel-all option.

    Here is the KB:

    https://community.sophos.com/kb/en-us/133109

    Also make sure to not enable MASQ on the LAN to VPN firewall rule.

    Regards

  • @

    Thanks for the hints.

    • Also make sure to not enable MASQ on the LAN to VPN firewall rule.
      • MASQ is not enabled in this particular FW rule
    • make sure that use the tunnel all option.
      • I tested yesterday both. Our default "split tunnel" as well as a "tunnel all" config

    FYI:

    Our split tunnel config includes all necessary subnets. All VLAN subnets are in the IP range 10.10.0.0/16, and this subnet is included in our "split tunnel" VPN client config.

     

    Thx

  • Tested the setup with "split tunnel" and "tunnel all" again yesterday to be sure I hadn't made a mistake. The problem persists.

    From the "advanced shell" I tested (ping/traceroute). Both tests were successful.

    From VLAN_70 (Windows PC)

    • ping = Request timed out
    • tracert = Stops after 30 hops

    Firewall-Rule for this case shows outgoing traffic but no incoming traffic.

    It seems to be a routing problem.

    In the "advanced shell", "route -n" shows that all needed routes are present (VLAN_70 and tun0)

     

    Where is the pitfall in this setup? Does anyone have a hint what I should pay attention to or what could cause problems in this setup?

     

    Thx
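    The post above reports that "route -n" on the firewall shows the expected routes, yet the rule logs outgoing but no incoming traffic. The check that actually matters for a flow is the longest-prefix-match lookup in both directions: the forward route to the VPN client and the return route back to the LAN host. The following Python snippet is an added example (not from this thread or from Sophos) that parses a constructed `route -n` table and reports which interface each direction resolves to, flagging a flow whose forward or return lookup falls through to the default route. The interface names other than tun0, the gateway address and the metrics are assumptions.

```python
import ipaddress

# Constructed sample of `route -n` output, modelled on the thread's description:
# a VLAN_70 route on a LAN interface and the VPN client pool on tun0.
# Interface names other than tun0, the gateway address and metrics are assumptions.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 Port2
10.10.70.0      0.0.0.0         255.255.255.0   U     0      0        0 Port1.70
10.10.150.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
"""


def parse_route_n(text):
    """Parse the Linux `route -n` table into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the two header lines; real entries start with a dotted-quad destination.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gateway, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        # ip_network accepts a dotted netmask; "0.0.0.0/0.0.0.0" becomes the default route.
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"network": network, "gateway": gateway, "flags": flags, "iface": iface})
    return routes


def lookup(routes, ip):
    """Longest-prefix match, as the kernel does it: the most specific route wins."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


def check_path(routes, src, dst):
    """Check both directions of a flow: the forward route to dst and the return route to src.

    A flow only works if both lookups hit a specific route. If either falls through to
    the default route (prefix length 0), that half of the conversation leaves via the
    WAN and never comes back, which is what "outgoing traffic but no incoming traffic"
    in a firewall rule's counters looks like.
    """
    forward = lookup(routes, dst)
    back = lookup(routes, src)

    def specific(route):
        return route is not None and route["network"].prefixlen > 0

    return {
        "forward_iface": forward["iface"] if forward else None,
        "return_iface": back["iface"] if back else None,
        "ok": specific(forward) and specific(back),
    }


if __name__ == "__main__":
    table = parse_route_n(SAMPLE_ROUTE_N)
    # LAN host in VLAN_70 talking to a connected VPN client
    print(check_path(table, "10.10.70.20", "10.10.150.150"))
```

    Run it against the real table by pasting the "advanced shell" output in place of the constructed sample; if the return lookup for the LAN host or the forward lookup for the client pool resolves to the default-route interface instead of the VLAN or tun0 interface, the missing route is the first thing to fix before looking at firewall rules.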

  • We are facing the same problem. Advanced shell pings to both networks (VPN and server network) are successful, and route -n shows that the needed routes are present.

     

    Any updates on this topic? Did you find a solution?

  • Unfortunately, no. A ticket with Sophos support has already been opened. Unfortunately, I am currently only being passed on from one supporter to the next. Not very professional for paid support.
