
Site-to-Site SSL VPN manually route traffic

I am working on configuring a VPN tunnel for my home office. The issue I am running into is that my home IP scheme is the same as my office IP scheme. I have a working SSL VPN Site-to-Site connection allowing the correct remote and local IP ranges; however, any time I try to access one of the IP addresses at the office, the Sophos XG tries to route the traffic locally to my home subnet. Is there any way to force the routing through the SSL VPN?

The PC I am using is in a dedicated Zone with a dedicated IP range that is completely different from my LAN. I have added firewall rules to allow traffic between the office LAN and this dedicated LAN on both sides (using the appropriate Zones on either end). The office Sophos is the SSL VPN server and my home Sophos is the client. Adding a firewall rule to drop traffic between this Zone and the LAN on my local Sophos does not help...

Any thoughts would be greatly appreciated.

Thanks.



This thread was automatically locked due to age.
  • FormerMember

    Hi  

    Thank you for reaching out to the Community! 

    There is no option to apply NAT with an SSL site-to-site VPN. You could try to configure SNAT with a LAN-to-VPN rule on your home XG. 

    However, it is possible to apply NAT with IPsec site to site VPN; please check out the following KBA for more info: Sophos XG Firewall: How to use NAT over a Site-to-Site IPsec VPN connection.

    Thanks,

  • I wouldn't think a NAT is necessary. The computer I am using is not in the LAN... It is in a separate zone. The Sophos just seems to route traffic from that Zone to the LAN instead of through the SSL VPN tunnel. Is there any way to address this?


    Office:

        Zone: LAN = 192.168.0.0/23

    Home:

        Zone: EXTRA = 192.168.20.9/29

        Zone: LAN = 192.168.0.0/24


    The SSL VPN connection is configured to allow traffic between the Office LAN and the Home EXTRA. The Office firewall has a rule allowing traffic to and from the LAN and VPN Zones with the host entries for the Office LAN and the Home EXTRA. The Home firewall has a rule allowing traffic to and from the EXTRA and VPN Zones with the host entries for the Office LAN and the Home EXTRA.

     

    The issue is that the host entry for the Office LAN is functionally the same as the Home LAN. So even though the firewall rule is at the top of the list, the Sophos always tries to route traffic to that subnet to the Home LAN instead of through the VPN. There must be some way to keep traffic from the EXTRA Zone from being routed to the LAN Zone I would think.
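The behaviour described in this reply is what longest-prefix-match route selection produces when a directly connected subnet overlaps a subnet advertised through a tunnel. The following Python script is an added example written for this thread; it is not code from the poster or from Sophos, and the route table, interface names (`LAN`, `EXTRA`, `tun0`) and the connected/VPN classification are constructed to mirror the addressing given above (home LAN 192.168.0.0/24, office LAN 192.168.0.0/23 via the SSL tunnel, EXTRA zone 192.168.20.8/29). It shows why a packet for an office host in 192.168.0.x is delivered to the home LAN regardless of firewall rule order, and which part of the office range is still reachable over the tunnel.

```python
"""Simulate longest-prefix-match routing with an overlapping connected subnet.

Added example for illustration only; the route table below is constructed
and the lookup logic is the generic rule most routers apply (most specific
prefix wins), not a model of any vendor-specific implementation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str   # hypothetical interface name
    kind: str        # "connected" (directly attached) or "vpn" (learned via tunnel)


# Constructed route table modelled on the thread's addressing.
ROUTES: List[Route] = [
    Route(ip_network("192.168.0.0/24"), "LAN", "connected"),    # home LAN
    Route(ip_network("192.168.20.8/29"), "EXTRA", "connected"),  # home EXTRA zone
    Route(ip_network("192.168.0.0/23"), "tun0", "vpn"),          # office LAN over SSL VPN
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Return the route with the longest matching prefix for dst, or None."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    # Longest prefix wins; firewall rule order never enters into this decision.
    return max(matches, key=lambda r: r.prefix.prefixlen)


def overlapping(a: str, b: str) -> bool:
    """True if two prefixes share any addresses (the root cause in the thread)."""
    return ip_network(a).overlaps(ip_network(b))


def reachable_via_vpn(routes: List[Route] = ROUTES) -> List[IPv4Network]:
    """Return the parts of each VPN prefix not shadowed by a connected route.

    Overlapping prefixes always nest, so a connected prefix is either inside
    the VPN prefix (carve it out) or contains it (the VPN prefix is fully
    shadowed and dropped).
    """
    connected = [r.prefix for r in routes if r.kind == "connected"]
    remaining = [r.prefix for r in routes if r.kind == "vpn"]
    for c in connected:
        carved: List[IPv4Network] = []
        for net in remaining:
            if not net.overlaps(c):
                carved.append(net)
            elif c.subnet_of(net):
                carved.extend(net.address_exclude(c))
            # else: net lies entirely inside c -> fully shadowed, drop it
        remaining = carved
    return sorted(remaining)


if __name__ == "__main__":
    for dst in ("192.168.0.50", "192.168.1.10", "192.168.20.10", "10.0.0.1"):
        r = lookup(dst)
        print(f"{dst:>14} -> {r.interface if r else 'no route'}")
    print("home LAN overlaps office LAN:",
          overlapping("192.168.0.0/24", "192.168.0.0/23"))
    print("office space still reachable via tunnel:",
          [str(n) for n in reachable_via_vpn()])
```

Running it shows that 192.168.0.50 (an office host) resolves to `LAN`, because the connected /24 is more specific than the /23 learned over the tunnel, while 192.168.1.10 resolves to `tun0`, since the upper half of the office /23 has no competing local route. The practical consequence for the setup described in the thread is that only renumbering one side, or NAT where the tunnel type supports it, removes the overlap; dropping or reordering firewall rules cannot change which interface the route lookup picks.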
